" /> net.wars: May 2013 Archives

« April 2013 | Main | June 2013 »

May 31, 2013

Flow, sweet data, flow

It's very difficult to gauge the progress of the EU's attempt to reform the data protection directive, whose text is due to be agreed by the end of this year. Basically, it comes down to the difficulty of understanding what is going on in EU government at any given time. There seems to be more than 4,000 amendments (not exaggerating), an endless succession of committee votes, and little way to understand their order of precedence. Couple that general confusion over the EU's legislative process with the fact that a Mad Man trying his hardest could not have come with a term that sounded less engaging, and you have a subject that fights to get mainstream press attention.

At the beginning of the process, which will take until 2014 to complete, it hardly seemed to matter. A bunch of European regulators put forward plans to update the existing directive. The claim that reform was necessary seemed logical enough, since the directive was passed in 1995, when the Internet had only just been opened to commercial traffic, the Web was still a bunch of text pages listing links to other text pages, and the founder of Facebook was 11 years old. Yet what's opened up in the months since is the possibility that instead of a few tweaks and update we will get the substantial weakening of a law that offers European citizens some redress of the balance of power between themselves and the large organizations they transact with, often perforce.

The 1995 data protection principles have held up remarkably well, in large part because they *are* principles and not restrictions on specific technologies. Talk about robots and algorithm-driven decision making, for example, to a data protection expert and they're likely to see little difficulty in applying the principles to constrain potential damage to consumers and allocate liability. In that sense, the big change since 1995 isn't the advent of large, data-driven companies but global interconnection. In a world in which a public company the size of Netflix is built on Amazon's cloud services and, as Frances Cairncross predicted in 1997, distance is dead, the data you entrust to your local solicitor may be stored just about anywhere. How and where data may flow is one of the most contentious issues in the debates over reform, along with requirements for data breach notification.

Member states were required to transpose the directive into national law by October 1998 (the year Google was founded. By early 1999, as I see from my February 1999 piece for Scientific American (TXT)Simon Davies, then the executive director of Privacy International, went so far as to predict a trade war when US companies found themselves blocked.

"They fail to understand that what has happened in Europe is a legal, constitutional thing, and they can no more cut a deal with the Europeans than the Europeans can cut a deal with your First Amendment," he told me at the time.

Ah, yes, well, that was then. The EU and the US went on to negotiate a safe harbour agreement, and when the US wanted Passenger Name Record data the EU caved. Critical reports, such as this one from 2008 pop up in a search, and despite EU law, the US's big data data companies are demonstrating accelerating growth in the EU as elsewhere.

The EU law has been widely emulated. In 2000, Canada passed its equivalent law, PIPEDA. Meanwhile, the 2000s trend toward outsourcing means gave countries like India and the Philippines powerful motivation to copy the EU's data protection principles so they can sell call centers and other services to the EU. The US remains the outlier, stuck on its 15-year-old insistence on a free market approach - only now it has much bigger companies to finance lobbying efforts.

And there has been plenty of lobbying, both traditional and copy and paste. The latest, as the European Digital Rights Initiative documents, is questionable evidence built on assumptions that have no quantifiable basis.

It's a curious dissonance I wish someone would study in a PhD dissertation that data protection law has spread alongside increasing surveillance. Last week, Slate, under the influence of former Microsoft European privacy chief Caspar Bowden, argued that some amendments to the data protection directive have been written with US surveillance powers specifically in mind. Slate cites a report Bowden co-authored in January (PDF) studying the issues relating to cloud computing in the EU. Among the concerns raised by the report is the potential for the loss of control over the data stored in the cloud, as well as the fact that US companies offering cloud services are subject to the PATRIOT (2001) and the Foreign Intelligence Surveillance Amendments (2008) Acts. In other words, the US claims surveillance rights over EU citizens.

In other words: this dull-sounding labyrinthine process could cost EU citizens rights currently thought to be indelible. We'd better pay attention.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Stories about the border wars between cyberspace and real life are posted throughout the week at the net.wars Pinboard - or follow on Twitter.


May 24, 2013

Forcing functions

At last Saturday's OpenTech, perennial grain-of-sand-in-the-Internet-oyster Bill Thompson, in a session on open data, asked an interesting question. In a nod to NTK's old slogan, "They stole our revolution - now we're stealing it back", he asked: how can we ensure that open data supports values of democracy, openness, transparency, and social justice? The Internet pioneers did their best to embed these things into their designs, and the open architecture, software, and licensing they pioneered can be taken without paying by any oppressive government or large company that cares to, Is this what we want for open data, too?

Thompson writes (and, if I remember correctly, actually said, more or less):

...destruction seems like a real danger, not least because the principles on which the Internet is founded leave us open to exploitation and appropriation by those who see openness as an opportunity to take without paying - the venture capitalists, startups and big tech companies who have built their empires in the commons and argue that their right to build fences and walls is just another aspect of 'openness'.

Constraining the ability to take what's been freely developed and exploit it has certainly been attempted, most famously by Richard Stallman's efforts to use copyright law to create software licenses that would bar companies from taking free software and locking it up into proprietary software. It's part of what Creative Commons is about, too: giving people the ability to easily specify how their work may be used. Barring commercial exploitation without payment is a popular option: most people want a cut when they see others making a profit from their work.

The problem, unfortunately, is that it isn't really possible to create an open system that can *only* be used by the "good guys" in "good" ways. The "free speech, not free beer" analogy Stallman used to explain "free software" applies. You can make licensing terms that bar Microsoft from taking GNU/Linux, adding a new user interface, and claiming copyright in the whole thing. But you can't make licensing terms that bar people using Linux from using it to build wiretapping boxes for governments to install in ISPs to collect everyone's email. If you did, either the terms wouldn't hold up in a court of law or it would no longer be free software but instead proprietary software controlled by a well-meaning elite.

One of the fascinating things about the early days of the Internet is the way everyone viewed it as an unbroken field of snow they could mold into the image they wanted. What makes the Internet special is that any of those models really can apply: it's as reasonable to be the entertainment industry and see it as a platform that just needs some locks and laws to improve its effectiveness as a distribution channel as to be Bill Thompson and view it as a platform for social justice that's in danger of being subverted.

One could view the legal history of The Pirate Bay as a worked example, at least as it's shown in the documentary TPB-AFK: The Pirate Bay - Away From Keyboard, released in February and freely downloadable under a Creative Commons license from a torrent site near you (like The Pirate Bay). The documentary has had the best possible publicity this week when the movie studios issued DMCA takedown notices to a batch of sites.

I'm not sure what leg their DMCA claims could stand on, so the most likely explanation is the one TorrentFreak came up with: that the notices are collateral damage. The only remotely likely thing in the documentary to have set them off - other than simple false positives - is the four movie studio logos that appear in it.

There are many lessons to take away from the movie, most notably how much more nuanced the TPB founders' views are than they came across at the time. My favorite moment is probably when Fredrik Tiamo discusses the opposing counsels' inability to understand how TPB actually worked: "We tried to get organized, but we failed every single time." Instead, no boss, no contracts, no company. "We're just a couple of guys in a chat room." My other favorite is probably the moment when Monique Wadsted, Hollywood's lawyer on the case, explains that the notion that young people are disaffected with copyright law is a myth.

"We prefer AFK to IRL," says one of the founders, "because we think the Internet is real."

Given its impact on their business, I'm sure the entertainment industry thinks the Internet is real, too. They're just one of many groups who would like to close down the Internet so it can't be exploited by the "bad guys": security people, governments, child protection campaigners, and so on. Open data will be no different. So, sadly, my answer to Bill Thompson is no, there probably isn't a way to do what he has in mind. Closed in the name of social justice is still closed. Open systems can be exploited by both good and bad guys (for your value of "good" and "bad"); the group exploiting a closed system is always *someone's* bad guy.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted irregularly during the week at the net.wars Pinboard - or follow on Twitter.


May 17, 2013

Equality bytes

This week BT announced it would give free access for its residential broadband subscribers to its two sports channels (BT Sport 1 and BT Sport 2) plus US-based ESPN. Is this the moment the UK starts fighting, like the US, over network neutrality?

For years the received wisdom has been that the UK is too different. In both countries the legacy monopoly telecommunications supplier ran into deregulation in the mid-1980s. In the US, that began with the court-ordered break-up of AT&T, leading to the set of seven "Baby Bells", which have since merged back into three, much like the shards of the liquid metal man in Terminator 2. In the UK, it's been government policy to open up BT's network to competitors, and its behavior is closely scrutinized. That's harder to do in the US where so much happens at the state, rather than federal, level.

While both countries have large companies wishing to lock consumers into bundles that include broadband, telephone, mobile, and television, the average British Internet user who cares to look has probably dozens of choices of supplier, not all of whom buy their upstream bandwidth from BT Wholesale. The average American is lucky if they have two.

The bigger differences lie in the way television is funded and provided, partly because of the UK's entrenched public service broadcasting and partly because of geography. Given the US's size, in many areas either you have cable or a satellite dish or you don't have television at all because the nearest broadcast station is too far away. In the UK, terrestrial broadcast blankets the nation and the major broadcasters (BBC, ITV, Sky) have teamed up to offer free satellite (Freesat) and broadcast (Freeview) systems whose array of channels is entirely competitive with cable or paid satellite if you can do without the premium channels (mostly movies and sports). I cut the cord on cable a year ago in favor of Freesat plus an online subscription to the tennis tours.

Given this situation, it's not surprising if BT thinks it needs television content in order to compete effectively with Virgin and other ISPs.

In 2010, the BBC's Rory Cellan-Jones asked the network neutrality question about BT when BT Retail's commercial director referred in an interview about prioritizing network traffic so that television streams would reach consumers uninterrupted. There are, Ofcom told Cellan-Jones at the time, no rules against the widespread practice of traffic shaping, and let's face it: if you're watching a video stream or making a voice call it's a lot more important to get your packets immediately and continuously than if you're loading a Web page or reading your email.

In 2011, BT's announcement of Content Connect raised similar questions; that wholesale service was, again, intended to speed delivery of streaming video by using local servers - which sounds like the kind of content caching that goes on all over the place.

For me, what raised more questions was BT's announcement in June 2012 that it had paid £738 million for the rights to 38 Premier League football games and then in February 2013 that it had acquired ESPN's UK and Irish channels. These channels are the basis of BT Sport, which will broadcast a load of football, in direct competition with Sky (and, they tell me, some women's tennis). We are now talking about the country's most significant telecommunications infrastructure provider competing directly with other companies whose content it carries.

Accordingly, this is the announcement that to me is the serious one. The really vital thing in ensuring network neutrality is not banning practices that speed service but in avoiding giving dominant suppliers leverage over their competitors or incentives to break it. Otherwise, you get discriminatory service - exactly what the EU is investigating Google for This is the classic first principle of antitrust law: the owners of the means of distribution should not be allowed to also own the content that streams through it.

Two of the best-known cases under the US's 1890 Sherman Act illustrate the point perfectly: the break-ups of the movie studios and of Standard Oil. In the former, the movie studios were required to divest themselves of theater chains; in the latter, the company was broken up into dozens of smaller ones. As in the AT&T break-up, some of those smaller ones - Exxon and Mobil - have merged back together, but by the time they did the landscape had substantially altered.

In some of these cases you could argue that regulatory action was rendered unnecessary because new technologies were about to present them with new forms of competition. The AT&T break-up was in 1984 and separated local and long distance reveues; by 1990 the Internet would have begun threatening the latter anyway - although law professor Susan Crawford argues that the subsequent mergers have undone the break-up's competition benefits. Similarly, Paramount Pictures' break-up in 1949 was rapidly followed by the challenge of television.

We can't bet on such a radical change this time. Instead, BT may become a content supplier to other ISPs while, conversely, in the US Google is building out local fiber. Watch this space.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

May 10, 2013

The brewing war on some shapes

It's about time we had a new new-technology panic, and here it is. This week the US State Department invoked the International Traffic in Arms Regulations to demand the removal of design files for "The Liberator" gun from Defense Distributed's "island of misfit objects", Defcad.

Defcad started up in the summer of 2012 when Makerbot, the owner of the 3D printing design-sharing site Thingiverse, refused to host designs for firearms. Those who know Net history will see a parallel here to early Usenet, when the relatively small group who ran things refused to create rec.drugs and talk.drugs. Frustrated, Gorden Moffett, John Gilmore, and Brian Reid routed around the decision and created the alt hierarchy, and with it alt.drugs, alt.sex, and, for symmetry, alt.rock-n-roll, setting the tone for Internet defiance of centralized control. This episode was followed by such incidents as the many mirror sites set up to host Scientology secrets in 1995 and the so-called Streisand effect. And yet it still seems not to have landed. By the time the US State Department acted, the files had been downloaded 100,000 times, and they're now readily available on your favorite torrent site.

Society at large is not in any imminent danger from these downloads, certainly compared to the millions of (metal) guns sold in the US each year: it's the sort of thing people grab because they *can*, out of curiosity. Few have the resources to really use the files. See for example Philip Bump, who recounts in The Atlantic the impossibility of actually getting the thing printed. The Guardian's Charles Arthur writes that specialists approached by British newspapers refused to print the design for safety reasons.

Obviously it's not making plastic guns that's the issue; it's how to control who has them. This is the source of the panic, and the danger isn't the gun but the bad law people make when in that state of mind, particularly in the light of recent terrorist attacks.

The early proponents of 3D printing specifically, and additive manufacturing more generally, hope it will eliminate some transportation costs, use materials more efficiently, create utterly new possibilities, and enable customization. In their recent book, Fabricated, Cornell researcher Hod Lipson and technology analyst Melba Kurman talk about the three stages they believe 3D manufacturing will go through:

First we will gain control over the shape of physical things. Then we will gain new levels of control over their composition, the materials they're made of. Finally, we will gain control over the behavior of physical things.

Under the influence of Lipson and Kurman, the world is on the verge of becoming infinitely malleable. They seem particularly entranced by the prospects for food printing customized to provide the healthiest possible diet for a particular genotype and lifestyle and living human tissue. The Defcad launch video linked above, however, has a different set of excitements: the democratization of manufacturing items previously controlled by regulation or copyright, much as the Internet did to digital content. Per the video, the site's goal is making an "unblockable open-source search engine for all 3D-printed parts", bypassing industry and government to make "the important things" like "medical devices, drugs, goods, guns".This is the 2013 physical world equivalent of Timothy May's Crypto Anarchist Manifesto. (Except, of course, that faced with a government threat the site promptly voided its video promise of "No takedowns - ever".

I've long thought that the first phase, now rushing at us, would recapitulate, far less pleasantly, the copyright and content wars of the last 20 years of the Internet's development. When the Defcad link came up for discussion among a few members of the Open Rights Group advisory council, I said as much. Certainly, the market and uses are growing fast. Alan Cox, who posted some thoughts earlier today which call this takedown the beginning of "the unavoidable collision between speech and physical objects", had a different take.

Cox felt there were four areas government should think about: trademark enforcement, regulation to protect people in shared environments (such as roadways; never mind thoroughly tested self-driving cars; what about the guy who's printed a wheel?); health and safety education for maker communities; and the recyclability of materials. "I would be far more concerned about the number of people who end up injuring themselves on badly designed home 3D printed objects," he concluded. This all makes sense to me.

But the bigger thing governments should think about is what can sensibly be regulated, and for that they must first free their minds of thinking they know what *things* look like. In that discussion, Cox called guns "irrelevant and old-fashioned". The key change brought by 3D printing and other additive manufacturing technologies is that we are not limited to the constrained shapes of the past. They knew Defcad had firearms because Defcad said so. Criminals wouldn't be so helpful - and if we could reliably understand what a series of bits described we wouldn't be in so much trouble with respect to cybersecurity.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

May 3, 2013

Policy jam

There are two ways to approach fixing a complex system that everyone is unhappy with. One is to analyze the problem by asking what a fix would look like and then how to implement it. The other is to look at new technologies and ask how they can help.

In the case of government policy-making, the complaints are well-known and of long standing; they boil down essentially to the fact that policy is made by the few for the many, and there are always going to be disconnects in the interface between those two groups. The few may ignore, not understand, or not hear expert advice; the people most affected may not have a voice; entrenched prejudice may prove impossible to shake; the political climate may mean certain ideas simply will not be considered; or the resulting legislation may be derailed at the last minute by special interests. These difficulties are likely to remain no matter what mechanism you use for enacting legislation and no matter how you gather information and opinion beforehand. And the people don't always know best: in California, where the number of referendums turns the published voter instructions into something the size of a telephone book, popular policies may have adverse consequences that persist for decades after they become law.

The technology world has a weird and uneasy relationship with all this. Policy making is slow, which techies tend to hate. It's *governmental*, which libertarian techies tend to hate even more. Young upstarts simply ignore it by routing around it: the release of PGP onto the Internet in 1991, for example, up-ended entrenched policies on encryption. It's almost a sign investors could use that a technology company has reached the dreaded maturity when instead of bypassing laws by deploying new technologies it starts sending delegations to legislatures and hiring lobbyists.

It was therefore interesting to listen to the civil servants assembled for yesterday's London tea camp chew over short presentations from various people attempting to make real change in how policy-making happens in Britain. This is a discussion that I'd missed until now but that is taking place in a number of venues and reflects a broader plan for civil service reform that includes improving policy-making.

Among the major questions raised yesterday is how to broaden the range of information and participants: today's model of publishing consultations, collecting and collating responses, and then publishing reports and draft legislation attracts only the most dedicated respondents who then risk being thought of as cranks if they say the same thing too often even if they're both expert and right.

This is Anthony Zacharzewski's focus; his organization, Demsoc, aims to broaden participation. Government policy, he said yesterday, "has to be based on the best possible information. There are far more sources of information out there than policy-makers use." One of the things he complained about is speed: "People don't want to wait four years to change policy. We have to find people in the networks where they are already having conversations. They won't come to us."

And yet: policy-making isn't a speed trial. Policy that is going to affect a nation for decades to come should be implemented deliberately, slowly, and after careful thought.

Hannah Rutter, (Twitter: @openpolicyuk), from the Cabinet Office, struggles with the meaning of "open" in "open policy". "How to consult more widely is just one sliver," she said. "There's a broader piece about how to broaden the quality of the evidence we're getting - not just more academics and more think tanks - the people who are experiencing and delivering the services."

Other speakers are looking at how the civil service works, trying to use agile technologies to remake how policy is created, and running small, manageable experimental projects that can be shut down quickly and cheaply if they don't work. "If you're going to fail, fail fast," as Alice Newton (Twitter: @aliceenewton) put it.

That particular idea up-ends a characteristic of British government that the late Margaret Thatcher was especially keen on: policy begins at the center and propagates outward. The UK has no analogue to the US, where local government has its own revenue-raising powers and where therefore policies may start locally and then sweep the states before arriving at the federal level (data breach notification laws, for example, which started in California and worked eastward). Allowing the local authorities at the coal face to propose and test policies they want and let the successful ones percolate upwards would be a profound reversal of decades of increasing power at the center.

The more complex issue is harder to solve: how do you change the influence of money and promises of jobs that can sway and distort policy decisions, most notably but not solely in areas like copyright? It was the realization that policy-makers were simply not hearing the other side of the copyright debate that led Lawrence Lesssig to found a movement to counter that kind of influence. This is the problem open policy really has to tackle. Because: what politician will tell the nice man promising jobs in their local constituency to go away because a bunch of ragged-trousered posters on Twitter are opposed to the policy the nice man wants?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of the earlier columns in this series. Stories about the border wars between cyberspace and real life are occasionally posted at the net.wars Pinboard - or follow on Twitter.