Saturday 20 November 2010

Is access control modern day protectionism?


There is a real tension boiling up between content owners and content consumers.

In a recent US legal case Ticketmaster was successful in getting Wiseguy Tickets prosecuted for "conspiracy to commit wire fraud and hacking" with maximum prison sentences of five years and a $250,000 fine.

What was the crime? It was finding ways to by-pass Ticketmaster's CAPTCHA technology which was put in place to try and stop people from automating the process of buying event tickets. They were basically using multiple computers to buy tickets for events in an automated way so that they could do it more quickly and do more of it.

Now you can argue that Wiseguy Tickets were essentially ticket touts, purchasing tickets to sell on and depriving "normal" consumers of an opportunity to buy them - but this wasn't what they were prosecuted for - they were basically prosecuted for hacking.

Even though they essentially only gained access to the same screens and information that everyone else could see, the means in which they gained access - bypassing Ticketmaster user controls - constituted computer hacking.

As Jennifer Granick, Civil Liberties Director at Electronic Frontier Foundation said in a press conference:-

"Anyone who disregards — or doesn’t read — the terms of service on any website could face computer crime charges. Price-comparison services, social network aggregators and users who skim a few years off their ages could all be criminals if the government prevails.”

In a separate case, record label EMI is suing MP3tunes which is a cloud storage solution that allows users to upload their music and then play this from any device/location, arguing:-

“[MP3tunes] does not own the music it exploits; nor does MP3tunes have any legal right or authority to use or exploit that music"

To top all this off, a new law - the Combating Online Infringement and Counterfeits Act (COICA) - is currently in the process of being passed in the US which will essentially "give the Attorney General the right to shut down websites with a court order if copyright infringement is deemed “central to the activity” of the site — regardless if the website has actually committed a crime."

In contrast to all of this however, there was a recent example reported on by Bank2.0 of someone who "disregard[ed] the terms of service" of a company - and actually got thanked for it.

The company was the second largest bank in Russia, VTB24 and they were in the process of building their own iPhone app, but budget constraints meant they couldn't invest in it until 2011. They were surprised then to see a tweet stating:-

"Great to see VTB24 finally has their iPhone app!"

On further investigation - and initially suspecting fraud/phishing - they found the app had been developed by a customer who had re-used their existing WAP site to create a working API for the iPhone app.

When asked why he'd done it the customer replied:-

"Well, I wanted iPhone banking and you guys didn't have it"

In story that could have been written by Disney, VTB24 have since hired the developer and now have a live iPhone app - and everyone lives happily ever after.

What's interesting about this example though is the fine line companies walk. On the one hand, Ticketmaster is prosecuting users for "leveraging" their website for another purpose, and on the other a major Russian bank is hiring the person "leveraging" theirs.

Ultimately, when something is let out into the wild - whether it's an internet site or a new product like Xbox Kinect (hack 1 / hack 2 / hack 3)- people will always want to extend it and re-purpose it. Companies may need to protect their content - but increasingly they will struggle to protect how it's consumed.

If companies start using legislation however to define and constrain this re-use to protect their business model, rather than trying to solve the actual business problem, it could harm innovation for all.

Whether it's music, tickets, banking or loyalty programmes, providing ways for consumers to retrieve, consume and share information is ultimately going to be a better policy to embrace than trying to build more and more protection around it.