net.wars: February 2018 Archives


February 16, 2018

Data envy

While we're all fretting about Facebook, Google, and the ecosystem of advertisers that track our every online move, many other methods for tracking each of us are on the rise, sprawling out across the cyber-physical continuum. You can see the world's retailers, transport authorities, and governments muttering, "Why should *they* have all the data?" CCTV was the first step, and it's a terrible role model. Consent is never requested; instead, where CCTV's presence is acknowledged it comes with "for your safety" propaganda.

People like the Center for Digital Democracy's Jeff Chester or security and privacy researcher Chris Soghoian have often exposed the many hidden companies studying us in detail online. At a workshop in 2011, they predicted much of 2016's political interference and manipulation. They didn't predict that Russians would seek to interfere with Western democracies; but they did correctly foresee the possibility of individual political manipulation via data brokers and profiling. Was this, that workshop asked, one of the last moments at which privacy incursions could be reined in?

A listener then would have been introduced to companies like Acxiom and Xaxis, behind-the-scenes swappers of our data trails. As with Equifax, we do not have direct relationships with these companies, and as people said on Twitter during the Equifax breach, "We are their victims, not their customers".

At Freedom to Tinker, in September Steven Englehardt exposed the extent to which email has become a tracking device. Because most people use just one email address, it provides an easy link. HTML email is filled with third-party trackers that send requests to myriad third parties, which can then match the email address against other information they hold. Many mailing lists add to this by routing clicks on links through their servers to collect information about what you view, just like social media sites. There are ways around these things - ban your email client from loading remote content, view email as plain text, and copy the links rather than clicking on them. Google is about to make all this much worse by enabling programs to run within email messages. It is, as they say at TechCrunch, a terrible idea for everyone except Google: it means more ads, more trackers, and more security risks.
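The mitigations above are easier to apply when you can see what a message would fetch or report. As an added example (not from this column or the research it cites), this Python sketch lists the web requests and links in an HTML email and flags any URL carrying the recipient's address in plaintext or as an MD5, SHA-1 or SHA-256 hex digest. The sample message, its hostnames and the choice of encodings to look for are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Tags whose URL is fetched automatically when the message is rendered.
AUTOLOAD = {"img": "src", "link": "href", "script": "src", "iframe": "src"}

def address_tokens(address):
    """Forms of the address to look for in URLs (assumed encodings)."""
    addr = address.strip().lower()
    tokens = {"plaintext": addr}
    for name in ("md5", "sha1", "sha256"):
        tokens[name] = hashlib.new(name, addr.encode()).hexdigest()
    return tokens

class EmailAudit(HTMLParser):
    def __init__(self, recipient):
        super().__init__()
        self.tokens = address_tokens(recipient)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in AUTOLOAD:
            self._check(a.get(AUTOLOAD[tag]), "loads-on-open", a)
        elif tag == "a":
            self._check(a.get("href"), "click", a)

    def _check(self, url, kind, a):
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # mailto:, cid: and relative URLs make no web request
        decoded = unquote(url).lower()
        leaks = sorted(n for n, t in self.tokens.items() if t in decoded)
        pixel = (kind == "loads-on-open" and a.get("width") == "1"
                 and a.get("height") == "1")
        self.findings.append({"host": urlsplit(url).hostname, "kind": kind,
                              "pixel": pixel, "leaks": leaks})

def audit(html, recipient):
    parser = EmailAudit(recipient)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample message; hosts use the reserved .example TLD.
SAMPLE_RECIPIENT = "reader@example.org"
SAMPLE_HTML = """<html><body><p>Weekly newsletter</p>
<img src="https://cdn.news.example/logo.png" width="200" height="50">
<img src="https://t.tracker.example/o.gif?u={md5}" width="1" height="1">
<a href="https://click.news.example/r?to=https%3A%2F%2Fshop.example%2Fsale&amp;e=reader%40example.org">Sale</a>
<a href="mailto:editor@news.example">Contact</a>
</body></html>""".replace("{md5}", address_tokens(SAMPLE_RECIPIENT)["md5"])

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, SAMPLE_RECIPIENT):
        print(finding)
```

Entries marked `loads-on-open` are the requests that blocking remote content or reading as plain text prevents; `click` entries are the redirector links that copying the destination avoids.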

In December, also at Freedom to Tinker, Gunes Acar explained that a long-known vulnerability in browsers' built-in password managers helps third parties track us. The browser memorizes your login details the first time you land on a website and enter them. Then, as you browse on the site to a non-login page, the third party plants a script with an invisible login form that your browser helpfully autofills. The script reads and hashes the email address, and sends it off to the mother ship, where it can be swapped and matched to other profiles with the same email address hash. Again, since people use the same one for everything and rarely change it, email addresses are exceptionally good connectors between browsing profiles, mobile apps, and devices. Ad blockers help protect against this; browser vendors and publishers could also help.

But these are merely extensions of the tracking we already have. Amazon Go's new retail stores rely on tracking customers throughout, noting not only what they buy but how long they stand in front of a shelf and what they pick up and put back. This should be no surprise: Recode predicted as much in 2015. Other retailers will copy this: why should online retailers have all the data?

Meanwhile, police in Wales have boasted about using facial recognition to arrest people, matching images of people of interest against both their database of 500,000 custody images and live CCTV feeds, while the New York Times warns that the technology's error rate spikes when the subjects being matched are not white and male. In the US, EFF reports that according to researchers at Georgetown Law School an estimated 117 million Americans are already in law enforcement facial recognition systems with little oversight.

We already knew that phones are tracked by their attempts to connect to passing wifi SSIDs; at last month's CPDP, the panel on physical tracking introduced targeted tracking using MAC addresses extracted via wifi connections. In many airports, said Future of Privacy Forum's Jules Polonetsky, Blip Systems deploys sensors to help with logistical issues such as traffic flow and queue management. In Cincinnati, says the company's website, these sensors help the Transportation Security Agency better allocate resources and provide smoother "passenger processing" (should you care to emerge flat and orange like American cheese).

Visitors to office buildings used to sign in with name, company, and destination; now, tablets demand far more detailed information with no apparent justification. Every system, as Informatica's Monica McDonnell explained at CPDP, is made up of dozens of subsystems, some of which may date to the 1960s, all running slightly different technologies that may or may not be able to link together the many pockets of information generated for each person.

These systems are growing much faster than most of us realize, and this is even before autonomous vehicles and the linkage of systems into smart cities. If the present state of physical tracking is approximately where the web was in 2000...the time to set the limits is now.


Illustrations: George Orwell's house at 22 Portobello Road, London.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 9, 2018

RIP John Perry Barlow (1947-2018)

There's a certain irony about the fact that John Perry Barlow, who styled himself "cognitive dissident" and whose early 1990s writings set the tone of so much discourse about the internet and inspired so many thousands of activists, has died in the same week that Conde Nast has put up a paywall around Wired, the magazine of record of that era. If you haven't crossed the free limit, I can recommend Steven Levy's obit.

I first encountered Barlow when I began writing about computer crime, around 1990, and called the office of the newly formed Electronic Frontier Foundation, which Barlow co-founded with John Gilmore and Mitch Kapor. A chat with Mike Godwin produced, soon afterwards, a fat paper folder of Barlow's founding documents, "Crime and Puzzlement", parts one and two, along with a Harper's Forum discussion of computer hacking and the disproportionate law enforcement response. The first Computers, Freedom, and Privacy to get hackers and law enforcement talking to each other soon followed. I finally met the man himself at my first CFP in 1994.

Barlow's ideas are everywhere in modern internet activism. The EFF itself became a role model for dozens of other digital rights organizations across the world, including Britain's Open Rights Group, which was originally pitched as "a British EFF". The Economy of Ideas: Selling Wine Without Bottles, written in 1992-1993, discusses the "crisis in intellectual property" and how creators will make a living, issues still with us today. EFF has a helpful archive of his internet-related writing, and all of it is worth reading whether or not you agree with him or think, as Barlow claimed Kapor did, that he needed a hyperbolectomy.

His most famous piece, A Declaration of the Independence of Cyberspace, met with embarrassment from many of us when he wrote it in 1996. Yet of everything he wrote it's the one that is still the most widely cited, critiqued, and discussed. To many of us at the time the notion that government had no role to play in cyberspace was either naive or too libertarian for words. In a contemporaneous critique, Reilly Jones (PDF) said Barlow's vision would lead inexorably to universal tyranny. It was clear in conversation with Barlow that he thought the internet was creating libertarians by the million, but I thought government regulation would be an inevitable consequence of ecommerce, and that people would be quick to welcome it to protect them from fraud, theft, and other crimes.

It was clear to anyone who'd talked with him, though, that the ideas he expressed in A Declaration were not the work of a moment's anger at the passage of the Communications Decency Act as part of the 1996 Telecommunications Act. In April 1995, in an interview for the Guardian, he told me, "Cyberspace is naturally sovereign for a variety of reasons...If the terms and conditions of the place are so different from the terms and conditions of the colonial power, sooner or later it becomes obvious that it makes better sense for it to be self-ordering or self-governing." His example was the British Empire: "One of the things that happened quite frequently with the British empire is that Britain realised that from a purely economic standpoint its self-interest was better served by a more or less equal relationship with the former colony as a member of the Commonwealth rather than having it as being an ungovernable, restless, and angry colony. And that analogy applies very well in this instance, because the citizens of cyberspace are going to become more restless and intractable as time goes on, and less willing to be governed by terrestrial principles."

So it's no surprise that 20 years later, Barlow told Wired he stood by its central concept: that cyberspace has a "natural immunity" to nation-state interference. Around the same time he called Wikileaks a "foreign power".

The world he wrote about has both changed and stayed the same. "Cyberspace" dates his views terribly: it's an increasingly meaningless concept to those who've never had to wait to connect, and for whom everything they do online is inextricably entangled with their physical lives. Many younger people are not, as they're so often called, "digital natives", but people to whom the internet has always been a giant surveillance platform delivering cat videos and homework. Yet the battles he wrote about - the right to use encryption, copyright, privacy, openness - are all still being hammered out all around us. So is the key piece of the reason to found the EFF, which he expressed in Crime and Puzzlement, part 2, as "to ensure that the Constitution will continue to apply to digital media". Politicians have long been fond of saying that what is illegal offline should be illegal online, but are less fond of saying the equally important converse: what is legal offline should be legal online.

In his obit for TechDirt, Godwin suggests that in dissecting Barlow's A Declaration we all missed the point. Barlow, he writes, "was writing to inspire activism, not to prescribe a new world order, and his goal was to be lyrical and aspirational, not legislative." In that, Barlow certainly succeeded.


Illustrations: John Perry Barlow.


February 2, 2018

Schrödinger's citizen

One of the more intriguing panels at this year's Computers, Privacy, and Data Protection (obEgo: I moderated) began with a question from Peter Swire: Can the nationality of the target ever be a justified basis for different surveillance rules?

France, the Netherlands, Sweden, Germany, and the UK, explained Mario Oetheimer, an expert on data protection and international human rights with the European Union Agency for Fundamental Rights, do apply a lower level of safeguards for international surveillance as compared to domestic surveillance. He believes Germany is the only EU country whose surveillance legislation includes nationality criteria.

The UK's Investigatory Powers Act (2016), parts of which were struck down this week in the European Court of Justice, was an example. Oetheimer, whose agency has a report on fundamental rights in surveillance, said introducing nationality-based differences will "trickle down" into an area where safeguards are already relatively underdeveloped and hinder developing further protections.

In his draft paper, Swire favors allowing greater surveillance of non-citizens than citizens. While some countries - he cited the US and Germany - provide greater protection from surveillance to their own citizens than to foreigners, there is little discussion about why that's justified. In the US, he traces the distinction to Watergate, when Nixon's henchmen were caught unacceptably snooping on the opposition political party. "We should have very strong protections in a democracy against surveilling the political opposition and against surveilling the free press." But granting everyone else the same protection, he said, is unsustainable politically and incorrect as a matter of law and philosophy.

This is, of course, a very American view, as the late Caspar Bowden impatiently explained to me in 2013. Elsewhere, human rights - including privacy - are meant to be universal. Still, there is a highly practical reason for governments and politicians to prefer their own citizens: foreigners can't vote them out of office. For this reason (besides being American), I struggle to believe in the durability of any rights granted to non-citizens. The difference seems to me the whole point of having citizens in the first place. At the very least, citizens have the unquestioned right to live and enter the country, which non-citizens do not have. But, as Bowden might have said, there is a difference between *fewer* rights and *no* rights. Before that conversation, I did not really understand about American exceptionalism.

Like so many other things, citizenship and nationality are multi-dimensional rather than binary. Swire argues that it's partly a matter of jurisdiction: governments have greater ability and authority to ask for information about their own citizens. Here is my reference to Schrödinger's cat: one may be a dual citizen, simultaneously both foreign and not-foreign and regarded suspiciously by all.

Joseph Cannataci disagreed, saying that nationality does not matter: "If a person is a threat, I don't care if he has three European passports...The threat assessment should reign supreme."

German privacy advocate Thorsten Wetzling outlined Germany's surveillance law, recently reformulated in response to the Snowden revelations. Germany applies three categories to data collection: domestic, domestic-foreign (or "international"), and foreign. "International" means that one end of the communication is in Germany; "foreign" means that both ends are outside the country. The new law specifically limits data collected on those outside Germany and subjects non-targeted foreign data collection to new judicial oversight.

Wetzling believes we might find benefits in extending greater protection to foreigners than accrues to domestic citizens. Extending human rights protection would mean "the global practice of intelligence remains within limits", and would give a country the standing to suggest to other countries that they reciprocate. This had some resonance for me: I remember hearing the computer scientist George Danezis say something to the effect that, since we all have few nationalities, at any given time we can be surveilled by a couple of hundred other countries. We can have a race to the bottom...or to the top.

One of Swire's points was that one reason to allow greater surveillance of foreigners is that it's harder to conduct. Given that technology is washing away that added difficulty, Amie Stepanovich asked, shouldn't we recognize that? Like Wetzling, she suggested that privacy is a public good; the greater the number of people who have it the more we may benefit.

As abstruse as these legal points may sound, ultimately the US's refusal to grant human rights to foreigners is part of what's at stake in determining whether the US's privacy regime is strong enough for the EU-US Privacy Shield to pass its legal challenges. As the internet continues to raise jurisdictional disputes, Swire's question will take its place alongside others, such as how much location should matter when law enforcement wants access to data (Microsoft v. United States, due to be heard in the US Supreme Court on February 27) and countries follow the UK's lead in claiming extraterritorial jurisdiction over data and the right to bulk-hack computers around the world.

But, said Cannataci in disputing Swire's arguments, the US Constitution says, "All men are created equal". Yes, it does. But in "men" the Founding Fathers did not include women, black people, slaves, people who didn't own property.... "They didn't mean it," I summarized. Replied Cannataci: "But they *should* have." Indeed.


Illustrations: The panel, left to right: Cannataci, Swire, Stepanovich, Grossman, Wetzling, Oetheimer.
