net.wars: September 2015 Archives


September 25, 2015

Cheat mode

I had a lot I wanted to say about the news that Volkswagen gamed its cars' software to give both their customers and environmental protection agencies what they want - better performance in the first case, less pollution in the second. However, James Grimmelmann, writing in (among others) Mother Jones, beat me to what I wanted to say about the dangers coming our way in a future full of hidden software that can change the physical world, and then Zeynep Tufekci covered my other point, asking whether we still think electronic voting is a pretty neat idea.

Grimmelmann's - and EFF's - concern is that current copyright law, specifically the Digital Millennium Copyright Act, makes it harder to catch such issues by restricting research. Well, sure: the law was created to serve the entertainment industries, primarily music, not a future of software inside everything of public import, from printer cartridges and cars to streetlights and medical devices. The EU's equivalent 2001 EU Copyright Directive has similar but not identical clauses that have been invoked to block the presentation of research from the University of Birmingham into cracking keyless car entry systems (the paper has since been published with some redactions (PDF)).

VW's is the kind of scandal that gives corporate malfeasance a bad name for generations to come. And it has company: this week's news that Exxon's own research confirmed global warming in 1982, the tobacco companies' long suppression of permitted to create their own impenetrable encrypted communications system, despite their history. It all goes to prove Simon Davies' contention, stated in an interview for a 1999 Scientific American article (TXT), "Companies are pathologically unable to punish themselves."

This is a roundabout lead-up to this week's notable but overshadowed story that the Advocate-General of the European Court of Justice, Yves Bot, has issued an opinion that the "safe harbor" agreement that allows personal data to be transferred from the EU to the US is invalid. Assuming the court follows Bot's advice - which I'm told it does approximately four-fifths of the time - we might be on the verge of the trade war Davies predicted in 1999. Companies like Google and Apple, which are more focused on individuals, may not be too severely affected, but how does a social media platform like Facebook manage users' international social graphs under a system that requires it to sequester EU citizens' personal data?

The CJEU case was brought by the Austrian lawyer and activist Max Schrems. Following the 2013 Snowden revelations, which made plain that EU citizens could not escape spying by the US authorities, Schrems decided to test whether the EU's data protection laws are in fact enforceable in practice. In 2014, he took his complaint to Ireland's data protection commissioner (where Facebook is based) and asked him to force the company to conform to EU law. He found widespread support; unlike the UK but like the US, Austria allows class action suits. From there, the case found its way to the CJEU.

Even in 1999, when safe harbor was agreed, privacy advocates were arguing that it was inadequate. Basically, it's a kludge. EU data protection law prohibits the transfer of personal data to countries that lack a similar level of privacy protection. The US doesn't. Safe harbor allows everyone to pretend it does by allowing companies to self-certify their compliance. The BBC counts more than 4,000 companies that use safe harbor and quotes Schrems calling this an unfair advantage over companies that are more tightly bound by privacy law. It would be good to see this claim stood up by research (of the kind few companies will permit). Instinctively, it seems reasonable: it's an imbalance comparable to allowing US companies to sell into the EU without collecting VAT, giving them a substantial price advantage over EU-based companies, a loophole that's been closed.

At least one American commentator - Lauren Weinstein - has called the ruling hypocritical, on the basis that the EU is perfectly happy to spy on its own citizens. He's missing the point. An Austrian citizen who believes their privacy has been invaded by their own government has means of recourse: filing a court case or freedom of information requests, spearheading civil protests, campaigning, voting. There are no such means of recourse for a foreign national in the US. Plus, this isn't a case the government brought: Schrems has noted that the Irish data protection commissioner's office did their best to avoid bringing the case, answering Schrems' 22 complaints with a best-practice audit rather than a prosecution.

"[Americans] fail to understand that what has happened in Europe is a legal, constitutional thing, and they can no more cut a deal with the Europeans than the Europeans can cut a deal with your First Amendment," Davies said in 1999. That was before they started secretly negotiating treaties intended to bypass domestic, democratically enacted law. Alongside the provisions in nascent treaties such as the Transpacific Partnership are equally contentious, business-backed attempts to bypass data protection law by prohibiting requirements for local storage (PDF). For our benefit, I'm sure. Like breathing particulates.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

September 19, 2015

Old school

"Who are the people?" asked Phillip Vlahogiannis at this week's Hybrid City conference in Athens. Vlahogiannis is the mayor of the City of Yarra, a section of the suburbs of Melbourne, where a strong Vietnamese subculture and a small remnant of the Wurundjeri tribe are overshadowed demographically by the descendants of European immigrants - British, Greek, Italian. One reason he asked was this year's subtitle, "Data to the People".

Which people, what data, and for what purpose? On show were a variety of projects taking a more citizen-centric approach to the smart cities we're told lie in our mutual future. Or, rather, as many speakers called it, "the" future.

The future. The smart city. The public interest. Why is there only one of each of these, and not many? someone asked. A good question: is this a science fiction film, which imagines everyone will dress exactly the same?

This is a group for whom "smart cities" are a questionable prospect: they'd like their cities to be smart, all right, but "smart as in people" rather than "smart" as in our master's technology. Speaking on urban myths of open data, Christian Ulrik Andersen had a pair of images that summed up the problem: one, a medieval wall with an open archway, the other an Apple office building, all glass with lighted cubicles clearly visible. One is transparent but entirely closed, one is opaque and walled off (and a little intimidating) but, now that no guards are posted, allows open access. Is either what we want?

Martijn de Waal, who talks of hacking the city with the relish of a 1988 teen discovering the internet, also had a pair of perfectly matched images: an Albert Kahn photograph of Paris, 1914, when the newly literate populace wrote directly onto their buildings to advertise what could be found within, and a mock-up of today's augmented reality, in which every building has reviews and user ratings. The key difference, of course, is the shared experience in 1914, versus the personalized one of today. This is frightening in its own way: what society will we have if we can filter-bubble our real environments?

An Amsterdam University project set about studying how interlinked an Amsterdam square mile's worth of businesses were. They used three data sources: the Chamber of Commerce database of companies; images from Instagram, Google, and Panoramio; and check-ins from Foursquare. Each had its distinctive bias: the Chamber of Commerce data was "old and stale": people never updated anything. Foursquare was full of sports facilities: "I'm working out!". The images tended to be of boutiques.

At the awesome end of the spectrum was the University of Buffalo's Mark Böhlen, for whom data collection and analysis was only the beginning of getting people in a small village in Indonesia better water. Increasing density had led to contamination of the water wells; data proved how bad. Two years later, a local café advertises drinks made with the water drawn from the well Böhlen's team helped build, which is self-sustaining. What good is data if it does not lead to action?

This was my difficulty with another Amsterdam project, presented by Wouter Meys, that asked citizens to annotate their neighborhoods when out walking. Meys noted the many variables posed difficulties in designing, and that they struggled to keep people motivated over time. The latter seems simply solved: show them follow-through. See the eight-year-old FixMyStreet.

It's becoming increasingly hard not to view social media as a setback: the data generated, particularly on public systems like Twitter, is like crack to researchers. But, as in the just-mentioned project, you can only get answers to the questions you think to ask (from your biased point of view), and then only from the self-selected bunch who use those sites. Twitter, for example, will give you a demographic skewed towards journalists. Don't we already know what those chatterboxes think? Lacking social media, you might try something more reliable: aerial photography is expensive, true; the Local Data Company puts sensors in shop windows to measure footfall. Mike Phillips' "landscape of sentiment", found by analyzing tweets, may not be, as Tarleton Gillespie has written elsewhere, measuring anything real, looking at ourselves instead of outward.

"It's not about smart cities, it's about smart citizens," Phillips said, noting the disempowerment of a roomful of cold people unable to turn down the air conditioning. "Institutionalization of the infrastructure has a huge impact on us."

Back up 5,000 years. Athens is simultaneously hosting an exhibit of ancient Greek machinery. Anyone who thinks mankind has gotten smarter should see the stuff the ancients invented from scratch before electricity or steam: gizmos for measuring astronomical distances and latitudes, cranes, pantographs, and some wonderful magic tricks one can only call "rich people's toys", including an automated theatre, a water-powered singing bird, and even what must be the first-ever humanoid robot, dated to approximately 300 BC. Seeing that, it's easy to believe, as a (non-Greek) friend always tells me, that the Greeks had everything all figured out. Was the Athens of their day the smartest city?

"This is where everyone used to vote," a local friend said, pointing out the agora, the "home of democracy". Everyone, that is, who was a male citizen - at Wikipedia's best guess, about a fifth of Athens' then-population. Inclusion is one problem they never tried to solve.


NB: The date of the servant robot of Philon has been corrected to 300, rather than 3,000.

September 11, 2015

Coining it

A former editor of mine explained to me once that one of the staples of British journalism is the forking subculture. He had a point: the pattern holds wherever you look, from fans of a particular TV show to sports associations. Now the fork threatens bitcoin, as the community debates an alteration to the underlying code.

I am on record as skeptical about bitcoin as a currency, and given that its price in US dollars has gone from 8.5 cents in 2010 to over $900 in early 2014 to around $235 now, I still feel justified. But what has emerged more clearly in the last couple of years is that what we refer to as "bitcoin" is really two things: bitcoin-the-currency and the blockchain, the public, distributed ledger of transactions.

For months, as reports such as this from Business Insider began warning a month ago, some of the leading names in bitcoinworld have been arguing over whether to increase the size of the blocks that make up the distributed public ledger at the heart of bitcoin - the blockchain. The limit currently in place was put there in 2010 as a temporary method for deterring spam and DDoS attacks while the network grew, but the plan was always to scale up as the number of transactions grew. Opponents of Bitcoin XT - the expanded block size version - see the proposals as an attempted coup that will result in the very centralization bitcoin was supposed to up-end - the connection being the claim that bigger blocks will require nodes to have more processing power and bigger bandwidth. Gavin Andresen, the MIT scientist introducing the change, disputes this interpretation. Ultimately, the decision about how to go forward is meant to be settled by the equivalent of a vote. If 75% of servers have adopted XT by January 11, the rest are supposed to follow suit. If they don't...it opens up the possibility that the same bitcoin could be spent twice, once on each fork of the blockchain, eradicating the most important element of this and every other monetary system: trust.

One of Andresen's points is that this type of situation was faced once before, and bitcoin survived. The story is told in detail in Nathaniel Popper's recent book, Digital Gold: the Untold Story of Bitcoin. As told by Popper, in March 2013 computers on the network disagreed over which block they were trying to mine. The cause was a software update: computers running the older software were rejecting blocks created by computers running the newer version. In this case, everyone agreed to revert to the older software and drop the coins minted since the update; the change cost the large mining pool BTC Guild over $5,000.

The Bitcoin universe was a lot smaller then, and so were the stakes: the BTC150 to 200 the move cost BTC Guild then would be worth something over $35,000 at today's prices. As the number of bitcoin users continues to grow, the interests and motives of those users will continue to diversify. An open letter from a group of bitcoin developers asks the community to use upcoming meetings to build consensus. The community may still be small enough for that to work.

Money, as Felix Martin explained in Money: the Unauthorised Biography, is three things: a universal unit of value, an accounting system, and an authority that backs the whole thing and makes it scale. In the case of bitcoin, the wild fluctuations in its price against nation-state currencies make it an iffy store of value; its safest use (for a fiscal coward like me) is as a temporary stepping stone. The young company Bitpesa does exactly that: you use your local currency to buy bitcoin, hand it off to Bitpesa, and it hands off local currency again to recipients in Kenya or Tanzania. At a 3% transaction fee, Bitpesa claims to be the cheapest way to send money to Africa. The accounting system side - the blockchain - looks set to become an important and disruptive platform for many types of financial transactions, as Preston Byrne, the CEO of Eris Industries, explained at this year's Tomorrow's Transactions Forum, calling the blockchain "a system for agreeing the truth".

For its earliest users, including disappeared inventor Satoshi Nakamoto, the whole point was to eliminate central authorities - only to find, as Popper notes, that ordinary users flocked to centralized wallets. One of the things Popper does well in his book is show the different reasons why people embraced bitcoin: US libertarians seeking a better version of gold to avoid government control; Argentinians facing rampant inflation, to whom anything looked better than the peso; China's gambling-loving culture. But bitcoin isn't at the beginning any more, and many more recent arrivals on the scene have a different set of motivations. Building solid, long-term businesses requires working with regulators instead of opposing their existence on principle.

Bitcoin today is something that isn't on Martin's list: it's a community. It won't be able to stay that way. Community does not scale.


September 4, 2015

The MacGyver complex

"Do you want to be MacGyvers?" In a fascinating lecture this week, given as part of Royal Holloway's annual Smart Card Centre open day, University of Tulsa professor Sujeet Shenoi demonstrated the work he and his Cyber Corps team do to extract information from the weird and wacky devices used by criminals. No photographs were allowed: real devices, used in real crimes! And here we find out that just as there's an arms race in software (you make stealthier malware, I come up with cleverer ways to block it, so you make even smarter stuff, and...) there's one going on in hardware obfuscation. Not just, as security writer Brian Krebs keeps documenting, that people keep inventing ever-cleverer and harder-to-detect devices. One of Shenoi's gadgets began as a set of headphones with an embedded MP3 player purchased from Skymall; the MP3 player was then attached to an ATM to record the data on cards' magnetic stripe as audio files; Krebs describes a similar device.

But the people who make the gadgets that land in Shenoi's lab are aware that at some point they may be investigated in detail using techniques like forensic desoldering and they have access to manufacturers' assistance to reverse-engineer pinouts. So part numbers are burned off with acid or covered with paint, and the boards are covered and underfilled with epoxy so investigators will struggle to take them apart to access the innards. No wonder Shenoi needs his degrees in chemical engineering as well as computer science: they use lasers and chemicals such as DMSO and MEK to attack such gambits. They have recovered information from buried and burned phones and broken SIM cards, and 3D-printed tiny JTAG connectors to plug into the broken-off ports on boards to get at the 0s and 1s encoded in the chip. A 2010 case in which an ATM skimmer swallowed a USB drive raised the question of the effect of stomach acids on electronic circuitry, a study that sounds like an Ig Nobel award waiting to happen. My guess is that criminals know their inventions won't permanently defeat investigators, and that their goal is to extend as long as possible the window of time during which they can go on profiting from these devices to the tune of $1 to $5 million a week.

"It's old-time science," Shenoi said.


In various discussions of the HIV clinic that emailed 780 of its patients with all their email addresses exposed, several points have emerged. The first is that medically - the reason for its existence - the clinic has an extraordinary record of excellence. The second is that the instinctive reaction to blame the person whose finger was on the Send button may be unfair: quite often "modern" email software doesn't make it easy or obvious how to send individual group emails. This is one of many cases where it's worth remembering that people *can*, when software-deprived and in a hurry, make mistakes. The better option is generally to improve the software so that doing it right is the easiest possible option, but also to see such mistakes as part of a complex system that has typically accreted rather than being designed. Fixing the human or designing them out entirely is rarely a complete solution.


I have been sporadically and incompletely following the strange story of what can only be described as a Distributed Denial of Service attack on the Hugo awards that involved slates of candidates and block voting. For 60-plus years, the Hugo awards have been amiably voted on by fans who have paid the fee to join the year's World Science Fiction Convention. They are everything you'd want fans' choice awards to be: voted on by knowledgeable, passionate readers spending their own money. This year, as millions of words in blogs and articles - such as The Daily Beast's summary, and Wired's wrap-up, and discussions hosted by Teresa and Patrick Nielsen Hayden and Charlie Stross. Some solutions have been suggested. One, E Pluribus Hugo, has been adopted with the intention of closing off this year's particular exploit for future years. The cost for this year, however, is that when fans rebelled against the slates many categories were voted "no award", and the likelihood is that by being crowded out of the nominations some deserving authors lost out on the recognition they might otherwise have received.


Not technology-related: I commend to you Show Me a Hero, the new HBO miniseries by David Simon (best known for The Wire and Treme), based on the eponymous 1999 book by New York Times journalist Lisa Belkin. The series expertly chronicles the ugly, angry late-1980s dispute over desegregating housing in Yonkers, New York, which saw the city ordered by US federal judge Leonard B. Sand (Bob Balaban) to pioneer scattered-site public housing. The series makes explicit a theme that is visible in today's "neutral" big data systems: years of exclusion, deprivation, and prejudice embedded in the infrastructure (or the data) indicate patterns that become the coded basis for resisting change. Big data is a result; it's bad hoo-doo to turn it around and make it a cause.
