Soylent and Proposition 65

Lots of people have been gleefully reposting links to a PR Newswire press release from a group who are suing the makers of Soylent for failing to comply with California’s Proposition 65.

Test results commissioned by As You Sow, conducted by an independent laboratory, show that one serving of Soylent 1.5 can expose a consumer to a concentration of lead that is 12 to 25 times above California’s Safe Harbor level for reproductive health, and a concentration of cadmium that is at least 4 times greater than the Safe Harbor level for cadmium. Two separate samples of Soylent 1.5 were tested.

Which sounds terrible, until you look at how California’s Safe Harbor levels compare with ordinary food:

When the State of California conducted a soil-lead-uptake analysis of its own soil, from 70 different locations, they found that most vegetables averaged four times the Prop 65 lead limits.

That’s according to Dr. Edward F. Group III. But let’s get some more definitive information…

You can check out cadmium and lead levels for common foods from an FDA study, and there’s a spreadsheet with comparisons to Soylent that’s linked from the Soylent Proposition 65 disclosure FAQ page. The cadmium exposure from Soylent 1.5, while relatively high, is equivalent to eating two cups of spinach.

Compare with European standards for acceptable lead and cadmium exposure. Europe allows cadmium levels of up to 3mg/kg for seaweed-derived products, and 1mg/kg for many other foods including kidney meat and some seafoods. Soylent’s level is 0.186mg/kg, which is safely under the limit for wheat, rice and soybeans. (Rice is a major ingredient of Soylent.)

Similarly, Europe’s standards for acceptable lead exposure go up to 1.5mg/kg for some seafoods. Soylent’s level is 0.043mg/kg, which is well under the limit set for fresh vegetables. So by European standards, Soylent is within the limits for the raw grains and vegetables you’re supposed to be eating. I’m all for minimizing exposure to heavy metals, but let’s not hyperbolically claim that Soylent is poisoning people, as I’ve seen people do on Twitter.

With European standards in mind, let’s consider California’s Proposition 65 safe harbor levels as listed in the official documents. The California limit for cadmium is 4.1 µg/day, and the lead level is 15 µg/day. Note, that’s micrograms in an entire day’s food. Yet by my calculations, one 40g FDA-standard cup of spinach in a salad and you’re already at nearly double the California limit for cadmium.

So the only reason you don’t see Proposition 65 warnings on your salad is that natural foods are specifically exempted from Proposition 65. If they weren’t, practically everything in Whole Foods would need a warning label. To illustrate this, the American Council on Science and Health threatened to sue Whole Foods for not putting warning labels on its fresh bread.

Also, in spite of the name, the “Safe Harbor” limits are not safe limits for human consumption. Rather, they are limits below which foods are considered so safe that they don’t need a warning label. For instance, in the case of carcinogens, they correspond to no significant risk levels.

So why the lawsuits? As the ACSH explains:

Bounty hunters can earn up to $3,000 a day for each day a manufacturer is in violation of Prop. 65’s labeling requirement, Stier said. Some environmental activist groups in California exist solely to bring Prop. 65 lawsuits against manufacturers, he added.

If “As You Sow” can show that Soylent failed to put Proposition 65 notices on its web site for a few months after starting to ship product, they can cash in. I’m sure that’s not their only motivation for the lawsuit, but I bet it helps.

Finally, consider the EPA limits on lead and cadmium in your drinking water: 0.005mg/l for cadmium, and 0.015mg/l as the “action level” for lead. So if you drink the 2 liters of water a day recommended by many, you could be drinking nearly twice the California limit for lead and 20x the limit for cadmium, in your drinking water alone, and that would be considered perfectly safe with no action required.

Look, I’m all for minimizing heavy metal exposure from foods, and I get that Rob Rhinehart is a bit of a crank, and that it’s fun to pile on and mock him. But can we please not take everything on PRNewswire at face value? Remember, absolutely anyone can get anything they like published on PRNewswire just by paying.

Explaining SOPA

A lot of people are concerned about SOPA, the Stop Online Piracy Act. There are plenty of pages that say that it will destroy the Internet, but very few that explain clearly exactly why. It has also become clear that the politicians writing the law have no idea how the Internet actually works. So here is my attempt to explain it all.

Let me start by explaining DNS, using a situation that doesn’t involve computers, that hopefully anyone can understand.

Imagine a server on the Internet as being like an office building in 1973. No computers. No mobile phones. Just an office building with an expensive business phone line, internal phones connected by wires, and a receptionist with switchboard and a single phone line connected to the outside world.

The server has an IP address. That’s like the office building’s telephone number.

The web sites on that server are like the people who work in the office building. So talking to John Smith is like reading John Smith’s web site.

Now, when your web browser connects to John Smith’s web site, it looks up the IP address of the site, connects to the web host, and requests John Smith’s web site via HTTP. The request is then routed to the appropriate page.

That sounded complicated, so let’s translate it into our telephone analogy:

When you want to talk to John Smith, you look up the phone number of the building he works in, call that number, and ask to talk to John Smith, and you’re put through to him.

Note that unrelated people can work in the same office building and be reached through the same phone number. This is just like the Internet, where there can be multiple unrelated web sites on the same server at the same IP address. What about the different pages of a web site? Well, those are like talking to the owner of the web site about different topics.

OK. Next problem: DNS is distributed. How do we explain that?

Well, at work in 1973, when I want to know somebody’s telephone number, I look in my address book. If it’s not there, I look the number up in the company telephone directory, and make a copy in my address book so I’ll find it quicker next time. If the number isn’t in the company directory, I get the big telephone directory from the phone company, and look in that. If it isn’t there, I call directory assistance, and they look in the really big master telephone directory that has every number in the country. And so on.

DNS is like that. If your computer knows the IP address of a web site because it has used it recently, it just goes ahead and connects (makes the call). Otherwise, it asks your ISP whether they have the IP address. If they don’t, your request for the IP address gets forwarded up to a higher-level server, and so on until we reach the so-called root servers, which are like the phone companies’ multi-volume master directories.

There are a few technical details not addressed by this analogy, but it’s close enough to explain basically how the system works.

So, now we can talk about the proposed SOPA legislation, the Stop Online Piracy Act.

The basic idea of SOPA is that if someone is accused of copyright violation, all the ISPs in America are required to block access to that person’s web site.

Put like that, it might sound quite reasonable. That’s probably how music and film industry lobbyists explain it to politicians. The problems become clear when you rephrase it for 1973 technology.

People are taping LPs, and giving tapes to friends who call them up on the phone and ask for a copy. So, if someone is accused of taping LPs, we will cut off the phones of the business he works at and remove his name from the phone directory.

Hopefully if you think about that for a moment, some obvious problems spring to mind. I’m going to talk about a few of them.

The first problem is that word “accused”. SOPA does not require any independent investigation. It does not require a lawsuit, or a trial, let alone a conviction. All that’s needed is for Polymer Records to accuse John Smith of taping their albums.

You might think that record companies can be trusted. Well, you might think that if you aren’t a musician, anyway. If you do, I’d suggest reading about some of the abuse of the Digital Millennium Copyright Act, DMCA. Just this last week, Universal Music Group have been issuing takedowns on YouTube for video recordings they don’t own the rights to. You might think it would never happen to you, but if you’ve ever uploaded a video of your kids singing Happy Birthday, well, that’s actionable copyright violation. The owners of The Birthday Song, Warner Brothers, collect about $2 million per year from demanding payment from people who sing it.

The second problem is this: Even if the record company is right, what about all the other people who work in the same office building? How are they going to do their work and earn a living?

A single IP address can host literally thousands of web sites, owned by people who are total strangers to each other. Blocking an IP address takes all those sites offline.

That’s not the only weapon against the Internet authorized by SOPA, though. It also allows for DNS-level blocking. That is, rather than taking out every single web site hosted at a particular IP address, it just takes out every page hosted at the same domain. Going back to our telephone analogy, when John Smith is accused of copying LPs, his name is struck from the telephone directory.

Our analogy fails somewhat here. On the Internet, a single name like Flickr or YouTube can represent tens of thousands of people. So the problem of ‘collateral damage’ isn’t eliminated, only reduced.

But the analogy does make clear a more constitutional issue: In what way is it any of the government’s business what the phone company prints in the telephone directory? If I want to run a telephone directory business with ads for dodgy massage parlors, it’s none of the government’s business. Or in Internet terms, if I choose to publish the information that happyendings.com is at IP address 2001:db8:0:1 then the First Amendment requires that I be free to do so.

There are technical issues too. At the moment, a lot of effort is going into making the Internet more secure by preventing DNS spoofing. Like crooks who put card skimmers on ATMs, DNS spoofers put fake entries in the Internet’s ‘telephone directory’, so that when you think you’re contacting the bank, you’re actually contacting a web server they own. They then collect your username and password, and use those to drain your account.

The solution is called DNSSEC, secure DNS. It uses digital signatures to ensure that only DNS entries signed by your bank will be accepted by your browser. If the signed and verified entry is missing from the directory, your computer goes out and probes servers around the world until it finds one that can provide signed and verified information.

The problem, of course, is that this is utterly incompatible with SOPA. If the government orders that happyendings.com be removed from the Internet, a computer with secure DNS will detect that the “No such web site” reply is not signed by the company that owns the domain. It will try other DNS servers, including those outside the USA and beyond US government control, until it gets a true answer.

So for SOPA’s DNS filtering to work, DNSSEC has to be abandoned or blocked. Which means that online fraudsters will carry on having a free pass to put digital ‘card skimmers’ on your bank’s web site.
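The lookup chain described earlier (address book, company directory, master directory) and the DNSSEC behaviour just described can be seen together in a small simulation. This is an added example, not code from the original post: each resolver is modelled as a cache in front of an upstream server, and the zone owner’s signature is simulated with an HMAC under a shared key, a stand-in for the public-key signatures and signed denial-of-existence records that real DNSSEC uses. The names (`shop.example`, `blocked.example`), the addresses, the key and the server labels are all constructed for illustration.

```python
"""Toy model of the DNS lookup chain and of a DNSSEC-validating client.

Added example, not the original post's code. Resolvers are caches in front
of an upstream; "signatures" are HMACs under a shared key (a stand-in for
real DNSSEC public-key signatures). All names, addresses and keys are
constructed.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

NXDOMAIN = "NXDOMAIN"                       # the "no such web site" reply
ZONE_KEY = b"constructed-zone-signing-key"  # constructed trust anchor

Answer = Tuple[str, Optional[str]]  # (address or NXDOMAIN, signature or None)


def sign(name: str, answer: str) -> str:
    """Zone owner's signature binding a name to its answer (or its denial)."""
    msg = f"{name}|{answer}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def verify(name: str, answer: str, sig: Optional[str]) -> bool:
    """A validating client accepts an answer only if the signature checks out."""
    return sig is not None and hmac.compare_digest(sig, sign(name, answer))


class Zone:
    """The master directory: the only party able to sign answers for its names."""

    def __init__(self, label: str, records: Dict[str, str]):
        self.label = label
        self.records = records
        self.queries = 0  # counts how often the chain had to go all the way up

    def lookup(self, name: str) -> Answer:
        self.queries += 1
        answer = self.records.get(name, NXDOMAIN)
        return answer, sign(name, answer)  # even "no such name" is signed


class Resolver:
    """An address book / company directory: caches what it learned upstream.

    A name on the blocklist models SOPA-style filtering: the resolver answers
    "no such web site" itself, and cannot produce the zone owner's signature.
    """

    def __init__(self, label: str, upstream, blocklist=()):
        self.label = label
        self.upstream = upstream
        self.blocklist = set(blocklist)
        self.cache: Dict[str, Answer] = {}

    def lookup(self, name: str) -> Answer:
        if name in self.blocklist:
            return NXDOMAIN, None
        if name not in self.cache:  # not in the address book yet: ask upstream
            self.cache[name] = self.upstream.lookup(name)
        return self.cache[name]


def resolve_trusting(name: str, resolver: Resolver) -> str:
    """A client without DNSSEC: believes whatever its ISP's resolver says."""
    return resolver.lookup(name)[0]


def resolve_validated(name: str, resolvers) -> Tuple[str, str]:
    """A validating client: asks resolvers in order and accepts the first
    answer whose signature verifies; an unsigned denial is simply skipped."""
    for resolver in resolvers:
        answer, sig = resolver.lookup(name)
        if verify(name, answer, sig):
            return answer, resolver.label
    raise LookupError(f"no validated answer for {name}")


# Constructed zone data: reserved documentation addresses and .example names.
ZONE = Zone("master-directory", {
    "shop.example": "192.0.2.10",
    "blocked.example": "192.0.2.20",
})
US_ISP = Resolver("us-isp", upstream=ZONE, blocklist={"blocked.example"})
ABROAD = Resolver("resolver-abroad", upstream=ZONE)


def demo() -> dict:
    """Run the scenarios from the text and return the observable results."""
    results = {}
    results["shop"] = resolve_validated("shop.example", [US_ISP, ABROAD])
    before = ZONE.queries
    resolve_validated("shop.example", [US_ISP, ABROAD])  # repeat lookup
    results["served_from_cache"] = ZONE.queries == before
    results["blocked_trusting"] = resolve_trusting("blocked.example", US_ISP)
    results["blocked_validated"] = resolve_validated("blocked.example", [US_ISP, ABROAD])
    results["missing"] = resolve_validated("nope.example", [US_ISP, ABROAD])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second lookup of `shop.example` never reaches the zone (the ISP's cache answers), which is the address-book step of the analogy. The trusting client accepts the ISP's unsigned "no such web site" for `blocked.example`; the validating client rejects it for lack of a signature and keeps asking until the resolver abroad returns the signed address, while a genuinely missing name still validates because the zone signs its denial too.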

Hopefully you’ve followed all that. Please feel free to quote any or all of it in letters to your elected representatives. And now, a little irony to chuckle over.

Earlier this month, a Russian web site compiled a database of around 20% of the IP addresses using BitTorrent file sharing, along with the details of the files they were downloading. Investigation soon revealed something interesting. Someone at Sony Pictures movie studio had downloaded illegal copies of “Conan The Barbarian”, a movie owned by indie studio Lions Gate Entertainment. They had also downloaded Beavis and Butthead, owned by Viacom. Meanwhile, NBC Universal’s IP addresses had downloaded pirate copies of HBO’s “Game of Thrones”, and Fox Entertainment had pirated Paramount’s “Super 8”.

If SOPA were already in effect, Sony, Fox and NBC could have found their corporate web sites forced offline, with no trial, no notice, and no comeback. Do they realize this, or are they counting on the law not being enforced against them?

US vs UK

A US court has ruled that authorities cannot force people to incriminate themselves by divulging their encryption passwords.

This is in marked contrast to the UK, where the Regulation of Investigatory Powers Act (RIPA) makes it a crime to decline to hand over all your incriminating files if the police demand it. If the case doesn’t involve national security, you can be put in jail for two years. If it does, five years.

Of course, the authorities would only use that power if absolutely necessary to fight terrorism, right? Well, the first person to fall afoul of section III of RIPA was an animal rights protester. She claims she didn’t have any encrypted files.

Got any old encrypted e-mails for which you no longer have the key? RIPA has no limit; they can demand keys for files years old. Lost or forgotten the key? Someone sent you something encrypted with the wrong key? Off to jail you go.