March II 2009

25 March 2009

Fredric Morris, Editor-In-Chief, Connect-World
Fredric Morris

eRegulation – smoother than expected square wheels

Regulating anything can be a messy business. Regulating the world of ‘e’ – eCommerce, eFinance, eBanking, eServices, eAnything, online digital rights management, the Internet itself – is messy enough for the story lines of a whole slew of low-budget terror movies, and it gets even messier if it is international. Regulations in each country for online dealings are as different as the legal systems themselves and the culture of the country. They cover different pieces of the eWorld, they regulate them differently and enforce the regulations – or not – as they see fit. Despite the confusion, the eWorld is growing and this system, as makeshift as it seems, has generated enough friction to raise concerns and stimulate legislative concerns – but not enough raise a general alarm.

Most of us have never given the question a thought. The few who do either are in government or international organizations – or have businesses that stand to gain or lose depending upon the regulatory winds. Some consumers have found, to their disappointment or grief, that eCommerce is a slippery beast that slides past regulations developed over the years and centuries to deal with brick and mortar transactions.

The bigger countries, the international trade organizations, the EU and such have studied the question, published guidelines and even enacted laws and regulations, but it will be many years before there is a consolidated, consecrated, body of eLaw to deal reliably with all the issues involved.

Many of the problems associated with eRegulation are the direct result of the history of the Internet, or rather the lack thereof. In its short history, the Internet has passed from a tool for researchers, the military and government agencies to a global phenomenon. The Web is an integral part of the social and business lives of hundreds of millions of people. It is one of the world’s largest and most diverse marketplaces. It is the world’s greatest source of information – its reference library. The Web is a major source of entertainment, of news, of political debate, a focal point for science, for fantasy, for crime, a focal point, indeed, for almost every human activity.

Regulation and control was not an issue when the Web was designed, but given the reach of the activities online it is now a pressing need. Where do you start, how do you devise comprehensive legislation and regulation for a phenomenon that covers just about every conceivable human activity, especially when one considers the enormous diversity of interests in our society. The Internet, itself, the greatest public forum in the history of humankind, contributes to the difficulty; never before have so many people been aware of the issues or had a way to make themselves heard.

The very philosophy of the Web, implicitly believed by hoards of users, is that the Web is an instrument to extend our civil liberties by making all information (and just about everything else) free. It is important to remember that supporting deregulated markets was, until the recent financial market meltdown, considered an almost sacred obligation of forward-minded thinkers, so this, too, has made it difficult to comprehensively regulate the Internet.

Despite the ardent, but not always justified, positions the overwhelming need for regulation to protect users has pushed forward a patchwork of protective regulations. Regulatory issues still have to be decisively addressed, to sort out legal issues relating to contractual obligations and to deal with buy/sell transactions, intellectual rights, money transfers, digital services, advertising, child protection, questions of privacy, of fraud and a range of other questions. Although in the ‘real world’ we have a long history of regulating trade and protecting businesses and consumers alike, in the digital world we often seem at a loss or at odds.

Businesses want regulations that set eCommerce on a charted path, one that can be evaluated in unambiguous black or white terms; on the other hand they want to be sure the regulations do not take away any advantages they have in the free, unregulated, environment. In keeping with the prevailing competitive free market philosophy of recent decades, regulators and legislators have sought – as they have while liberalising the telecom sector – to ‘level the playing field’ for all competitors. Although legislators and regulators have had some success – more in the EU for example than the US – businesses and business associations have long called for a self-regulatory approach.

Given the conflicting interests involved, it was something of a wonder that practical good sense has triumphed in many instance around the world. Rules have been established which give the market some semblance of order and credibility without which it could not grow. Still, the rules are far from perfect and the balance of forces on each side of the issue is likely to hobble the pace of regulation for years to come. To be fair, no one really knows what is needed or how to achieve it. It took centuries for today’s ‘real world’ laws to take shape and they are still constantly pinched, poked tweaked and stretched as the need arises. Digital regulations still have a long way to go.

Finding cyberspace on the map is a problem for regulators. What laws, from what country, apply to a place you can’t find? When there is a cross border digital transaction, a fraud, a felony, a question of privacy violation, a financial transaction that goes awry – in what court do you settle it, using the laws of what country? Real world rules may not apply at all in many cases.

Many countries apply a ‘country of origin principle’ to determine which country has jurisdiction and which laws to follow. Now that sounds simple, doesn’t it? Well, in practice, things are not quite so neat; there is no universal law that says either party must necessarily agree. There are even areas where it is commonly recognised that the origin principle simply does not apply. This is the case, for example, with intellectual property rights such as copyrights, eMoney, spam and real estate transfers among others. Sovereign states can, and do, pass laws that ignore the country of origin principle when questions of public interest, consumer protection, national security, public safety and health are involved.

It is easy to let international organisations such as the Organization for Economic Cooperation and Development (OECD), the World Trade Organization (WTO), draw up the rules, but they cannot pass laws, at best, they establish standards that the world’s countries might, or not, adopt. Then too, these groups lack the diplomatic credentials and reach needed to forge a global consensus that takes into account the interests of all segments of society. The EU, because of its structure, has the best chance of harmonising the regulations of its members, but even this falls short of the ideal – worldwide, universally adopted, regulations – since the EU only wields a stick in Europe.

Taxes are a problem for most governments and there is no universally agreed way for governments to dip their hands into the consumer’s pockets when business is transacted online. In the EU, value added taxes are tacked onto each transaction, but this has been hard, rather impossible, to collect when international transactions are involved. There has been talk for many years about requiring companies to register, collect and pay taxes in the countries where they do digital business, but anything that requires countries to collaborate on tax legislation, and involves so many conflicting special interests, is not going to happen quickly – if at all.

The United States Internet Tax Freedom Act of 2000 does not bar local sales taxes; online transactions pay the same taxes as any other, but the Act does prohibit taxes that apply only to the Internet, including Internet usage taxes and direct taxes on eCommerce. That, of course, does not mean that cities and states will stop trying to squeeze some money from the Net. So far, they have not had much success.

Privacy is another area where international regulation varies widely from country to country. The EU, as in so many areas, is a leader. Its Data Privacy Directive serves as a model for regulators in many parts of the world, but it cannot impose it on businesses from other countries. Businesses in the United States, after much pressure, consented to a form of auto-regulation in matters of privacy and the U.S. Federal Trade Commission (FTC) agreed to enforce it and punish the transgression of the privacy directive where the personal and financial information of EU consumers was involved.

To earn the trust of consumers, many companies promised to abide by U.S. Department of Commerce’s Safe Harbor Privacy Framework, which call for notifying consumers of the company’s privacy policies and giving customers the right to forbid disclosure to third parties among other rights.

The Internet is supposedly the worldwide equalizer, in principle, it gives everyone free access to information and tools to exchange it. Regulators around the world have tried to restrict access to material deemed harmful to children or society – pornography, hate sites, terrorist propaganda, instructions to make bombs and the like, but their efforts have often drawn fire from civil libertarians concerned about any attempt to abridge free speech and access to information. Many of the libertarians share the fears of the regulators regarding harmful materials, but they are even more fearful of censorship of the Web, so attempts to control content have been highly controversial. Opponents of Internet regulation point to attempts by countries such as China, among others, to control the content its citizens can view; such countries tend to view the control of information flowing over its borders as a question of national sovereignty and security.

The Internet, the Web, is an agent of profound social change. So far, considering its superficial anarchy, the Web has done much better at managing itself – if not exactly regulating – than we have any right to expect. Laws, social customs and even ethics evolve in response to all important agents of change, but it takes time for society to reach some sort of working consensus. In the past, we had centuries or decades for the right sort of structures to evolve and, even then, there were often severe social and economic dislocations and wars. The Web was born about 20 years ago, but it only really began to grow in the last ten years or so.

We haven’t got it quite right yet, but I don’t see high tech counterparts of the early industrial revolution-type sweat shops, rampant disease or a collapse of the old order. I see social and economic progress in the remotest and poorest regions of the world. Sure, there is spam and viruses and all sorts of crooked dealing, but that has always been part and parcel of every human society, we just code it in bits and bytes today.

The Information Society still has a lot to learn, negotiate and regulate, but all considered – slips, slides, falls and bangs – we are doing a sensational job of keeping the train on track despite the square regulatory wheels inherited from earlier revolutions. Nice going for a toddler.


The next issue of Connect-World Europe will be published next month. This edition of Connect-World will be widely distributed to our reader base and, as well, at shows such as: Sviaz/Expo Comm, Moscow (May 12-15, 2009)

The theme of this issue of Connect-World Europe will be – ICT and the EU Innovation Agenda

The EU has actively promoted innovation of all types through a series of programmes and conferences. The EU has committed over €2 billion to its plans for “Inventing the Future” by promoting research and development in ICT, including its use in such leading edge fields as ICT-bio, photonics, robotics and cognition. The far-reaching EU development programmes promise to open new markets, new sectors, and bring new players. This issue of Connect-World Europe will track the progress and the promise of these important EU initiatives.

Europe 2009 Media Pack; Click here


March I 2009

12 March 2009

Fredric Morris, Editor-In-Chief, Connect-World
Fredric Morris

Darwin and cyber security from hexadecimal to Tyranocyber Hex

I sat down to write this letter with the modest aim of listing and briefly describing the range of security threats and describing the current state-of-the-art cures. There were physical security threats (fire, water, theft of equipment or storage media, etc.); human problems (careless, unlucky, unsuspecting, naive or dishonest people); access questions (physical and digital); adware, spyware, viruses and other malware; denial of service attacks; cryptography; financial security… etc., etc., etc. It didn’t take long to realise I would need a book to skim the surface or a rather long paper just to list the threats.

Where do you start when a problem has no end? ICT security is octopus wrestling – pin two arms to the mat and six come up to whack you down.

Pity the poor software developers, CIOs, security forces and everyone else who uses a computer or any information and/or communications technology.
Security is a Darwinian battle for survival. Every sort of attack is eventually neutralised by a better defence; this, in turn, prompts attackers to ratchet up the intensity and sophistication of their methods or look for a new front, a new battlefield, to wage war. Mobile phones are the latest in a long list of battlefronts. You probably have heard of ‘phishing’, the use of bogus official-looking Websites and emails to trick people into revealing sensitive, personal, information, but have you heard of SMishing? SMishing uses SMS spam messages for the same end. What’s next – Twitching, using Twitter to con people or TVitching, playing ‘gotcha’ on an interactive IPTV?

All these scams use virtually the same mechanism. The phishers ask for confidential information – ID, Social Security, credit card numbers, bank account information and such – via fake Websites or emails from a bank or credit card claiming your account is blocked, an attorney in some godforsaken country promising untold sums of money, a store promising to deposit a credit in your bank account or give you a credit line. The information you send back can open the doors to identity theft and other forms of fraud.

There are many types of security problems besides phishing and other forms of “…ishing”, but it makes an important point – people, themselves, are among the biggest security problems. As Pogo, the cartoon character, said, “We have met the enemy and he is us!” We are our own worst enemy.

Security products abound; some are quite good and others are not worth the trouble and expense. They aim at stopping viruses, network attacks and a host of other problems including many I have never heard of or bothered to think about.

For years, many professionals have complained that software should be inherently trustworthy and safe. If systems were safe, they say, there would be no need to spend untold millions for separate services to lock down the house. In principle, they are right, of course, but in practice this doesn’t happen and probably never can. I am sure university specialists and theorists have mathematically analysed the problem. I haven’t read anything at all about it, but I expect the problem of protecting software will prove to be, as the specialists say, ‘mathematically intractable’.

Anyone who has ever put together a complicated system, with umpteen thousands or millions of lines of code, knows in their heart there is no way to close all the doors and check all the possibilities – it is just not doable. Ask Microsoft or SAP or Oracle or Sun, ask any other company that has ever developed complicated code and they will tell you that no matter how brilliant the developers are or how hard they test and try, someone, somewhere, can eventually find a way to blow a hole in the best defended, tightest, code. That is the way it is today and, since software gets more complicated by the day, tomorrow will be worse. That is why companies that specialise in ICT security of any sort will always have a market – they are the Special Forces, the SWAT teams and the ‘green berets’ of the information society.

I cannot imagine the day when software will be so secure that we won’t need an anti-virus package, a firewall. Perhaps, we will need some sort of super software security manager as well, which will constantly evaluate threats to every conceivable internal state of a PC or, yes, cell phone. In the meantime (forever?), many companies are likely to outsource their ICT security to specialised companies or even to the carriers that handle their virtual private networks. It will probably cost less and be more effective for most companies than building – and maintaining – their own 24/7 state of the art security forces.

When attackers can’t find a way to break into the system, they will find a way to break through the defences of those that use it. Computer security is as fallible as we are. All security professionals know that the user is the ultimate backdoor into any system. ‘Social engineering’, fooling unobservant or gullible users to gain access to their secrets or their software, is often, perhaps even more often, a more effective way to crack a system than fancy programming. People can be easier to understand – and get around – than computer code.

Part of the problem, the technical part, might be better controlled if software as a service (SaaS) becomes more prevalent in coming years since the companies that provide it will have to work very hard indeed to make their systems secure and win the trust of users. I say ‘might’ because in a Darwinian world, whenever a stronger shell evolves a bigger nutcracker cannot be far behind. The other part of the problem – the people part – is even more difficult; how do you keep people from making asses of themselves? We have all done it – haven’t we?

The United State’s Oak Ridge National Laboratory has come up with a fascinating and somewhat frightening way of policing the Web. Its Ubiquitous Network Transient Autonomous Mission Entities – ‘UNTAME’ – software deploys ‘an army of software robots’ to scour the Web for malware and evil-doers. New, are the “cybot entities” that UNTAME sends scurrying through the Web. According to the Lab they form, “collectives that are mutually aware of the condition and activities of other bots in their colony”. This ‘intelligent’ software army, they hope, will collaborate in the task of watching over and keeping large networks like the Internet safe.

All well and good, but an uncontrolled band of software vigilantes roaming the Web, might well become a threat in itself. So far, UNTAME is still a prototype; it runs on a closed network in the lab. What happen, though, when it is set loose on the Net? Will it work as planned or will it become a menace? No matter how well you test, you cannot test everything. I expect the designers on the project have installed some failsafe mechanisms – Isaac Asimov, I Robot, do no harm, sort of directives. Will they work?

Here is the frightening part. The collaborative model the Lab is using sounds too much like a genetic learning algorithm for comfort.

For a number of years, scientists have run genetic algorithms in computers to optimise solutions to complex engineering, weather forecasting, financial strategy problems and the like. In the first evolutionary ‘generation’, a number of potential solutions to a problem are run against real data, and each potential solution is compared to the desired result. The best features of each solution that produces acceptable results are selected and combined in a variety of ways to produce a second generation of solutions. The procedure is repeated until an optimal solution is found. Vaccines have been produced by this method that are 250 thousand times more effective than the starting candidates and the orbits of communications satellites have been optimised far beyond the orbits produced by traditional calculations.

Genetic learning algorithms are powerful tools. Although this was nowhere spoken of in any of the reports I have read, the UNTAME sort of collaborative bots will ‘learn’ from one another and will – unless they are artificially hobbled for safety reasons – probably evolve ‘genetically optimised’ solutions to new threats on their own. The developers will, no doubt, insert elaborate safety mechanisms into the code. Nevertheless, software such as this, like a collection of genes, is subject to mutation (a critical bit is dropped or changed) – not all good and not all easily controllable.

Cyber warfare, a software hurricane Katrina, is a preoccupation of the new Obama administration. To combat cybercrime and cyber warfare experiments UNTAME and many other approaches will have to be investigated, but given the power of the tools, and their inevitable adoption by the enemy as well, the escalation of cyber threats has just begun. It is only starting, but are we already evolving from hexadecimal to Tyranocyber Hex?


The next issue of Connect-World India will be published early next month. This edition of Connect-World will be widely distributed to our reader base and, as well, at shows such as: Convergence India, New Delhi, (19-21 March 2009).

The theme of this issue of Connect-Word India will be – It’s more than outsourcing.

The growth of India’s economy, driven by ICT and business process outsourcing has inspired comment and imitation the world over. The credit given to outsourcing is deserved, but the government policies, astute entrepreneurs a vast number of well educated and prepared professionals that made India’s success in this field are often overlooked. India’s growing ability to source new service and products, not just outsource the operations of others, and its ability to move ahead by its own efforts are also overlooked by those not familiar with the country’s vast pool of talent and potential. This issue of Connect-World India will examine India’s growing strength and look a bit down the road it is travelling.

This issue of Connect-World India will explore the influence of information and communication technology upon the transformation of India, and how India, itself, is transforming technology and processes and helping create a seamless world.

India 2009 Media Pack; Click here