One year later – DRM-free ebooks hugely positive for Tor

New York Times technology columnist David Pogue discussed the decision last year by Tor Books UK and US to drop copy protection. Tor has just released a statement regarding the effect of its DRM-free ebooks after one year.

His column deftly discusses the tension between consumers who want the inconvenience of encryption eliminated and concerns that DRM targets lawful consumers far more than those acquiring illegally distributed copies. Although he does not address the plethora of DRM-free versions on BitTorrent sites, he notes that the changes to DRM for commercial products might affect the rate of piracy, but not the existence of piracy.

The Tor announcement highlighted a few other features of their strategy. First, the strategy was about their authors and the goals of the authors to engage more effectively with their readers. Secondly, as a science fiction imprint, their readership is among the most capable of getting DRM-free copies, so the publisher needs to make the consumer happy more than it needs to protect itself from the consumer. And finally, the decision to eliminate DRM does not mean that the works are not for-profit, on-sale copies. This statement captures many of Tor’s concerns:

We had discussions with our authors before we made the move and we considered very carefully the two key concerns for any publisher when stripping out the DRM from ebooks: copyright protection and territoriality of sales. Protecting our author’s intellectual copyright will always be of a key concern to us and we have very stringent anti-piracy controls in place. But DRM-protected titles are still subject to piracy, and we believe a great majority of readers are just as against piracy as publishers are, understanding that piracy impacts on an author’s ability to earn an income from their creative work. As it is, we’ve seen no discernible increase in piracy on any of our titles, despite them being DRM-free for nearly a year.

Pogue suggests but does not state outright that DRM is an ineffective strategy for reducing piracy. But he is very explicit that the point of an anti-piracy policy is to increase sales and revenue. DRM-free does not mean without cost. iTunes sells its music even though it dropped DRM. He also points out that his own books have fared similarly in the market.

If book consumers thought that everyone in the household could easily read the same book (in the manner that a family can share a physical book), they might be more willing to spend money to own the ebook. For works that have no physical cost, the increase in unauthorized copies is not the right metric. The right question is whether more customers will purchase the work. If more copies are sold, the work is more successful, even if more copies are also pirated.

Pogue makes another strong point that the ease of the transaction directly impacts sales. “Friction also matters. That’s why Apple and Amazon have had such success with the single click-to-buy button. To avoid piracy, it’s not enough to offer people a good product at a fair price. You also have to make buying as effortless as possible.” High transaction costs are reasonable only for expensive, infrequent purchases. Weight is a normal force on friction; only weighty purchases should have high friction.

Finally, Pogue addresses the pricing of ebooks. Frankly, he is more generous to the publishers than I would be on this issue by acknowledging the costs associated with “author advance, editing, indexing, design, promotion, and so on” but, as in the music industry, the investments are declining. The public is likely to value the fair price point of an ebook as a percentage of its physical counterpart. If the physical copy has a secondary market in the used bookstore, then the loss of resale also needs to be factored in for the consumer. Otherwise the consumer is only paying for the convenience of instant access, and if the instant access is undermined by kludgy DRM, there is no value to be had.

Tor heard this from its constituents:

But the most heartening reaction for us was from the readers and authors who were thrilled that we’d listened and actually done something about a key issue that was so close to their hearts. They almost broke Twitter and Facebook with their enthusiastic responses. Gary Gibson, author of The Thousand Emperors tweeted: “Best news I’ve heard all day.” Jay Kristoff, author of Stormdancer, called it “a visionary and dramatic step . . . a victory for consumers, and a red-letter day in the history of publishing.”

Tor never says it has become more profitable, but the company does relish the role it is taking in leading the publishing industry towards a more consumer-friendly business model.

The move has been a hugely positive one for us, it’s helped establish Tor and Tor UK as an imprint that listens to its readers and authors when they approach us with a mutual concern—and for that we’ve gained an amazing amount of support and loyalty from the community. And a year on we’re still pleased that we took this step with the imprint and continue to publish all of Tor UK’s titles DRM-free.

So the lesson from Tor is simple – for low-cost impulse purchases DRM doesn’t add value. High quality, fairly priced, and easy to access works will continue to attract a growing market. These are the points of emphasis and differentiation for the marketplace. DRM may be a legal solution, but it is not a sound business strategy.

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Perhaps triggered by the New York Times coverage of Google Glass, the FTC announced both a call for submissions and a workshop related to the Internet of Things and its implications for privacy, fair trade practice, and the security of both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.  The devices can provide important benefits to consumers:  they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable, pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near, technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer’s reliance on its systems. Companies that do not understand how this engagement will occur, risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and target pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public’s estimation of the company.

The FTC submissions and workshop are overdue. Reading the New York Times quote regarding app developers, there is a sense that unlike the technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor quantity concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.


[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).

NYPD Issues social media policy to stop embarrassment from private comments

Facing increased criticism over the conduct of police officials and firemen, New York City has issued strict social media policies focused on tamping down the offending comments of its officers. New York City Police Commissioner Raymond W. Kelly ordered the distribution of the new guidelines to regulate the comments and impact of the officers’ social media activities. The policy does not cover firefighters, though reports suggest a similar policy is under development.

As the New York Times reports, “police officers across the city checked their accounts to see if anything they had posted might run afoul of the new rules. Some edited their personal accounts to remove references to the department.” The Times quoted Roy T. Richter, president of the Captains Endowment Association. “Such an order is not unexpected. The only surprise is that the order was not put out before now.”

The new policy comes on the heels of very public incidents involving social media, including racially inappropriate tweets that led to the resignation of the fire commissioner’s son. Kelly denied the policy was a direct result of the incident, saying the order’s development predated this latest incident.

Robert Gonzelez, a police training expert at John Jay College, has been quoted as saying the guidelines constitute “unauthorized censorship. Members of the NYPD are proud public officials and should be authorized to express that right on social media sites without retribution.”

The NLRB has been very aggressive in voiding social media policies that interfere with the rights of workers to organize. The Operations Management Memo has found most social media policies overbroad. Among the limitations on social media policies, employees have the right to wear company logos even when protesting working conditions. Policies that prohibit their right to self-identify as employees or to wear uniforms outside of work are a violation of these rights.

Compare those policies to the NYPD guidelines as reported by the New York Times:

The policy restricts posting photos of other officers, tagging them in photos or putting photos of themselves in uniform — except at police ceremonies — on any social media site.

Employees are “urged not to disclose or allude to their status” online. Disclosing one’s employment could result in that person being ineligible for certain sensitive roles.

The New York Times correctly lists other aspects of the policy as good practice and appropriate: “Do not post images of crime scenes, witness statements or other nonpublic information gained through work as a police officer; do not engage with witnesses, victims or defense lawyers; do not “friend” or “follow” minors encountered on the job.”

Once the initial bad press of online misuse fades, the issue of government limitations on employees’ social media will again rise to the surface as a significant issue for employment in the public sector. The NYPD guidelines provide fuel rather than direction for this debate.

New York Times disclosure of cyber-attacks should pave way for greater corporate engagement and a critical infrastructure executive order

Seal of the White House Office of Homeland Security, which was formed by executive order on October 8, 2001 (http://www.whitehouse.gov/news/releases/2001/10/20011008-2.html) and later grew into the United States Department of Homeland Security. (Photo credit: Wikipedia)

With the lead story in the New York Times focused on its own failure to defend from Chinese political computer hacking, there is a renewed concern regarding the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 Sectors identified as part of the critical infrastructure, the focus is on the telecommunications network rather than the content itself. Nonetheless, the continuing attack which lasted over four months raises serious questions regarding the ability of organizations to effectively defend themselves against a serious professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.”

The nature of the exposure has also changed. Instead of attacks targeted at firewalls, the campaign is now conducted through phishing – bogus links in innocuous emails that open the firewall to allow installation of “remote access tools” — or RATs.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”

To meet this threat the Department of Homeland Security established the Office of Infrastructure Protection in 2002. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real. The Washington Post has reported on overseas attacks which target utilities, including one which gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligation of companies in the 18 sectors which provide our critical infrastructure but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order which will highlight the obligation to respond to a notice of imminent threat or to update the capacity to respond to a cyber-attack by any organization within one of the sectors which receives a governmental notice. A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.