
Clay Shirky: RIAA Succeeds Where Cypherpunks Fail

scubacuda writes "Clay Shirky has an interesting take on encryption: 'The RIAA is succeeding where the Cypherpunks failed, convincing users to trade a broad but penetrable privacy for unbreakable anonymity under their personal control. In contrast to the Cypherpunks "eat your peas" approach, touting encryption as a first-order service users should work to embrace, encryption is now becoming a background feature of collaborative workspaces. Because encryption is becoming something that must run in the background, there is now an incentive to make its adoption as easy and transparent to the user as possible. It's too early to say how widely casual encryption use will spread, but it isn't too early to see that the shift is both profound and irreversible.'"
  • by Tangurena ( 576827 ) on Thursday December 18, 2003 @12:02PM (#7754580)
    Nice article. Unfortunately, apathy will ultimately reign supreme. People want to turn on their computer to get something. They don't want to be car mechanics in order to be able to drive a car. If the p2p software comes preconfigured to use encryption, then it will get used. If it has to be enabled, then it won't happen very often. It does not really matter if I want to use PGP, if no one else I communicate with is willing or able to install and use it.
  • by Noryungi ( 70322 ) on Thursday December 18, 2003 @12:04PM (#7754597) Homepage Journal
    Anybody else think that, if encrypted file-sharing becomes a reality, the RIAA will simply implode?

    From the article:
    to a first approximation, every PC owner under the age of 35 is now a felon.

    Now remember what the Cypherpunks said a few years ago?

    If crypto is outlawed,
    only outlaws will have encryption


    There you have it: goodbye RIAA. We hardly knew ya. You made us all felons, and by doing so, you opened the floodgates that were going to drown you.
  • A bit rambling... (Score:5, Interesting)

    by fruey ( 563914 ) on Thursday December 18, 2003 @12:05PM (#7754606) Homepage Journal
    What the article is basically saying is that because people are now losing their anonymity in a more obvious way, because they're getting sued... then they are more likely to turn to crypto.

    However it's a rather tenuous link to say that the RIAA succeeded where Cypherpunks failed. Advocates are one thing, but really the rise of P2P applications and the growing Internet user base are what have caused P2P to become a real PITA for the RIAA. Therefore they make high profile legal cases to grab media attention. However, they could not realistically target piracy any more than the police raids on weekend markets in London will stop home-burned DVDs from being sold on a stall.

    So, some people will use encryption just like Del Boy and Rodney (UK reference to Only Fools and Horses) used a suitcase for their wares and ran whenever the Police came close by. But massive public adoption of cryptography will only be because it will be built in for a reason (rather than optional) and because processors are fast enough to encrypt/decrypt on the fly with long keys... and still, it's a prediction. It's not mainstream yet - and the main thing this guy is forgetting is that the RIAA will bait and trap users with or without encryption on the wires.

  • by Weaselmancer ( 533834 ) on Thursday December 18, 2003 @12:28PM (#7754852)

    I read the article and can find nothing there suggesting how I can trade anything for unbreakable anonymity, or even how unbreakable anonymity could even be implemented.

    Encrypt the packets? Fine. You can still trace their origin.

    Let's say that you do RSA key pairs, and build them into some sort of P2P. When two people connect, they swap public keys and encrypt the stream.

    There is nothing that says that the person who is leeching a file from you isn't Hillary Rosen. Traceroute, and you're still nailed.

    The only way to be truly anonymous in a P2P application would be to have the application auto proxy a neighbor. Here's how that would work.

    User WantMusic jumps on the new P2P net and broadcasts a desire to download "myfavoritesong.mp3", and their RSA public key along with the request. Some other user, MusicBank, has the song. Rather than having the client pull the data directly from MusicBank, have MusicBank push the data to the client. Each outbound packet from MusicBank would at random select someone else on the net and say "Take this packet of data and pass it along to user WantMusic at this IP address."

    If the someone else happened to be Hillary Rosen, all she would get is a packet of unreadable data - she doesn't have the private key. She could know who it was from, and where it was going but have no idea what it was. Might be music, might be the Linux kernel.

    If Hillary jumps on the net and tries to download myfavoritesong.mp3, all she could do is traceroute a bunch of packets to 2nd party proxies. By the definition of the protocol, they don't have the file. They're innocent. She still doesn't know MusicBank has the file.

    The disadvantage to this protocol is that it'd be slow. Each packet would have to hit a proxy. Instead of server->client, it'd be server->proxy->client. You could expect downloads to be at least 1/3 slower.

    If I had the time, I'd write this sucker.

    Weaselmancer

  • Re:Seems obvious. (Score:5, Interesting)

    by plover ( 150551 ) on Thursday December 18, 2003 @12:28PM (#7754860) Homepage Journal
    What will be most interesting is if the crypto "wars" play out through all the theorized stages of attack, counterattack, and man-in-the-middle attacks that the cryptographers have worked out over the past 20 years. We already expect the RIAA won't take kindly to encrypted networks sharing their music, so we should expect to see some countermeasures.

    So what will be their strategy? Will they first attempt to "join" these networks, posing as users looking for Britney's latest, and entrapping systems that serve up the bits? Will they put out bogus trojaned clients on the services? "Dude, download LockTella 1.9, it's l33t!!" only to find that it hoovers up passwords and music lists, and forwards them on to DUDE@RIAA.COM?

    Will cypherpunks come to the rescue, providing signed versions of the clients? Will the users finally understand the need to verify the signatures before running them? It's a big stick -- "run an untrustworthy client, get a lawsuit."

    And finally, will this come full circle, leading to a true "Web of Trust" as originally envisioned by Zimmermann et al with PGP? I can see the further parallels to Prohibition, with entry to speakeasies controlled by passwords like "John said to tell you I'm OK" whispered through a hole in the door.

    This could be a very interesting time to live in.

  • by Anonymous Coward on Thursday December 18, 2003 @12:30PM (#7754872)
    Encryption, like all technology, is amoral.

    Technologies like weaponised anthrax?
  • by Anonymous Coward on Thursday December 18, 2003 @12:35PM (#7754939)

    Put in a cached copy of articles...
    Google does it, why not slashdot?
    Just put a "[cached]" link after the actual link in the post, so if it gets slashdotted, we can still see the article page.
    This would help out a lot.
  • Sealed lips (Score:5, Interesting)

    by daminotaur ( 732705 ) on Thursday December 18, 2003 @12:35PM (#7754943)
    Shirky: "In any system where a user's identity is in the hands of a third party, that third party cannot be trusted." The classic Mafia version of this is: "Two people can keep a secret as long as one of them is dead." Most people don't think that way, and even if they did they are unlikely to trust any technological system that promises absolute anonymity. The cypherpunks' fantasies are no more ready for prime time now than ever. Main problem is that anonymous communication is a chimeral fantasy, and any scheme to even experiment with their implementation is complex and onerous to all but people who like to read Schneier for fun, and play secret agent. Above all, cypherpunks chase anonymity like it's a virtue, when most of the worst aspects of the net are caused by anonymity and unaccountability.
  • I think the fastest way to get encryption turned on by default is to have these major email providers (like Yahoo and Hotmail) turn on encryption by default. If they did so, then there will be enough momentum for the other providers to do so too, and anyone using encryption would not stand out as a potential trouble-maker ....

    The reason why it is important to have a critical mass of communications in encryption is because otherwise the people encrypting sorely stand out. If I decide (which I would love to) to start encrypting today, many people would wonder what sort of shady business I have gotten into. Not to mention Ashcroft would be after me, with a claim that I am some Lone-Wolf terrorist ...

    My point is that there should be, there has to be, enough people encrypting for it to become feasible. If I am one of the people encrypting while others are not then I am the proverbial needle in a haystack. Any magnet can easily pull me out by my jugular ... If I am one of the many other people encrypting then I am just another hay in the haystack ... much harder then to grab me by my b**** ....

  • by ReelOddeeo ( 115880 ) on Thursday December 18, 2003 @12:39PM (#7754986)
    You mean like when I throw my copy of Applied Cryptography at people's heads?

    Careful! Applied Cryptography is a thick book!

    I am currently reading that book. (Second Edition) I was amazed at the prophetic words on page 97 (or maybe 99)? The book is discussing Key Escrow and Clipper. He says something to the effect of:

    If there were a major terrorist attack on New York what sorts of limits on the police would be thrown aside in the aftermath?
    The copyright on the book says 1996. I'm assuming that even in the Second Edition that these words are prophetic. Sorry I don't have the exact quote, and am not positive on the page number because I don't have the book here with me. But you could find the Key Escrow from the TOC.
  • Re:changing laws (Score:5, Interesting)

    by poot_rootbeer ( 188613 ) on Thursday December 18, 2003 @12:55PM (#7755178)
    When the vast majority of a society is violating a certain law, it is a sign that the law, not the society needs to change.

    Most people routinely travel 5-10 miles above the speed limit on the highway -- regardless of what the posted limit is. Should we change the limit from 65 to 75 so most of us aren't breaking the law anymore? Should we consider the studies that show traffic fatalities increase when speed limits are raised?

    It's human nature to choose the course of action that benefits one's self the most, but if that action has a net effect of reducing benefits to others (by not compensating them for their work, or by killing them in a car crash), it is right for the state to restrict your ability to follow that course of action.
  • by lynx_user_abroad ( 323975 ) on Thursday December 18, 2003 @12:58PM (#7755205) Homepage Journal
    there's multiple problems with anonymous, encrypted peer to peer without users oversights.

    Those are not problems of the encryption, nor even of the system which employs it. The problems you mention result from trusting an untrustable contact.

    It's not an IP address you're trying to conceal, (having an IP is not illegal) it's the activity occurring at that IP address which you're concerned with. Similarly, if you get your content only from and offer your content only to trustable people, then you don't have to worry about them linking your conduct with your identity.

    The hard part is finding trustable contacts. Encryption does not help in this, but it is an effective tool for ensuring that information is only being disclosed to whom you think you are disclosing it to.

    And, yes, stoopid people can shoot themselves in the foot even with an encrypted gun. Nothing can prevent that. Only the advice "Don't have stupid friends." seems of any help for that.

  • by Weaselmancer ( 533834 ) on Thursday December 18, 2003 @01:07PM (#7755289)

    First off, thanks - seriously. I need people to challenge this so that I can spot problems. Too bad you posted as AC. So here goes.

    1) Client says "who has this file?" Server says "me" and sends client public key. Client knows IP of sender. Client is RIAA. Server nailed.

    In this protocol, only the client would broadcast a public key. Client broadcasts a file request and a public key, and somebody responds. Nobody knows who. The server never directly contacts the client under any circumstances.

    2) Client says "who has this file?" Server says to a random computer "Tell client I have this file." and passes along its public key. Random computer is RIAA. Server nailed.

    Again, server never broadcasts a public key. And even if the message was "Tell client I have this file," at this point server would have the client's public key and could encrypt the intent to broadcast the file.

    Keep it up - keep poking at this. Maybe we can establish a truly anonymous protocol here!

    Weaselmancer

  • by JASegler ( 2913 ) <jasegler@@@gmail...com> on Thursday December 18, 2003 @01:16PM (#7755353)
    It's not unfixable. It's just inconvenient.

    Freenet has non-trivial to break privacy for its users. I won't say unbreakable since that's not really provable.

    Of course it has problems:
    1) very slow
    2) very unreliable
    3) not easily searchable.

    Because of these issues it's not going to replace Napster/Kazaa/etc for normal users.

    That's always the tradeoff for security anyway. Easy to use or secure? Pick one.

  • by I-R-Baboon ( 140733 ) on Thursday December 18, 2003 @01:27PM (#7755454)

    "Those who cannot remember the past are condemned to repeat it." -George Santayana

    This strikes me very much familiar along with the "war" on drugs. A previous post touched on this lightly as well. Be it encryption, invite only LAN MP3 share parties, USENET, or any of the other countless work arounds out there...By brandishing their lawyers [slashdot.org] they are in fact creating an underground which society has demonstrated they want to exist, and it will. Instead of trying to make use of this phenomenon, they want to bully people and focus their creative energies on how they can sue. Sounds eerily familiar to the ban of alcohol which founded organized crime in the US and gave a beautiful model for drug running today. In an effort to slay a beast, a new monster was created and the beast was welcomed with open arms in the long run and taxed accordingly to make it profitable and put into a mostly controlled environment. Of course it's not possible to put music into a controlled environment, but iTunes was able to make downloading music a business. Guess they should have focussed on hedging that new market instead of helping to create an underground they will never be able to control or profit from. (Go to concerts if you want the artists to get your money, and boycott RIAA backed media)

  • Re:changing laws (Score:5, Interesting)

    by MisterMook ( 634297 ) on Thursday December 18, 2003 @01:29PM (#7755469) Homepage
    That's exactly what happened when they raised the speed limit from 55mph though, stopped the ban on alcohol, started examining segregation, and probably a whole bunch more that my soda blurred brain can't think of right now. If a minority chooses to do a thing then it's a cancer, if the whole organism begins to act a certain way and the minority are the people who don't...Is it selfish for a society to not act hypocritically? If all of society begins to act a certain way and the left hand chooses not to, should society sit idly as the left hand stabs the right because it's not acting the same as before? Now the question comes, is filesharing the issue and if it is such a prominent component of something that hasn't been identified properly as the issue, then what is that issue? A huge segment of society obviously is choosing to act this way, is it selfishness or consensus?
  • by PureFiction ( 10256 ) on Thursday December 18, 2003 @01:40PM (#7755561)
    are a 802.11b card, a 1W amplifier, and a nice 16dBi vagi antenna:
    http://peertech.org/coder/vagi-amp-laptop.jpg [peertech.org]
  • by Anonymous Coward on Thursday December 18, 2003 @02:04PM (#7755787)
    Well, this relates to the current batch of lawsuits as well. The RIAA isn't claiming that they can show that anybody ever actually downloaded one of your shared files. They are claiming someone COULD have.

    I think that is why they are so quick to offer settlements to people. If somebody did want to go to court with the RIAA, it probably would be difficult to prove that a copyright violation ever occurred. Of course, you would spend 10x as much to defend yourself as to simply settle.

    Same thing applies here, the RIAA sees you requesting copyrighted music files, they file suit because they believe an infringement occurred. They offer to settle for a couple grand. Now, you could fight the law suit, but you are going to spend way more than a couple grand to do it.
  • by WebCowboy ( 196209 ) on Thursday December 18, 2003 @02:08PM (#7755827)
    RIAA and MPAA, being comprised of entertainment executives and their lawyers which are known to be the lowest form of life on earth, would instinctively ... attempt to "join" these networks, posing as users looking for Britney's latest, and entrapping systems that serve up the bits? Will they put out bogus trojaned clients on the services? "Dude, download LockTella 1.9, it's l33t!!" only to find that it hoovers up passwords and music lists, and forwards them on to DUDE@RIAA.COM ....

    Hopefully, however, the law and the constitution would step in since these tactics are just a tiny bit unethical, immoral and illegal. RIAA agents posing as file sharers and enticing others to load and run trojans that compromise their PCs and privacy in order to look for and obtain incriminating evidence is blatant entrapment and such evidence would/should be inadmissible in a court case.

    It also looks like illegal search and seizure--and an unconstitutional invasion of privacy and misuse of private property. People have been convicted of criminal offences for deploying trojans and viruses and hacking into peoples machines (and rightly so). The rules should be no different for those acting on RIAA or MPAA's behalf regardless of their motives.
  • by Qzukk ( 229616 ) on Thursday December 18, 2003 @02:43PM (#7756158) Journal
    If I send out a request for "myfavoritesong.mp3" and then other nodes on the network start sending me packets.

    Ah, but as part of the network, you would be receiving and forwarding other peoples' responses too (unless you're abusing the network, in which case you deserve to be tracked down ;) So, just because packets come to you doesn't mean they were part of your request.

    Something like this could be easily turned into a freenet with less secrecy and more privacy by establishing a mesh of nodes, each with the keys of their neighbors, and each with a three-part request table. Node X encrypts Request #12531324 to each of its neighbor nodes, sends it, and records "I made Request #12531324". Neighbor Node Y decrypts the request, checks to see if it can answer it, then encrypts the request with each of its neighbor nodes, records "I got #12531324 from Node X". This step is repeated until it reaches Node Z, who can respond to the request (for brevity, we'll assume that the next node is Z). It responds with Response #19591531 to Request #12531324. This response isn't the data of the file, just a "this file exists here". Node Y gets the response, looks in the request table, and finds that it got request #12531324 from node X. It makes an entry in the table saying "I got Response #19591531 from Node Z".

    Finally, the user at Node X sits back down after grabbing a drink and sees that responses have started coming back for his search for "Scream*avi". Looking through the list of choices, he finds that scream 2 encode he's been missing to complete his collection. He clicks on Response #19591531, and Node X sends a message to Y saying "Fulfill Response #19591531". Node Y knows this response came from Z, so it forwards it to Z. Z sends data to Y, Y sends data to X. Loops are identified and terminated when a node handling a request finds that it already has handled that request in its table.

    So, now unlike freenet any particular node can determine what's being forwarded through it (since it decrypts every bit of data to pass it on to the next node). However, privacy is maintained: If node MPAA requests scream 3, it receives only data from neighbor-nodes, with only information about those neighbor-nodes. If Node MPAA receives a request from Node X, MPAA does not know whether X itself made the request or if X is forwarding that request from someone else. If Node MPAA responds to a request, it only talks to the Node that gave it the request in the first place.

    In order to compromise this privacy, MPAA would need to either a) read the request table of every node between and including X and Z, or b) BE every node in the network, except for X and Z, so that they know the request could not have come from anywhere other than X and gone to anywhere other than Z.

    Other things to improve usability (possibly at the risk of allowing users to cripple the network): Request and Response nodes could bear a "max_bandwidth" field, which could be lowered by a slow node but never raised, and used by Node X when determining which response to accept. Node Z could wait a random amount of time to formulate the Response (if MPAA requests foo from Z and Z answers immediately, then Z is a likely candidate for being the host of the file).

    Part of the reason for "secrecy" though, where nobody but Z and Y knows *what* is in the data, is that if Node MPAA receives Scream 2 from Node Z, even though Z may or may not be hosting it themselves, the MPAA may get to sue them for helping whoever hosted it give it to whoever requested it.
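
The request-table routing sketched in the comment above, simulated in one process as an added example that is not part of the original thread. The class, method and node names are hypothetical, the mesh and file are constructed, lookups match an exact file name, and per-link encryption is left out so that only the routing and what an intermediate node can observe are shown.

```python
"""Request-table routing from the comment above, simulated in one process.
Added illustration: all names are hypothetical and link encryption is omitted."""
import secrets


class Node:
    def __init__(self, name, files=None):
        self.name = name
        self.files = dict(files or {})   # file name -> content held locally
        self.neighbors = []
        self.requests = {}    # request id -> neighbor it came from (None: made here)
        self.responses = {}   # response id -> neighbor it came from
        self.local = {}       # response id -> file name, for answers we issued
        self.hits = []        # response ids that answered our own requests
        self.seen = []        # (event, neighbor name) pairs this node observed

    def on_request(self, req_id, name, sender=None):
        if req_id in self.requests:      # already handled: terminate the loop
            return
        self.requests[req_id] = sender
        if sender is not None:
            self.seen.append(("request", sender.name))
            if name in self.files:       # answer with "it exists", not the data
                resp_id = secrets.token_hex(4)   # opaque: reveals no node name
                self.local[resp_id] = name
                sender.on_response(resp_id, req_id, self)
        for peer in self.neighbors:
            if peer is not sender:
                peer.on_request(req_id, name, self)

    def on_response(self, resp_id, req_id, sender):
        self.responses[resp_id] = sender
        self.seen.append(("response", sender.name))
        back = self.requests[req_id]     # retrace the hop the request came in on
        if back is None:
            self.hits.append(resp_id)
        else:
            back.on_response(resp_id, req_id, self)

    def fulfill(self, resp_id, sender=None):
        if sender is not None:
            self.seen.append(("fulfill", sender.name))
        if resp_id in self.local:        # we are the node that answered
            return self.files[self.local[resp_id]]
        return self.responses[resp_id].fulfill(resp_id, self)  # relay the data


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def demo():
    # Constructed mesh: X - Y - OBS - W - Z, plus X - A - OBS to form a loop.
    x, y, obs, w, a = (Node(n) for n in ("X", "Y", "OBS", "W", "A"))
    z = Node("Z", {"notes.txt": b"constructed sample content"})
    for pair in ((x, y), (y, obs), (obs, w), (w, z), (x, a), (a, obs)):
        link(*pair)
    x.on_request(12531324, "notes.txt")
    data = x.fulfill(x.hits[0])
    return obs.seen, data


if __name__ == "__main__":
    observed, data = demo()
    print("observer saw:", observed)     # only its direct neighbors appear
    print("X received:", data)
```

The observing node's log names only Y and W, its direct neighbors; nothing in it distinguishes a neighbor that originated or hosts something from one that is merely forwarding.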
  • by Nijika ( 525558 ) on Thursday December 18, 2003 @04:01PM (#7756932) Homepage Journal
    This is evolution of a very basic kind. There are new predators stalking about, so to survive the animals in question need to develop camouflage or some other defense. The ones that do will be able to head to the watering hole without much worry, the ones that don't will either have to find a new watering hole farther away or will get eaten up I'm afraid.
  • by Prior Restraint ( 179698 ) on Thursday December 18, 2003 @05:31PM (#7757812)

    Just out of curiosity, why wouldn't something along the lines of, "I wish you would go back into the bottle," work? (Not saying the RIAA's task is that simple; just critiquing the meme.)

  • by gilgongo ( 57446 ) on Thursday December 18, 2003 @06:09PM (#7758185) Homepage Journal
    I'm a big fan of Clay, and I'm on his NEC mailing list (I read his article when it came in today), but I think this piece has some unusually (for him) shaky arguments in it.

    What I'd like to see is his site as a blog that we could then discuss his essays on. He wouldn't have to take any notice of what we said, but seeing as he's big into online communities and communication networks, you think he might be into the idea.

    I know, I'll mail him. Where's his public key?