June 24, 2016

Funny money

Is the blockchain a solution or a technology looking for a problem? At Tomorrow's Transactions Forum a couple of months ago, Michael Salmony argued forcibly that it's the latter. Distributed databases and consensus algorithms have been researched for 30 years, so what's the big whoop?

At last week's Trust in Digital World's blockchain event (PDF), I heard an answer: "What's new is proof of work," said Michael Huth, a computer science professor at Imperial College. Proof of work is the "mining" we talk about when trying to explain where bitcoins come from. Proof of stake sounds recursive and exclusive: you prove you have a stake - that is, money, if it's a financial system - in order to get your block accepted as valid and added to the blockchain.

For several years now there's been a lot of suggestion that the blockchain would be widely used in all sorts of ways by legacy systems and players. For that purpose, Huth said, solving proof of stake is vital because, as Alexandra Dmitrienko pointed out, proof of work is wasteful. The bitcoin network today consumes as much energy as 280,000 US households. Not going to scale, and hence the need for alternatives.

Both, according to Vitalik Buterin in Bitcoin Magazine in an analogy I find helpful, are essentially anti-spam measures. Except when you're talking about money the "spam" is fraud and can cost people real money. Last week, an attacker proved the point by draining ether tokens worth about $50 million from an automated blockchain-based investment fund called The DAO.

Bitcoin, Huth said, is trying to be a revolution; but it may wind up with the coexistence of reformation. It sounds abstract until you consider this in the context of last week's attack. The idea, as David Siegel helpfully explains at Medium, was to run a fully automated fund in which software in the form of "smart contracts" made all the decisions based on the rules programmed into it. It's nice, neutral computer code! What could possibly go wrong?

Cornell professor Emin Gun Sirer studied exactly this question and found a number of answers, which he published shortly before the fund opened for business with a call for The DAO to stop operating until the flaws were fixed.

The idea behind The DAO, as the BBC explains, was to create a fully autonomous fund owned by its participants, who put in money that, converted to ether tokens, could be spent to back start-ups that members voted on. Think a venture capital fund with less expense, less regulation, and no managers. It's arguable that what went wrong was really not the thing of setting up the experiment: that's what early adopters and new technologies are for, and there's not much wrong with that. What went wrong, really, is that everyone got a little too excited, and put in too much money: "While the agile approach of 'ready, fire, aim' generally works best with new software, it can be dangerous when $150 million gets loaded into the chamber," as Siegel put it.

Meanwhile, the attacker can't actually do much with the funds they've sequestered under an address only they control in a subfund "child DAO". The fund's governing rules enforce a 27-day delay on spending - which gives the Ethereum Foundation and its attendant community plenty of time to fight over what, if anything, should be done. Unlike most other types of software, where real money is involved governance has to grow up fast; Sirer told the BBC that coding things like this is "more similar to writing code for a nuclear power reactor, than to writing loose web code". The two main options are a soft fork, in which the address where the ether tokens are stored is blocked from spending them, or a hard fork, in which the blockchain is rolled back to before the attack and the community proceeds from there, erasing the intervening history. Meantime, in a second attack, carried out by Ethereum developers, the rest of the fund's money was diverted to a safe location (another couple of child DAOs) for its own protection, an effort the attacker intends to block.

Internet history keeps proving that every community has a value threshold above which it's become a significant enough target that abuse becomes a fact of life. In the past, humans have typically reacted by creating institutions and governance: money begat robbers, who begat banks, who begat bankers, who begat the Securities and Exchange Commission. The desire to substitute code for all that mishegoss is understandable. But it is staggeringly easy to screw up - with or without code - if the incentives and opportunities are wrong.

Siegel had what sounded like a sensible idea; he suggested the attacker should buy a bunch of ether, work with The DAO to return the money to the original token holders, and then they should dissolve The DAO. While they debate soft and hard forks, the wider blockchain community is finding itself considering questions like: whom do we bail out, and why? What kind of precedent does that set? How far do we let people proceed at their own risk? Does the coded contract rule supreme even when the code is flawed? These questions have to be answered no matter what kind of -ware is doing the governing.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

June 18, 2016

Staying in

The talking point going around the conference I'm attending in The Hague this week: no matter how the UK votes in the June 23 EU referendum, in 2017 Britain will nonetheless have to fulfill the following obligation: assume the EU presidency.

"Maybe we can get Scotland to do it," someone said brightly on discovering this. Two years ago, when the British media discovered this, they suggested the predecessor (Malta) or successor (Estonia) could serve a double term. "There is no provision in the treaty for a country leaving," said someone who sounded authoritative, cuing a string of zombie jokes. Philip K. Dick would have appreciated the UK's opportunity to negotiate its departure terms with itself.

Back in the UK, the absurd rhetoric both campaigns have unleashed evokes the ants in T. H. White's The Once and Future King, whose minds were fully occupied with mindless, endlessly recurring, universally broadcast propaganda. The pound will plummet! Buttinski foreigners are telling us to stay! Property prices will crater! And, my favorite: old people will lose their bus passes!

Until a few days ago, I didn't think I knew anyone who was voting to leave. Here, I'm seeing the sort of well-educated, well-traveled British folks who've actually probably personally benefited from Britain's EU membership shaking their heads and saying the EU is dying, corrupt, aging, outdated... Where's all that "better together" stuff we heard so much of when Scotland was voting?

All that said, this is serious business even though, like so many political events recently, it started as a kind of joke. The question here is the likely impact on net.wars-type topics - computers, freedom, and privacy - if Britain votes to leave.

An arriving Leave campaign leaflet listed among its complaints that EU decisions limit the UK government's anti-terrorism efforts. This is not what Europol says - and although I discovered in conversation earlier this week there are Remain voters whose minds this history would change, it's coincidentally a large part of why I hope Britain votes Remain.

Structurally, Britain's government is an elected dictatorship: given a sufficient Parliamentary majority the government of the day can do what it likes. In constructing the US government (which, unfortunately for my comparison, is currently paralyzed), the Founding Fathers sought to place compensating checks and balances on what the legislative branch could do. As a result, US governments have three legs: executive (the president), legislative (Congress), and judicial (the Supreme Court). Britain's structure places much more power in the hands of the prime minister and their party. That being the case, the EU seems to me to be really important in applying the brakes when you hope *someone* will.

It was the Court of Justice of the European Union (CJEU), for example, that handed down the Schrems decision that up-ended Safe Harbor and threw a wrench into the unimpeded flow of European citizens' data to the US. The CJEU also voided the data retention directive (PDF) in response to Digital Rights Ireland's complaint, ruling that the practice "interferes in a particularly serious manner with the fundamental rights to respect for private life and the protection of personal data."

Similarly, the European Court of Human Rights (ECtHR) ruled in Marper that it was wrong for the UK to keep the DNA samples given by innocent people.

It was only recently that I began to understand the complicated relationship between these two courts. For American readers, CJEU was put in place with the formation of the EU; ECtHR was established in 1959 to ensure the 47 signatories of the European Convention on Human Rights (ECHR) fulfilled their obligations. Britain was one of the leaders of the post-World War II effort to draft and adopt ECHR, which is an important force in ensuring that the citizens of those 47 countries continue to enjoy the fundamental rights they've been promised under the treaty. Even if you love this government and despise those judgments, you can surely imagine a future in which the reverse is true.

Ending its part in the EU collaboration, therefore, would leave Britain still accountable to ECtHR. However, this is not much comfort given prime minister David Cameron's stated desire to exit the ECHR as well if the UK can't veto the court's judgments. The May 2016 Queen's Speech announcement that "my government" will legislate a bill of rights is good news in the sense that Britain has never had such a written guarantee - but bad news if it is merely a stepping stone to hobbling the rights citizens have now under the treaty.

Even if the UK votes to leave, the dictates of international trade will mean many EU laws remain behind, laws into which Britain will have no input. One of these is data protection; an alienated UK will be an ignored presence while the EU negotiates with (primarily) the US. The same will be true of other trade laws, even those the tabloids mock.

As part of the EU, Britain is part of a global power - the only one strong enough to police privacy in the US - and a uniquely attractive position as a gateway to a very large market. On its own, especially if Scotland exits as many predict, it will have approximately the world clout score of the state of Texas - with less control over its own future.
