Google wrestles with the generative trade-off. Security experts have found another set of malicious apps in the Android Market and discovered that Google Docs regularly hosts phishing sites.

Falun Gong sues Cisco for facilitating official Chinese repression. Members of Falun Gong have sued tech giant Cisco in a U.S. court, alleging that the company customized its technology to meet government tracking and censorship needs and helped design China’s Golden Shield, the country’s infamous online censorship and surveillance firewall. The group also claims that Cisco marketed its technology as a tool to target government dissidents.

Hargreaves Review published. The review evaluates the fitness of the UK’s intellectual property regime for an internet age. It finds that IP laws put in place several hundred years ago are now stifling modern innovation and goes on to make ten specific recommendations for IP law reform to correct the problem. These recommendations include approaches to clearing patent thickets; dealing with orphan works; and transitioning to evidence-based, rather than lobby-based, IP policy; as well as rejection of a US-like fair use limitation.

Facebook users benefit from a Web of Trust. Clicking a link on your Facebook page that the crowdsourced Web of Trust service has identified as spammy or malicious will now bring up a warning that you may want to avoid the suspect site (and also check out Wikipedia entries on malware and phishing).

iFlowReader closes. Independent iOS e-book retailer iFlowReader shut down at the end of May. According to the company, Apple’s new e-book seller rules made it impossible to turn a profit. (The rules require sellers to give Apple a 30% cut of sales while at the same time limiting the seller to only a 30% commission, so the seller gets the commission from the publisher but then owes it all to Apple.) Company execs expressed frustration that, in their view, Apple maintained complete control over its platform and felt free to change the rules on developers, even after they, relying on the old rules, had been induced to make significant investments.

TiVo and EchoStar settle. The case involving a judicial order to EchoStar to send a remote signal disabling its customers’ DVRs ended in a whimper last month when the parties settled after the Federal Circuit held that EchoStar had waived its arguments that the disablement provision was vague and overbroad. EchoStar had asserted that it legally should not have been forced to disable the DVR boxes because it implemented a design-around instead so that the boxes no longer infringed TiVo’s patents. But the court didn’t reach the merits of this argument, since it held that the time to raise such issues was before the district court found EchoStar in contempt. So while we know that the Federal Circuit doesn’t have a problem with trial courts issuing a disablement provision to remedy patent infringement, we still don’t know whether the infringing party could avoid disabling its users’ products by pushing an update that replaced the infringing technology with a non-infringing alternative.

—Jennifer Halbleib

What content? Well, depending on the Western software company, any of the millions to billions of websites that the company has categorized. And the categories, of which multiple companies boast that they have more than 90, range from porn and violence, to dating and filesharing, to politics, religion, and even anonymizers. All the repressive regime has to do is to buy the software, pay the Western company to maintain the database of categorized websites, click the check boxes next to the categories of sites that it doesn’t want its people to access, and viola, the Western company has commercialized censorship. As the report puts it, “This is not simply a case of a general purpose, neutral tool being used for an end not contemplated by its maker. The filtering products of today engage in regular communications with their makers, updating lists of millions of websites to block across dozens of content categories, including political opposition and human rights.”

The report illustrates how the categorized lists these companies maintain tend to be overinclusive – after all, a governmental customer is unlikely to care if more speech is censored than necessary as long as nothing that it doesn’t want its citizens to see gets through. Furthermore, to give a repressive state the flexibility it needs to oppress effectively, most Western companies also allow their governmental customers to create user-defined lists of sites to filter, in case there is additional content that the government wants to block. Finally, some combination of the Western companies and the governments who use their products has recently moved to obscure attribution of filtering to these products, so citizens – and groups like the OpenNet Initiative – have a hard time determining who is allowing their government to censor the Internet.

It doesn’t have to work this way. Western companies don’t have to sell their filtering tools to repressive regimes – or any government or state-run ISP. They could limit customers to individuals and private employers. Moreover, they don’t need to maintain lists of categorized sites at all. And even if they want to keep lists of violent or pornographic sites for legitimate users, classifications such as “politics,” “religion,” and “privacy” are inexplicable unless the Western company is actively trying to help its governmental customers muzzle speech, and inexcusable then. Therefore, at a minimum, the Western companies could get rid of many of their categories.

Risks would still exist. Governments could steal the technology, as Iran may have done with McAfee’s SmartFilter. And in certain cases, repressive regimes could adapt free software developed for innocuous purposes to filter their citizens’ Internet. These risks – and others – may be sufficient to counsel against supplying anyone with any tool that can be repurposed for state-level censorship. But at the very least, Western companies shouldn’t be continuously complicit in government Internet censorship by selling repressive regimes the software and regularly providing them with updated lists of sites to filter.

It’s remarkable how brazen these Western filtering companies are. For example, one American company, Websense, has an explicit policy not to facilitate government censorship, except to restrict pornography. But among its nearly one hundred classifications listed in the report are such categories as “Advocacy Groups,” “Traditional Religions,” “Political Organizations,” and “Educational Institutions.” Perhaps Websense can articulate a legitimate reason for these categories, but it seems a stretch to relate them to “Adult Content,” which is a separate category in any case.

Another company, Netsweeper, is apparently perfectly willing exploit the freedom of foreign peoples by selling its software to government-backed ISPs looking to “block inappropriate content to meet government rules and regulations ‘based on social, religious or political ideals.’” Meanwhile, McAfee remains mum on how its relationship with repressive governments plays into its business conduct and ethics policy.

In an online world where we condemn oppression of a single netizen as cyberbullying, what do we call the conduct of Western companies that collude with governments to oppress an entire citizenry? Cyberrepression? And should companies that ostensibly exist largely to give parents the control needed to shield children from harmful Internet content be surprised if the government that created them exerts another form of parental control – the kind that parents use on poorly-behaving children with no self-control – by regulating the companies’ own asocial behavior? After all, if corporations have rights and obligations based on the legal fiction of corporate personhood, then these companies are the all-too-real sociopaths of the corporate world.

Even better, customers in Western countries can send a free-market message to these companies without having to resort to a regulatory intermediary: such duplicitous behavior – marketing software in the West as a tool to empower parents and businesses but in the Middle East and Africa as a tool to enervate a state’s citizenry – isn’t acceptable. We shouldn’t buy software that’s supposed to protect if its maker also sells it as a means to abuse.

—Jennifer Halbleib

I’m having similar difficulty understanding Research In Motion’s statement in response to the news cascade following threats by the UAE and other countries to terminate its license to sell Blackberrys unless it’s more cooperative with government requests for surveillance.

Part of the confusion arises from the fact that we’re only seeing a small slice of a government-to-company negotiation — the public threat part — so exactly what’s being asked hasn’t been disclosed, and neither the government nor RIM have much incentive to say more.  And it’s hard to infer what’s on the table since the Blackberry is a Swiss army knife-style digital appliance — it makes phone calls, supports instant messaging, texts, and email — in communication both with other Internet users (including those without Blackberrys) and within a corporate environment.  When trying to figure out what RIM could share if it wanted (or were pressured) to, it helps to consider each service and environment separately.

So how does RIM’s public statement fit in?  Here’s the intro:

Due to recent media reports, Research In Motion (RIM) recognizes that some customers are curious about the discussions that occur between RIM and certain governments regarding the use of encryption in BlackBerry products. RIM also understands that the confidential nature of these discussions has consequently given rise to speculation and misinterpretation.

RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers. While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments.

Strong but vague so far — there’s a compromise to be struck, and RIM hopes to make the right one, bearing in mind the needs and interests of both its customers and its regulators.  It’s how the statement continues that’s puzzling, and to understand requires going from forest to trees for a bit:

Many public facts about the BlackBerry Enterprise Server security architecture have been well established over the years and remain unchanged. A recap of these facts, along with other general industry facts, should help our customers maintain confidence about the security of their information. …

• The BlackBerry security architecture was specifically designed to provide corporate customers with the ability to transmit information wirelessly while also providing them with the necessary confidence that no one, including RIM, could access their data. …

• The BlackBerry security architecture for enterprise customers is based on a symmetric key system whereby the customer creates their own key and only the customer ever possesses a copy of their encryption key. RIM does not possess a “master key”, nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the key or corporate data.

At last some specifics.  But they appear extremely selective.  The first bullet point above talks about the encryption of data between a handheld Blackberry and the server operated by RIM — a way station until the data finds its ultimate recipient.  (People intend to email each other, not RIM; the RIM server is just a way to route data from one person to another.)  So the first bullet point offers the assurance that the data can’t readily be accessed between the Blackberry user and the RIM way station.  Fair enough — such encryption is routine.  For example, those who use gmail in “secure” mode — these days it defaults to that — enjoy a similar protection.  No stethoscope gathering radio waves in between can easily decipher what’s going on.

OK, on to the next quoted bullet point, which suggests that once the data is in repose at the way station, even then RIM couldn’t access it.  But here there’s a qualifier: it’s the Blackberry “security architecture for enterprise customers.”  Enterprise customers is a term of art that means customers brought en masse under the umbrella of a corporate enterprise.  If Consolidated Widgets had previously had all its internal correspondence routed through a server in its own basement and wanted to farm that out, RIM could offer an “enterprise solution” where Consolidated Widgets would become its customer, and all of Widgets’s employees could be issued Blackberrys and corresponding email accounts.  In that case, promises RIM, email sitting on RIM’s server would still be inaccessible to RIM.  It’d be private between one sender and one recipient.

Why limit this feature to enterprise customers?  In part because encryption standards haven’t been widely enough deployed to support ready encryption between users without regard to the devices and platforms they’re using.  For me to send you an encrypted email that not even our respective email providers can access requires us to coordinate ahead of time on a standard.  For example, you might establish a key using the Philip Zimmerman’s legendary PGP (“pretty good privacy”) standard, and I could then use it to send you an email that only you can read.  But if you haven’t gone to that trouble, I’m stumped.

That’s not RIM’s fault, but it might make misleading a statement intended to address the overall surveillance controversy — a statement that on a quick read suggests that Blackberry email users enjoy utter secrecy, when in fact it’s necessarily only talking about “enterprise” users who are emailing each other under a single corporate umbrella.  With that understood, the last line of the RIM statement offers much less assurance than it might seem to the average Blackberry user:

RIM assures customers that it will not compromise the integrity and security of the BlackBerry Enterprise Solution.

If the BlackBerry Enterprise Solution is but a subset of what we think of when we think about Blackberrys — namely, intra-corporate stuff — then the fact that it’s assured it both little threat to a government like UAE, which is no doubt concerned about communications and organizing among citizens outside a single corporate environment, and little solace to those very citizens.  And that’s why our questions to RIM should stick to apples in cheeks rather than changing the subject to balls in hands: what assurances can be made about cooperation with government surveillance requests outside corporate intranets?  The assurances need not be without exception to be reasonable — but the parameters of whatever accommodation is reached should be made public.

I welcome correction if I’m misunderstanding RIM’s attempt to dispel misunderstandings.  …JZ

UPDATE 8/5/10: Bruce Schneier has written on the topic here.

Companies rarely share information about the cyberattacks they experience — conventional wisdom has it that it makes the company appear vulnerable, and drives customers away.  Here Google is open about the attacks, while of course assuring readers that it had tightened security as a result.  Google then links these attacks to a lessening of enthusiasm for doing business in China.  Eliminating censorship in google.cn is only mentioned after that.

Suppose the Chinese government acts as expected and tells Google that it may no longer operate in China.  Google.cn might vanish as a domain name, since it’s hosted under the Chinese country-code TLD of .cn, ultimately controllable by the Chinese government.  But the search engine found there could of course keep operating from a different location, like cn.google.com.  Suppose then that China attempts to filter out traffic to and from that new location — and to and from google.com for good measure, as it has done from time to time, especially before the advent of google.cn and its agreement to censor.  (We’ll be watching for such moves at herdict.org, a site where users can report Web blockages.)

What next?  My hope, and expectation, is that Google engineers who might have been a bit halfhearted about implementing censorship mandates in google.cn could be full-throttle in coming up with ways for Google to be viewed despite any network interruptions between site and user.  There are lots of unexplored options here.  They’re unexplored not because they’re infeasible, but because most sites would rather not provoke a government that filters.  So they don’t undertake to get information out in ways that might evade blockages.  Here, Google would have nothing more to lose, so could pioneer some new approaches.  Circumvention of filtering (or other blockages, for that matter) tends to happen on the user side of things, seeking out proxies like the Tor network, or anonymizer.com.

To be sure, many of the larger benefits of operating in China originally cited by Google four years ago — exposing the citizenry to services beyond those locally grown and monitored; engaging them beyond the “China Wide Web” to which some government officials aspire to limit them; and gaining market share that can create momentum and support for later loosening of restrictions — may attenuate.  Google.cn is less known and used than, say, the local Baidu search engine, which boasts about 60% market share.  That share is about to get even bigger.

But drawing a line is both the right move and a brilliant one.  It helps realign Google’s business with its ethos, and masterfully recasts the firm in a place it will feel more comfortable: supporting the free and open dissemination of information rather than metering it out according to undesirable (and capricious) government standards.

That’s it.  Its presence on a poster advertising the OpenNet Initiative’s academic book Access Controlled was enough to deem it prohibited by UN security forces at the Internet Governance Forum, who are shown in these videos removing the poster from the room over the objections of OpenNet colleagues Ron Deibert and Rafal Rohozinski.  Computerworld has a writeup here.

As Ron says: “If we cannot discuss topics about Internet censorship and surveillance policy at a forum about Internet governance then what is the point of something like the IGF?”

If you’re finding there are Web sites you can’t access, please consider filing a report at Herdict — or downloading the toolbar.