Keep Data Secret, Keep Data Safe.

Privacy and Security are two different words, so it is reasonable to ask if there is a difference between “Data privacy” and “Data Security.” The terms seem to be used interchangeably a lot, but I think there is a difference that affects how we think about the issues and that guides how we approach solutions to protecting information.

The standard industry analysis is that Data Security is “confidentiality, integrity, and availability,” while Data Privacy is about the “appropriate use” of the data (I think this is better understood as asking “are only the right people seeing the data?”).

If you’ve seen the movie (and you should have), you remember this moment:

When Gandalf leaves Frodo with the One Ring, he admonishes him: “Keep it Secret. Keep it Safe.” Is this one instruction, or two? Are safety and security of a thing the same thing, or two different dimensions of protection?

  1. Secrecy as Privacy.

One of the most interesting discussions I had in law school began with a professor asking “What good is Privacy?” Some academics and jurists, like Judge Posner, have challenged privacy as inefficient; it is the right of criminals to hide their activities and avoid detection or evade conviction by concealing evidence. Advocates of this position assert that non-criminals do not need privacy, while privacy greatly advances the efforts of criminals.

However, privacy is also how we keep information away from criminals. In the digital world, information is everything, so keeping information away from criminals prevents harm. While non-criminals might not fear other non-criminals accessing financial information, certainly they would not want criminals to have the tools to access their bank accounts.

Privacy is an element of security, but it is not the same thing as security. One of the best ways to keep a secret is for people to not know you have a secret; people don’t rob vaults they don’t know exist. However, you wouldn’t leave your valuables unguarded and rely solely on the hope that no one ever finds out about them. Security is always a prudent consideration. (Though there might be interesting strategic choices in minimizing security to maximize secrecy…)

  2. Safety as Security.

I thought it was a little odd that the US government considers “integrity” one of three prongs of data security. “Confidentiality” makes sense (see the point on secrecy), and “availability” is an often overlooked part of security. Your money would be very safe if you shot your life savings into space, but that’s the kind of security plan we might call “not thought through to step two.” But why would the reliability and accuracy of the data be part of the security of the data? We don’t evaluate the security of a bank vault on the basis of whether the currency it protects is undermined by inflation or monetary policy decisions.

I think this prong shows one of the dissimilarities between physical security and cybersecurity. We are rarely concerned about the sabotage of physical things we protect, just as we are not often concerned about physical objects being copied (as data can be copied). Data is subject to minor alterations that can corrupt it to render it unreadable or unsafe to use. In some cases, the fact of the data being shared might render the data less valuable (particularly for military intelligence).

  3. So, Gandalf has a pretty good privacy policy. By keeping a Ring secret, it is easier to keep safe; by recognizing the difference between safety and secrecy, he is able to give Frodo a more robust policy to guard the fate of Middle Earth.

Of course, if Gollum yelps out “SHIRE! BAGGINS!” the data will be compromised and new measures and methods will become necessary… But “The Fellowship of Data Protection” is a blog post for another day.

T[i]M[e] for Teemo!

Lots of times, people never ask me “Mr. Not-At-All-A-Lawyerman, how can the US Patent and Trademark Office’s filing system and database benefit ME, a humble urchin-child with a cockney accent and sooty cheeks?”

After pretending to check the time on a jewel-encrusted golden pocket watch (which doesn’t work because it’s plastic), I tuck the fob back into my waistcoat and playfully tussle the child’s wool cap and say “Well, Xavierathon, you like Teemo, don’t you?”

“He’s my favorite,” always comes the excited reply.

“Well, let’s go on a magical adventure into the Trademark Electronic Search System, and see if we can learn about Teemo.”

“But what can we learn about Teemo from a database of registered trademarks?”

Trademarks are very much about business. When business people want to protect their ideas, they can use copyrights or trademarks (or some other things that won’t help Teemo). Since Teemo has become such a mascot for Riot and League of Legends, the business people at Riot Games, Inc. decided to protect the connection between Teemo and their business. The way they decided to protect that connection was through a federal trademark registration:

Teemo 1A

The only thing I find surprising about this is that they didn’t file the registration until December of 2014. I suppose they wanted to wait until the world championship was all wrapped up. But this is only one of two registrations Riot has for Teemo, and the second one is tantalizing:

Teemo 1B

The tantalization is a two-parter: the filing basis and the goods description. The first registration was filed on the basis of “1A,” meaning the product (the video game) was already out in the market and Teemo was all over it. This second registration, however, is filed on the basis of “1B.” That is the filing basis of “Intent to Use,” and the company registering the mark promises that they plan to use this mark in commerce in the next 6 months.

A trademark is always used in connection with some good or service. For the first Teemo registration, the good is the game and the service is the ongoing support of the game. For the second Teemo registration, the goods include a lot of clothing items and… “toy action figures.”

What important lesson do we learn from the trademark database?

Action. Figure. Teemo.

Just to be clear: This is all public information. You don’t need a special password to use TESS or read applications for trademarks before the USPTO. You don’t have to sneak into Riot Offices to find out about this. Trademarks are one way that you can read signals of a business strategy. As businesses depend more and more on brand recognition and good will, trademarks become another language of business, like finance or marketing.

The sad, hidden snag about this is that a 1B application isn’t a promise to actually make the product(s) described on the application; it is a promise that there is currently a plan to make the product(s). So this application is not exactly a promissory note for a Teemo Action Figure. It is more like a promise that Riot has seriously thought about it.
But that’s still exciting for little Xavierathon.

Patch Updates for Law; Words for Evil

Making a good game is surprisingly difficult. A good game needs to be balanced. It needs to be equally fair to play as any team, or have reasonable opportunities to overcome challenges and obstacles. Some games aren’t as concerned with balance issues, but many competitive multiplayer games have extensive metagame discussions about balance. Developers try to balance the game as carefully as possible before release. However, patches are inevitable and expected.

Making a good law is surprisingly difficult, as well, and one of the biggest issues is also balance. Laws exist to protect the rights and interests of multiple parties, often in situations where they may be competing with each other. The legislative process, like the game development process, tries to make the law as balanced and complete as possible. However, there is often a need for additional clarity or balancing after the law is enacted. In a common law system, this is usually done by appellate judges.

Both games and law have to balance carefully, thoughtfully, and slowly. Neither wants to make a quick change, only to undo the change in the next iteration. Competitive games and law both benefit from stability and predictability, and participants often react strongly to new balancing efforts: both types of updates, if they make major changes, are likely to incite passionate debate.

For a game, updates and balance patches come up as the game company observes data from gameplay and theory crafting to identify and analyze imbalances within the game. Balance patches for law are also the result of identified problems that come before courts as disputes or complaints. However, for a game, the balancing is done as some function of the data within the game: numerical values of some kind are changed (distance, damage, time, etc). In law, the update is often a function of how a piece of language is understood. Language is for law what code is for a game. (There is good reason the different approaches to code are often called “programming languages.”)

Many parts of the law are collections of terms whose meanings are subject to a multitude of organic, unstable factors. Technological advancements challenge meanings ranging from what is “reasonable” equipment for a commercial ship to how private citizens might understand their “right to privacy.” Ever-changing cultural norms will determine what “community standards” are applied in determining whether something is obscene.

I realized before writing this that a lot of my posts end up talking about language. I knew this post was heading there again, and I went ahead with it anyway. Part of my obsession is a bit idiosyncratic: a lot of the focus of my studies is on intellectual property, and the roles of language and meaning are even more pronounced in that area than most. Though any contract, will, corporate bylaw, lien, or criminal confession is ultimately about the words and meaning we draw from (or ascribe to) that glob of language. As foundational as language is to law, I think my interest in it goes beyond my studies. Language has to do with the human experience: how we think, how we know, how we connect, how we perceive reality and understand our fellow humans and ourselves.

“Words for Evil” is a simple game; the central mechanic is basically “Boggle.” You advance through the game by creating words using adjoining letters in a randomized grid. As you find words, your character will fight monsters or unlock treasure chests or evade traps. The underlying message of the game is that language itself moves you through the world. Just as in our daily lives, there can be problems in using language to affect the world around us. I have tried to input several strings of letters into the game which were rejected as words; I also made random, desperate guesses as to what might be accepted as language and was rewarded with success. We have the first experience in our lives fairly often: we say something but are misunderstood. The analogy of the second experience, I think, is more suggestive of some of the understanding of what language is and what it means to know language. I do not think we often make random, desperate noises and find that someone will understand them as a coherent expression and aid us according to our will. But if that has happened, I want to hear about it in the comments section.

Capitalism FAQ: Should You Respect or Abuse Your Customers?

No one likes to see a winner kicking the loser on the ground (unless we really, really hate the loser). We accept within our society that there are differences between people: that some will be more powerful or wealthy than others, and that’s just part of life. One of the limits on our acceptance of some inequality is the visceral rejection we have of abuse, of excessive exercises of power that do more to satisfy a desire to exercise power than actually further some external cause.

So, that’s one reason to be unhappy with Taylor Swift and Katy Perry right now.

These two ladies, through their lawyers and legal entities, are making great efforts to enforce intellectual property law against their fans, the very people who support and adore and ultimately finance their lives. There is good reason for us to judge harshly the multi-millionaires who attack the average citizen, but this is not a blog on Marxism or justice or truth. I’m here to write about law and video games.

So, let’s compare two approaches to intellectual property law in the 21st century. Let’s compare the business models and legal approaches of TS/KP with RiotGames, Inc. The framework to keep in mind is that most intellectual property laws don’t have to be enforced. There is no rule that you have to go after people for copyright or trademark infringements (generally). Yes, there are some sacrifices you make by not enforcing some of your rights, but it’s still a choice.

Though neither of them would like it (I guess they’re in some kind of feud, because being rich, acclaimed, and famous isn’t enough to overcome basic human failures), I’m comfortable using TS and KP interchangeably for this analysis. They offer the same goods and services for pretty much the same prices. So, their business model is $1 songs on iTunes, monetizing YouTube music videos, $100 concert tickets, royalties for radio and online audio services, sponsorships, appearances, and merchandise. They (with their enormous business operations) make musical products and sell them in the same way that musicians have since radio (with basic adaptations of the same model for television and internet).

RiotGames, Inc. develops, publishes, and maintains one of the most played video games in the world. Riot does not charge anyone to play the game. They do not charge for downloading, registering, playing, or for any other use of the game permitted by the EULA and TOS agreements. They will accept money for optional, purely aesthetic enhancements to the game, but this is the extent of their revenue (not counting their e-sports operation, which is distinct from the game and heavily guarded by NDAs that make analysis and explication difficult, if not impossible).

It seems obvious, even intuitive, that the business approach which demands more money would be the one to allow fans leniency with intellectual property. After all, KP/TS take in millions each year, so they certainly don’t need the extra potential money from meager merchandise sales to cover their expenses. Of course, for reasons we don’t need to explore, TS/KP are hell-bent on making sure their fans get no enjoyment from their manufactured musical entertainment apparatus without permission and a fee.

Equally intuitive is the idea that a company that gives away its only product must certainly be cautious and guarded with its intellectual property. That company needs alternative revenue sources, and almost everything it does is only recognized in a world of strong copyright and trademark protection. And yet, RiotGames has actively encouraged fans to interact with their work in every medium of creative expression. They even created a venue for fans to share and display their art, music, videos, poetry, and sculptures.

Here we have two different models, laid out for comparison. There are several questions worth asking: Which model is ethical? Which model shows respect for the fans, for the art, and for the artist? Which model engenders a sense of community and mutual appreciation? Which model will thrive in the 21st century?

For those who feel that, at the end of the day, the bottom line on the balance sheet is what matters, and should be what guides and justifies business and legal choices, here are those important numbers:

KP: 110 million

TS: 180 million

RiotGames, Inc: 624 million (2013), maybe over 999 million in 2014.


Child[ren] of Light [in Fiber Optic Cables]: Battling the Monster of Data Vulnerability

I. Like so many other gamers, I usually have some complaints about a game: some buggy feature in the UI, some design choice that manages to annoy me throughout the entire game, repetitive music that grates on my nerves, etc. It doesn’t mean the game is bad, but just that I see some room for improvement. I don’t know how I would improve Child of Light. It has a wonderful story, beautiful art, fun and interesting combat, characters I can care about, and not much else. I think that was one of the strongest points of the game—its leanness. The developers did not burden the game with extra fluff; they edited the game down to what was essential, and worked to make that as excellent as they could. The only thing that I didn’t love about the game was that I had to play it through Uplay (after buying and installing it through Steam). The absurdity and frustration of one game distribution platform directing me to another game distribution platform occupied my mind as I played the opening levels of Child of Light. As I played a coming-of-age tale about a loss of innocence and the fight to defend oneself and loved ones in a hostile world, I saw the obvious comparison to the coming-of-age of cyberspace, and the fight to defend data and identity in a hostile world. The first point I thought of was how efforts to protect against piracy are often misguided, but I then thought about data protection more generally.

II. As the protagonist, young Aurora grows as she faces a dangerous world. Coming-of-age stories are about the loss of protection and the discovery of vulnerability in a dangerous and unforgiving world. The internet has had its own coming-of-age progress. It has grown from a nascent state of limited, careful users who protected and cared for it to being used by billions of people every day, with billions of dollars spent maintaining and attempting to control or harness it in one way or another. From businesses who use the internet to conduct business, to businesses whose business is conducting internet through cables and wireless transmissions, to government agencies to anarchist hackers, everyone wants to govern the data of the internet.

III. So, in response to the rising threat of hackers and errors, passwords and encryption became ubiquitous. But despite putting a deadbolt on the door, the data frequently seeps through cracks at the hinges or under a window left slightly ajar. Think about the ways our “data” escapes our control:

– Large-scale database hacks (PlayStation Network, HomeDepot, Target, AT&T, Steam, etc.)
– Private, small hacks (phishing scams, ATM card readers, discarded paper mail, keylogging)
– Third party purchases
– We publish it without realizing it, or thinking about the consequences.

We don’t hear about a lot of people losing their data because of weak personal passwords. In the 80s and 90s (and sometimes beyond), most films that depicted some kind of cybersecurity breach showed someone sneaking into a researched area and guessing (or using a previously obtained) password. I have a constant background fear for my data, but not because I think someone might guess one of my passwords. It’s because my data is already out there, entrusted to dozens of companies.

IV. In Child of Light, combat allows for either physical or magical attacks. Each character has corresponding defensive stats for each kind of attack: physical resistance and magical resistance (nothing new for the RPG genre); high physical resistances do nothing to protect against magical attacks. In the same way, my setting an extremely strong, 28-character login for my laptop does not protect my credit card information from getting stolen from the servers of Steam or AT&T or AcmeCorp. (Hopefully, their hash functions do!)

As we come of age, we learn to lock doors to houses and cars, and exercise basic, sound judgment about safety in public. People need to become educated about cybersecurity. Everyone, from the most average consumer purchasing on Amazon, to network and IT administrators of large corporations and government offices, needs to think about what the real threats are and what measures are helpful and productive in protecting data. Given the way data has been compromised in the last two years, I am inclined to think that monthly password changes with the usual set of enormously restrictive requirements are not always the best or most pertinent protection.

Year-End Special Four-Part Special: Methods of Power in and around StarCraft II

One of the central questions in both Philosophy of Law and Social and Political Philosophy is “What is power?” Quite a bit of philosophy is interested in understanding the concept of power, often before making value judgments about its use and limits. StarCraft II is a multi-leveled study in power, through gameplay, story, and the impact of the game on the world.

As a real-time strategy game StarCraft II is about controlling and using resources to gain power. Furthermore, each of the three races within the game explores this theme in a unique way, and each of those different explorations illustrates a piece of the way that StarCraft II explains and demonstrates South Korea’s pioneering and excellence in e-sports.

For the Terrans, power is about building and controlling infrastructure—the media and information are key elements in the story and game. For the Zerg, power comes largely through infestation—through being present and connecting with sources of power and with the general Zerg population. For the Protoss, power is considered to be the result of knowledge and wisdom. All of these different approaches can be used to understand why South Korea is such a consistently dominant force in e-Sports.

[Part 1] The Wind Beneath the Wings of Liberty: “For Universe News Network, I’m Kate Lockwell.”

One of my favorite options throughout the Terran campaign was the interaction with the UNN news reports, and the obvious government control and bias against the heroes. What I thought was a fun gimmick took center stage in the plot when the protagonist rebels discovered incriminating recordings of the corrupt Emperor. The heroes chose to hack into the broadcast network and disseminate the incriminating statements, thus turning the “hearts and minds” of the people against the corrupt government. Advancing the revolution was a matter of controlling the infrastructure (in this case, the media infrastructure). For Raynor’s Raiders, power was about controlling information through existing systems, and was worth “a hundred battles.”

In more broad terms, power came from controlling the resources of information and the means of distributing that information. Jim Raynor’s observations that the government had used the media against his cause for years, and his fear that the government would only spin the incident and regain control, show the power of the media. While this is largely a statement about media as a special kind of access to the power of controlling a very large population, it is also a commentary on the strategic value of controlling any element of infrastructure. For the Rebellion against Mengsk’s Confederacy, control over UNN was as important as any military base or research facility or arms manufacturing plant.

It is easy to see the strategic value in controlling existing infrastructures and making them work for your own cause—indeed, there may seem to be no reasonable alternative. However, the Zerg’s interaction with existing infrastructure differs a little from the Terran method.