
Comment: Re:This is Sony (Score 2) 293

by Hizonner (#39497865) Attached to: Sony Taking Down PSP Titles In Response To Vita Hackers

First, a refund isn't adequate.

Here comes the obligatory car analogy: I buy a car from you. A week later, you decide you didn't want to sell it, so you come over to my house, hotwire it, and stick the money back through my mail slot. Sorry, not going to fly, especially not if, say, I miss work the next day and lose my job because of your actions. It's not your choice any more, and you are civilly and criminally liable for what you did, refund or no refund.

Sony's legal situation isn't that clear cut for several reasons... but their ethical situation is exactly the same, and given that any contract that gives them any "right" to do what they're doing is surely a contract of adhesion, possibly unconscionable, and possibly contrary to public policy or even direct statute, they're not exactly in the clear legally.

The refund is not going to be an adequate remedy for a lot of people, and even if it were, it's not Sony's choice to make.

Second, small claims court doesn't help.

Small claims court usually has a filing fee, and you have to go down there and appear, thus spending time that has a real monetary value. Then you get to spend more time and money getting Sony to notice your judgement and pay it, possibly including threatening to take them to "real" court. It's not feasible to do that to get a $15 refund or a $50 refund. For most people, it wouldn't be reasonable from a financial point of view if it were less than several hundred dollars. And small claims court can't give you any injunctive relief, either, let alone give any third party any injunctive relief.

The only people who mess with small claims court are going to be people who want to spend lots of time to make a point, and there aren't that many people like that. Sony is therefore pretty much free to steal all it wants, as long as it steals it a little at a time. The only real court remedy for something like this is a class action, and that's a huge project that has its own problems.

Comment: Re:These people can go to hell (Score 1) 224

by Hizonner (#38025558) Attached to: Device Detects Drug Use Via Fingerprints

I can think of no such circumstances where an actual test for impairment at the relevant time wouldn't do a better job.

Make 'em play a video game. Make 'em do a dry run of whatever. Measure their reflexes. Whatever makes sense for the task at hand. The technology exists for essentially every task.

If you're impaired, I don't care WHY you're impaired. What matters is that you're impaired. Testing for some causes and not others is obvious evidence that the impairment isn't what the people ordering the tests care about. Drug testing is and always has been about moral panic (and about hucksters whipping up that panic for their own gain).

Comment: That ship has already sailed (Score 2) 84

by Hizonner (#37211406) Attached to: EFF Takes On Cisco's Role In China

Cisco makes gear to let governments spy on their citizens. Every major network equipment manufacturer makes it. All of them. Every major network operator buys it. Practically every government requires it if you're going to build a public network. They sell it, and, yeah, that means they support it, in every sense of the word.

It's called "Lawful Intercept" by its friends, and "sleazy narcing" by its enemies.

It's an idea pioneered right in the U S of A. CALEA, Baby.

Sometimes it's used for Good(TM) and sometimes it's used for Evil(TM). No government is immune to the Evil. The US government, specifically, is almost certainly abusing it, and even if it's not, the EFF sure thinks it is.

Even if it's not being abused in the sense of illegal use, it's being used heavily to enforce laws the EFF and its main backers don't agree with.

So why isn't the EFF coming down on Cisco for selling such equipment in the US? It's not like the EFF believes the US is pure. Nor any of the many other major governments.

The fact is that all the network gear makers sold out ages ago, back when this whole spying thing first came up in the US. The precedent is set, the principle is established. There's no going back. Governments get what they want on the Net, period. US, China, North Korea, whoever.

At this point, it's self help. Encrypt your data, use relays, use steganography, whatever. But it's way too late to try to fix the equipment makers. The EFF is just grandstanding.

Comment: Re:Maybe the case will be dropped? (Score 2, Informative) 227

by Hizonner (#33359266) Attached to: Girls Bugged Teachers' Staff Room

OK, let's just have a look at that report, shall we?

"Activations" involving photographs on laptops issued to students were grouped into these categories:

  • "Stolen student laptops". AKA "playing cop and spying on people who probably stole laptops". 18,782 photographs, 17,258 screenshots. Probably no legal authority. If you or I had done it: probably given a pass because we were trying to identify a Bad Guy and legitimately had no idea where the machines were... however, it's also probably illegal. There's no legal exemption I know of for peeping to find your stolen property. That's for law enforcement with warrants, not random school officials.

  • "Laptops Not Returned by Students Who Withdrew from School". AKA "playing cop and spying on kids who may have stolen or forgotten to return laptops". 2,366 photographs, 1,332 screenshots. Doesn't say whether they tried, you know, calling the kids on the phone first. Report says "In any event, the wisdom and propriety of activating image tracking in these circumstances are questionable at best." Actual legal justification for doing this: zero. If you or I had done it: criminal charges probable.

  • "Missing Student Laptops". AKA "if we give them the benefit of the doubt, just taking a peek through the webcam and hoping they can recognize where the machine is". 6,693 photographs, 6,693 screenshots. Photographs probably legal if they weren't actually trying to watch any actual person. Screenshots probably wiretapping. If you or I had done it: get a good lawyer, but you might skate by claiming the screenshots were inadvertent.

  • "Image-Tracking of Laptop for Which Insurance Fees Were Unpaid". AKA "total overreaction, spying on a kid to get information about a machine you accidentally handed to him, with no suspicion of any intent on his part to steal it, no attempt to contact him, and reason to suspect he wouldn't just cooperate with you if you did contact him, plus bonus escalation to an investigation of personal activities (probably sex chat) based on a screen shot". 210 photographs, many taken after the precise physical location of the laptop was established. If you or I did it: criminal charges probable.

  • "Mistake Activations for Student Laptops". AKA "random incompetence". 6 photographs, 4 screenshots. If you or I had done it: honest mistake, we'd probably be OK.

  • "Activations for Student Laptops for Reasons Unknown". AKA "nobody bothered to say why", 3/10, "nobody bothered to say anything at all", 7/10. 2,507 photographs, 2,212 screenshots. If you or I did it: probably legally OK because burden would be on the prosecution to prove we did it on purpose and for invalid purposes. However, they'd probably have tried to charge us anyhow, given that it involved kids.

US attorney's decision: "no sufficient evidence of criminal intent"... despite the intentional commission of multiple clearly criminal acts by multiple people working in concert over a long period of time. Chance that you or I would get that kind of consideration for our stupidity or ignorance of the law: approximately zero. Unless we worked for some kind of corporation or other institution with "respectability", in which case the US attorney would similarly serve "justice" by letting us go. It's amazing how much the credibility of the evidence against you varies by who you are.

Bottom line: these people were let skate because they were "nice" types working for the "good guys" and "just trying to do their jobs". Identical behavior by an average citizen acting alone would probably get criminal charges. Identical behavior by somebody actually "anti-establishment" would probably get hundreds, maybe thousands of counts, plus conspiracy and a whole raft of add-ons, and a serious drive for a conviction... which would probably succeed, because the behavior really is illegal.

NO, the Feds don't think it's the right of any government employee to spy on citizens. YES, the Feds won't treat your behavior as "really criminal" unless you're doing something they personally think is "bad". How "bad" they think you are varies with:

  1. Whether they see you as personally sympathetic.
  2. Whether your motives were "pure" in their personal view (which does often translate to whether you were supporting the Establishment or undermining it). And, yes, government employees do get a bit of a break in their minds. Not carte blanche, but a break. After all, they're just trying to do their jobs.
  3. Whether you're openly defying the law. Legally, you don't usually even have to know about a law to be charged under it. You generally only have to know what you're actually doing, not that it's illegal. However, for people prosecutors "like" under the two criteria above, attitude toward the law itself mystically becomes a factor in determining "criminal intent".

If you don't see that as a problem for the rule of law, I don't know what to say to you.

Cellphones

Cell Phone Interception At Def Con 95

Posted by Soulskill
from the can-i-hear-you-now dept.
ChrisPaget writes "I'm planning a pretty significant demonstration of GSM insecurity at Defcon next week, where I'll intercept and record cellular calls made by my attendees, live on-stage, no user-input required. As you can imagine, intercepting cellphones is a Very Big Deal in the eyes of the law; this blog post is an attempt to reassure everyone that their privacy is being taken seriously despite the nature of the demo. I'm not just making it up either — the EFF have helped significantly with the details."

Comment: Re:Really? (Score 5, Interesting) 278

by Hizonner (#32699674) Attached to: Google Has Android Remote App Install Power, Too

Actually, according to a talk by Rich Cannings, Google's "Android Security Leader", at Usenix Security '09 in Montreal, Google can choose whether or not to have your phone ask you for permission for an OS upgrade. If they think it's important enough, they reserve the "right", and definitely retain the technical capability, to install an upgrade without asking. The carriers can probably also do OTA upgrades on their own initiative; that part wasn't clear to me.

The whole tone of his talk was scary. There was no sign that he could imagine that somebody might not want to trust Google with total control of their phone, or that such distrust could possibly be legitimate if it did exist. His whole attitude reeked of "we know better than you do", and he seemed to think of the phone's owner more as a security threat than as the person who should be setting security policy. And he didn't even mention the possibility that Google might get compromised.

He also seemed to think of the Android open source project as something to push code to as an afterthought, rather less important than the carriers... whose interests he seemed to think were terribly, terribly important.

It was not reassuring.

And, yes, my understanding matches yours. The article says that they can also install apps, in addition to OTA OS upgrades. In fact, as I read the supporting material, the Market application works by pushing an "INSTALL_ASSET" message to your phone... the same message they'd use to spontaneously install an app. So there's no fixing the problem without either disabling the Market entirely or patching the implementing code.

And of course an OS upgrade could contain code to do anything they want, including enabling them to install apps if they weren't already able to do so.

Comment: Time to change the policy (Score 4, Insightful) 114

by Hizonner (#32227342) Attached to: Judicial Nominations In the Internet Age

It seems to me that what's going to have to happen is that people are going to have to get over the idea that they can actually review every statement a nominee has ever made, get over the idea that people should be automata who never say anything possibly embarrassing (and thus that it even makes sense to want to review everything they've ever written), and get over the idea that there's some absolute bright line between the public and private life.

While we're doing that for the Supreme Court, maybe we should also do it for other random jobs. It's idiotic to check every Facebook a job candidate has ever made to see if they've failed to toe the line at all times. Doing that favors worthless nonentities.

These pretenses are technologically obsolete, and people need to deal with that.

Comment: Re:actual judgement (Score 1) 563

by Hizonner (#32206800) Attached to: German User Fined For Having an Open Wi-Fi

My point is that you should not be liable to anybody at all, for anything. By imposing liability for something, the law is, in effect, saying that that behavior is forbidden. I can murder people, too, but I'll be subject to a criminal penalty because the law forbids murder. More to the point, I can fail to perform on a contract, but I'll be liable for civil damages because the law forbids not performing on contracts. Sorry if German law doesn't have the criminal/civil distinction, but I think it probably does.

To push the car analogy, your approach says that, if I lend my car to my friend, who is a licensed driver with a reasonable record, and if my friend scrapes somebody's fender (which is closer than running over somebody to the level of damage you can do via WiFi), then I should pay for the fender. You may in fact believe that. I don't.

Comment: Re:actual judgement (Score 1) 563

by Hizonner (#32205570) Attached to: German User Fined For Having an Open Wi-Fi

If I were an official of the American government, speaking in my official capacity, you'd be right.

Since I'm not, I'm free to criticize any law, anywhere in the world, and to say what I think should happen anywhere in the world. I am a human being, and that means that, in this and many, many other situations, I outrank artificial constructs like nation states.

I'm happy to listen to German opinions on what should be done with American law. In fact, I think the US needs all the outside opinions it can get right now.

As for what mechanism the law uses to forbid open WiFi, that's not relevant. If it forbids open WiFi, which seems to be the case, then it needs to be changed. I don't care whether it's phrased in terms of "802.11[abg] without WPA-2", or in terms of "personal responsibility". If the effect is to forbid open WiFi, it's not OK.

Comment: Re:actual judgement (Score 1) 563

by Hizonner (#32205534) Attached to: German User Fined For Having an Open Wi-Fi

I'm perfectly well aware that Germany is a civil law country. What does that have to do with the fact that the law shouldn't forbid running an open WiFi network? I didn't say by what process it should be changed. Taking a German court at its word on its interpretation of German civil law is not the same thing as saying the court makes the law.

And, according to the summaries I've seen of the decision, the court in fact said that, according to local law, you effectively can't run an open WiFi network. That's because any remotely effective "precautions against abuse" make the network not open any more. A network is not open if you need to have a password to join it. It's also not open if it's so loaded up with filters that you can't do anything interesting with it.

I doubt the law will accept a mere pretense of precautions; you're going to have to have a real expectation that what you're doing will work, and that means no open networks.

Comment: Re:Bad Precedent (Score 1) 563

by Hizonner (#32195498) Attached to: German User Fined For Having an Open Wi-Fi

I can anonymously give or sell people all kinds of things that they could use to commit crimes, and that is a good thing.

Internet access isn't particularly dangerous. Most of the uses of it aren't illegal at all. The actual, direct harm you can cause with it is usually a lot less than the harm you can cause with, say, a hammer. You can buy a hammer with no questions asked down at the hardware store. As long as I have no special reason to believe that that specific person intends to use it illegally, I can also give a hammer to a random person in the street. Same thing for thousands of other objects and services... in fact, for almost all objects and services.

I do, and will continue to, run an open WiFi access point. I really don't give a flying fuck about your issues with that. You're just gonna have to deal. Not everybody wants to live in your world.

Comment: Re:actual judgement (Score 1) 563

by Hizonner (#32194708) Attached to: German User Fined For Having an Open Wi-Fi

I should presumably also be fined if somebody commits a crime using M&Ms from the candy jar on my desk.

There is no legal requirement in the US for an ISP to know who its customers are, nor should there be. Certain people would like to make every citizen responsible for enforcing everything, and not let anybody do anything without being tracked by the Man... but luckily those particular evil forces haven't completely won yet.

I have no idea about German law, other than that, to the extent that it forbids running an open WiFi network, German law needs to be changed.

Comment: Re:[Citation needed] (Score 1) 115

by Hizonner (#32142390) Attached to: Crackdown On Counterfeit Networking Gear

There's no hardcoded password in that "lawful intercept" stuff. There are bugs in it, and the auditing is inadequate, but it's not like just anybody who knows a password can turn it on, nor can any law enforcement or spy agency turn it on without help from the carrier. The bugs are more like it not complaining loudly enough when somebody tries to brute-force the password the operator has set.

Don't get me wrong. "Lawful intercept" is a bad idea and a huge security hole in every vendor's products (not just Cisco's). But there's a big difference between a documented set of features that have bugs, and an intentional, hidden, sooper-sekrit "back door" with a fixed password.

All carrier products from all vendors have wiretapping support, because it's required by law in a boatload of places. It's stupid and evil to have those laws, but they were openly debated and openly adopted, and the technology that implements them is openly described. Furthermore, using it requires the carrier to participate in the wiretap process; law enforcement can't do it by itself. The problem those articles describe is that it's hackable... which is something the vendors, probably including Cisco, warned could happen when the laws were adopted.

No conspiracy there, I'm afraid.
