I cross this same border regularly, and after reading the story, something is confusing to me. The story says that he was "returning to Canada". When returning to Canada there's a toll booth on the US side where you pay the bridge toll (staffed by employees of the bridge authority -- who are not customs agents). The customs inspection is always on the far side of the bridge, in this case the Canadian side. This would have been staffed by Canadian customs agents.

Does this article mean to say that there were US Customs & Border inspection at the toll booth on the US side? That would be very irregular. The only time I have ever seen an exception is during the weekend of the Mackinac Race when police are trying to curtail drunk driving across the bridge (there's a huge party just before the race, heavy drinking, etc.).

I really feel for Mr. Watts. I'm just trying to understand what happened.

I noticed the article paints a picture as though this law will effectively break the functionality of the web and/or make it so annoying that nobody will want to put up with it. I think that's completely wrong. The conclusion that this is "Breathtakingly Stupid" is correct, but not for the reasons stated in the article.

From the article:

Ok.... so you wont be barraged with consent requests every time you visit any web site that needs to maintain session state between two or more pages or track the fact that you've logged in.

So it would seem that the good news in all of this is that this really only pertains to those cookies used for annoying things like advertising and market analytics & profiling; those things that invade your privacy. ...or does it?

What's in a cookie? That all depends on the cookie. Some cookies store all the data being tracked by the cookie. But other cookies are essentially an index -- they store no real data, but merely help the server identify you to the server where the real data is kept. This is where things go gray and the law becomes "breathtakingly stupid."

The law assumes that websites intent on "violating your privacy" (whatever that means) actually need to use cookies in order to do it. This is like wanting to outlaw murder and in order to so, just pass a law that bans handguns (as if handguns are the only way someone might commit the crime.)

Rather than create a separate cookie which exists for the exclusive purpose of marketing analytics (or whatever other violation of a user's privacy the website or it's partners want to perform), now the website just needs to create a 'meta cookie', if you will. They have carte blanche to create a session cookie for maintaing your login or user session (essential the operation of the website) without your consent. They can create what you could think of as 'server side meta-cookies' -- where instead of storing a cookie in your web browser, they store the cookie and it's value as an attribute of your session profile information which is stored only on the server. The only cookie you actually have is your login / session cookie.

Under this scenario, the law only drives the activities of user tracking deeper into the shadows. Before you knew they were tracking you... you had a cookie. But you could delete those and know that they were gone. NOW they'll track you based on session attributes you cannot delete because it's on someone else's server.

There's a huge gray-area around the "strictly necessary" clause. If your website is entirely ad-revenue-funded, and without tracking you wouldn't be able to provide a service to your users at all, is this "strictly necessary"? Google is ad-revenue funded. Then there are sites like Amazon which performs tracking for cross-sell / up-sell purposes (e.g. "Do you want this USB printer cable that goes with that printer you just put in your cart that 98% of the other people that bought that same product discovered they needed because no printer actually comes with a cable?") After all the data needed to track those buying habits isn't essential in order to track your user session or maintain your shopping cart, but it sure is useful to the end-consumer and they're not necessarily collecting it to invade your privacy.

Not so fast. By your logic, all users also consented to having malware on their computers, and all actions performed by that malware would have happened with user consent. After all.... new computers don't just un-box themselves, plug themselves into power and go find a network connection... the user had to do that.

Just because you know what a cookie is and are aware that you can configure your browser to block some or all of them, doesn't mean everybody else does. Nor does it imply it's their own fault for being ignorant. I use the "80 year old grandma" test. There are numerous people who barely manage to use a computer, but feel compelled to (even though they are extremely uncomfortable with them) because more and more companies and services expect that users will have a computer.

Examples: (1) In many cities and towns, daily-editions of the newspaper are no longer available for home delivery. If you want the news you'll need a computer so you can read it online. (2) Wireless phone providers generally do not have printed copies of your contract agreements, terms & services, etc. If you want to view those, you'll have to go online. I've even asked some carriers if they can mail me a copy... the answer is "no, it is only available online."

Anymore, a computer is becoming something households are required to have and use, whether they like it or not, and whether they know how to use, manage, or configure their software or not. Browsers passively accept cookies and respond to cookie requests all day long; having no idea what the cookie is used for. In no way does this imply user consent.

The patent appears to be specific as to purpose and how it would work. So specific, in fact, that Twitter doesn't intrude at all. In order to make Twitter fit so as to be intruding into their patents, you have to broaden the application of the idea so that the technical implementation is no longer important.

Upon broadening the interpretation, a lot of prior art clouds the validity of TechRadium's patents (e.g. using a megaphone to shout at a large crowd is technically a "message sender" sending out one message to a whole lot of "message receivers" who "subscribed" to listen to the message (by showing up at the event) -- so apparently the idea itself isn't really new.

It doesn't stop there.

You may think the megaphone is a silly comparison or clumsy implementation of it... the point is the idea is not new, nor did TechRadium invent it. So what did they invent? Further delve in with some of the things that make their message broadcast system more elegant (yes, well we added this nifty little database so we can manage a publish/scriber model that's a managed and able to be quite a bit more selective than using a megaphone to shout at a crowd), then there's lots of prior art to show that the concept of the pub/sub model in IT predates their oldest patent by many years. The reason the concept was coined the "pub/sub" model is because it worked just like a newspaper or magazine that publishes content and subscribers (a.k.a. customers or readers) could choose to subscribe and, in the case of a publisher with different kinds of magazines, they could even decide which magazines they want to receive. They would of course use some sort of record keeping system so as not confuse what each subscriber wanted to receive. So apparently that idea isn't new either.

Essentially what Twitter "copies" is all the same stuff TechRadium had to also copy in order to come up with their implementation. This is mildly reminiscent of Apple's lawsuit against Microsoft back in the mid 80's when they claimed MS used their desktop GUI idea -- then it turned out BOTH of them got the idea from Xerox. Twitter's implementation would be (a) different and (b) probably a lot more scalable. Twitter has to handle millions of subscribers... TechRadium's solution probably only has to handle a few hundred and *maybe* a couple thousand.... tops. In order to achieve these differences in scale, the implementation is likely to be radically different.

I read this story and immediately thought of last Saturday's Dilbert:

http://dilbert.com/2009-08-01/

In addition to FOSS, don't forget that there's also SaaS options (Software as a Service). For example... could you use Google Mail & Calendar instead of Outlook & Exchange for mail & calendar?

Buy a replacement at full price? You must have friends, right? Those friends must have old phones they don't use anymore because *they* got new phones to extend their contracts.

Just find a friend with a phone they don't use anymore -- they'll probably give it to you.

If you don't have any friends, just buy a used phone on eBay for a couple bucks.

It's about the fact that it can be 'tracked' -- just as the US has used cellphone tracking to hunt down bad-guys overseas, they can do the same thing to us if they know what cellphone we have.

It's not about the 'archival' of data. The Blackberry taps into YOUR traditional mail infrastructure. If you back it up, then your messages are archived.

No, it's more about the fact that an external company is granted access (usually via VPN) to your internal network (or at least part of it) and, more specifically, they get to keep a copy of your authentication credentials (so they can watch your new mail arrive, copy it, and delivery it to your device). Allowing a 3rd party company VPN access to a US government network with the Whitehouse mail server and, oh by the way, a copy of the president's username and password... well NOW maybe you can understand why they're nervous about security.

Frankly it would be better if he were addicted to an iPhone. At least with that solution you can host your email on any IMAP compliant mail server you want and nobody but you needs a copy of your security certificates, VPN gateway access, or username & passwords.