" /> net.wars: November 2013 Archives

« October 2013 | Main | December 2013 »

November 29, 2013

The learning channel

On the eve of London's CryptoFestival, as everyone gears up to reconnect with their inner cypherpunk, it seems like a good moment to assess what we've learned over the last five months of revelations from the Snowden documents. Not what we've learned from the documents themselves; you can read all that over at the Guardian. I mean the lessons of it all.

When the intelligence agencies and law enforcement ask for new powers because the progress of technology is making it hard for them to do their jobs...they mean that they are already doing the things they're asking permission for and, like most people, they'd rather not have to lie about it. Kind of like your significant other saying they'd like to see other people. As Phoebe said on Friends all those years ago, it means, "Ha, ha, I already am!" (Season 1, episode 3, "The One with the Thumb"). Once the statutes are on the books, of course, they're free to push the next boundary. Which means...

...that at the highest level, the intelligence agencies and law enforcement are always operating a step or two beyond what the law allows them to do, building the systems they want while at the same time pushing for the law to be updated to make them legal. Unfortunately, most of the tradition of detective shows all the way back to Sherlock Holmes, tends to normalize this mode of behavior and dub it heroic. Our scripted dramas revere the maverick, the unstable genius, the misfit who pushes the boundaries and is always eventually right. From Carrie Mathison (bipolar, brilliant and unstoppable) on Homeland, Jack Bauer (torturer for truth and the American Way) on 24, and Reddington (omniscient, clever, and criminal) on The Blacklist to the more cerebral geniuses on Monk, Numb3rs , and Person of Interest, you'd be hard-pressed to find one who solves the toughest cases by following the rules. In fiction, defying authority makes for drama and conflict and engages the audience's root-for-the-underdog instincts. In real life, I have no doubt that pushing the envelope seems entirely justifiable: if I were the person who bears the weight of the nation's security on my shoulders it probably would to me, too.

The "safe harbour" agreement between the EU and the US over the transfer of data was as much of a bandaid as it seemed at the time. This is the agreement that gave US businesses a get-out-of-jail-free card given that the country does not have the standard of data protection laws that would normally allow EU organizations to transfer data there. Basically, under the arrangement US companies are allowed to sign up to a set of principles and self-certify their compliance. Unfortunately, the proposed changes won't actually stop US federal agencies from accessing your data - but they will require companies to inform you in their privacy policies if that's a risk you're taking on when you give them your data.

Loss of trust is expensive. Estimates of the impact on the businesses of Internet companies like Google, Apple, Facebook, and Yahoo! run between $35 billion and $185 billion a year - granted, a pretty wide range, but not cheap even at the bottom of it. Plus, which I'm sure didn't occur to the US experts quoted in the story, all that wasted money lobbying to derail data protection reform in the EU.

We can - and have already started to - upgrade infrastructure to make it more resistant to surveillance, for example by increasing the length of the keys used in already-deployed standards like SSL and TLS. Individually, however, most of the population is not technically adept enough to follow Bruce Schneier's sensible tips for safeguarding privacy. The crypto community's mailing lists have erupted into hotbeds of discussion of what to invent and how to implement it, but mass marketable solutions are a long way off.

The spy agencies seem to fail to understand that the exploits they devise to crack or undermine widespread security standards will come back to bite them as well as us when they escape into the wild to be used by all sorts of miscreants - including people they perceive as opponents.

The rest of the British press is willing to stand by while the government attacks the Guardian for publishing the revelations.

Many of the things privacy advocates have warned about for years that sounded like wild-eyed paranoia are not scare-tactic scenarios but real risks - such as claims of secret arrangements among governments to do each other's spying or the notion that governments have insufficient motivation to get serious about limiting data-gathering practices because it means they have all those nice databases to subpoena when they want to know stuff. You're not paranoid when they're really out to get your digital persona.

You may feel that none of these are lessons you really wanted to learn - and still less, lessons you wanted to pay handsomely for through your taxes. As the turkeys say, happy Thanksgiving.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 22, 2013

Schmidt happens

Google executive chairman Eric Schmidt has been making headlines again with a pair of loopy statements one hopes he chose out of a desire to be provocative rather than out of ignorance. First, he predicts that we may be able to end censorship within ten years. Second, he suggests that, "The solution to government surveillance is to encrypt everyone."

Oy. Let's take the last of these first.

"Mathematics is not your *friend*," Bruce Sterling declared in a wrap-up speech at the Computers, Freedom, and Privacy conference in 1994. At the time, it was not an overly popular message. The room was filled with people who passionately believed that freeing crypto from constraints on deployment and export was the key to privacy and security on the Internet. There were also comparisons to guns: as the argument goes, the Second Amendment is intended to ensure that the balance of power between citizens and the State is always somewhat equitable.

Granted, in the intervening nearly 20 years encryption has not spread as widely as the cypherpunks hoped. Only a tiny minority go to the trouble of encrypting email, but nonetheless you likely use encryption every day in forms that are invisible to you: every time you access a Web site via HTPPS, every time you buy something and SSL protects your credit card details in transit, and every time you make a phone call over a mobile network. And what has happened? The security services have, as we've been reading since June, gone all out to break, undermine, or bypass the encryption. And - as Sophos' Graham Cluley writes - UK prime minister David Cameron is praising them for it and wants them to do more of it to penetrate the "dark Web".

Sterling was right: mathematics has not been our friend, and for a very simple reason. No matter how powerful the encryption used to protect data in storage or transit, at some point it has to be removed so that the people using that data at either end can view and work on it. As Caspar Bowden has explained in his careful work analyzing the vulnerability of non-US cloud systems to the US's FISA, FISAA, and PATRIOT laws, we are talking here about surveillance-as-a-service. We're talking hardwired back doors and permanent taps at key points, in which case, as I wrote in July, "interception" is no longer a useful concept, and encryption is no longer a useful defense.

Adi Shamir, the "S" in the most widely used public key cryptography algorithm, RSA, has often said that you don't bother trying to crack the crypto, you just go around it. In a talk he gave in March, Shamir argued as above that crypto is less and less a useful defense. His example was advanced persistent threats, which hide out inside networked systems picking off tiny but valuable items of information to exfiltrate to the mother ship, but his comments apply as aptly to NSA taps, for the same reason. There is always a moment when the data is in clear text, and that's your target. I cannot believe that the former CEO of *Google* would not know this.

The ending censorship claim is sadly equally laughable. Censorship did not arrive with the Internet; it's probably as old as cave paintings. It's been known in all sorts of human cultures from China in 300 A.D. to medieval Europe. In his latest book, Writing on the Wall, in the process of exploring historical analogues to modern social networks, Tom Standage discusses historical censorship in pre-Revolutionary France and 17th century London; in the past I have written about Catholic values-driven controls in the Republic of Ireland. Either Schmidt knows nothing of history or he's just being provocative and media-friendly (at which he obviously succeeded).

Censorship is in the eye of the beholder. Presumably Schmidt does not view Google's various efforts to block access to child abuse images, videos of crimes, and, under court order, torrent sites as "censorship". This despite the fact that, as Cluley wrote, saving me the effort, the former head of the Child Exploitation and Online Protection Centre Jim Gamble has told the BBC, search engines aren't how pedophiles search for these images. Getting the search engines to do these things will make very little difference in terms of protecting real children from actual abuse. It's child protection theater, and it's being implemented under the same kinds of threats that were made against ISP in 1996 when they argued that blocking access to 133 Usenet newsgroups would be similarly ineffective. (These were the threats that drove the creation of the Internet Watch Foundation.)

Perhaps Schmidt thinks that censorship is the content blocking that *other countries* do. People who aren't us. Which we can fix, despite millennia of human history. As George Costanza said in Seinfeld when Jerry explains that he and Elaine have come up with a set of rules to allow them to remain friends while having sex on the side ("The Deal", season 2 episode 9): "Where do you get the ego?"

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 15, 2013

Content is king

Two big stories this week, both, in their separate ways, about content and its owners.

The first was the final despatch of the Google Books lawsuit by judge Denny Chin of the United States Court of Appeals for the Second Circuit. This thing has been percolating since 2005, a year after Google started its scanning project; the history is probably best explained in this 2011 article by Pamela Samuelson (PDF). Briefly, Google got sued, first by publishers and then by authors and settlements of the lawsuits were rejected on all sorts of grounds. Now, the last of these has been dismissed, a judgment that has been widely welcomed as a win for fair use and innovation: by Wired, the Washington Post, the New York Times, the Guardian.and digital libraries expert Karen Coyle.

The Authors Guild plans to appeal, but I'd suggest they try asking their members first how many of them actually use Google Books. I bet the answer will be: lots, just like Judge Chin's law clerks. I'd like to see alternatives (because I would like to stick to the terms of my 2010 divorce from Google), but the fact is it's damn useful to have a searchable repository that opens up access to work that otherwise increasingly might as well not exist. The best news about this decision really isn't the effect on Google; rather it's that by ruling that scanning books and allowing searches to return small chunks of their contents is fair use the court has opened the way for others to do the same thing. You may argue that very few others have Google's resources, but that doesn't have to stay true: Wikipedia, Open Street Map, and Open Corporates have all shown what can be done with collaborative hard work; why not Open Books?

Coyle, who makes the point that libraries have played a vital role in securing this judgment (the judge in the case frequently cites the American Library Association's amicus brief (PDF), welcomes the ruling as "an opportunity to rethink digital scholarship based on materials produced before information was in digital form." What she does call for, however, is a project to correcting the OCR errors in those scans.

The second big story of the week is, of course, the release of the text of the copyright chapter of the draft Trans-Pacific Partnership treaty, which until now has been kept secret. The guts of the actual provisions have already been helpfully analyzed; see for example Dan Gillmor in the Guardian, EFF, Canadian legal scholar Michael Geist, and James Love at Knowledge Ecology International, who calls it "bad for access to knowledge, bad for access to medicine, and profoundly bad for innovation".

What's clear, since the leaked chapter includes the detail of which country is pushing for which provision, is that the US is taking the lead in trying to expand intellectual property rights and shrink the exceptions to them. In Geist's analysis, he notes that his country is often one of the lead opponents. Which in turn means that the interests of ordinary Americans, as opposed to rightsholders, are being better protected by Canada than by the US government we actually pay to do it.

Love also writes eloquently about the many problems surrounding the secrecy of the negotiations - secrecy that extends even to much of the US Congress.

This is one time when it's absolutely clear that the negotiating parties cannot claim that they didn't know these provisions were contentious. There were - famously - street demonstrations to block the first attempt at getting these policies into international law, the SOPA and ACTA treaties. It wasn't just the improbability of people caring that much about what used to be such an obscure area of law - it was also that the demonstrations were in outdoors in mid-winter in places like Poland and Sweden.

But what matters even more than the reality is the principle. Even if TPP weren't a shady backroom effort to sneak the widely despised provisions of the deceased SOPA and ACTA into law, the secrecy would still be wrong. Even if you could make a reasonable case that there are parts of the treaty that are genuinely sensitive for security reasons, there is no possible way the copyright provisions are among them. But it *is* a shady backroom effort. The street demonstrations against ACTA must have left them in no doubt about its unpopularity. They can't say they didn't know how many people, experts, and organizations believe that expanding intellectual property rights is both morally and economically wrong.

What's that line that the security services and law enforcement are always telling us to justify installing privacy-invasive systems "for your safety"? Ah, yes: if you have nothing to hide, you have nothing to fear. Shouldn't this be more applicable to governments negotiating international treaties that are going to become domestic law than to ordinary citizens who just want to see their doctor in private?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 8, 2013

Unified field

For as long as I can remember, the notion that the Internet might break apart along nation-state or commercial boundaries has been a threat. Usually called "Balkanizing the Internet", the "Splinternet", as Becky Hogge called it at the Cybersalon last week, has become a topic for discussion due to the Snowden revelations. To some people it doesn't sound so bad any more; to others it's still automatically doominous.

There are at least four different ways the Internet could be "Balkanized". The current usage derives from threats by Brazil and Germany (chiefly, but not solely) to pass national laws requiring data pertaining to their citizens to be stored locally instead of shipped around the Internet into the purview of the NSA. Folks like the vocal Lauren Weinstein call this both hypocritical (because the countries spy on their citizens themselves) and dangerous (because it would split the Net by raising barriers to the free flow of information).

But this particular sense is about private data storage, not flows of data meant to be published. There are myriad vast data stores on the world's computers that do not touch the Internet or do so in very restricted ways and it matters not at all. What difference does it make if the entity demanding local control over its users' data is Brazil or Facebook? I would argue: none - and storing data locally is likely also to aid network efficiency. Sure, the US doesn't like the EU's widely copied data protection laws because they impede the free trade in data from which US data-driven companies make so much money. But that doesn't mean the rest of us have to facilitate that. More important, as Caspar Bowden has been pointing out (PDF), local storage won'tprotect against NSA spying because US companies' foreign subsidiaries are subject to FISA and the PATRIOT Act no matter where the data is stored.

The two original senses of "Balkanization" are more serious. The first is censorship. Twenty years ago, as now, there was much concern about attempts to regulate content at national borders. These would either turn the Internet into a patchwork of unpredictably unreliable access to information or a lowest-common-denominator medium hosting only the most universally acceptable (ie, blandest) content. Twenty years on, various countries do filter and censor, the Internet's somewhat porous quality has largely survived, even though some people can't access some types of information at some times from some locations.

The second was about the management of addressing, an issue of technical Internet governance overseen since 1998 by the Internet Corporation for Assigned Names and Numbers. Although there are many registrars selling domain names and many registries (one for each country and generic top-level domain), ultimately transforming human-friendly domain names into the numbers computers use is a monopoly distributed by 13 root servers. The feasibility and dangers of splitting the root have been the subject of many debates and disputes over the years. Snowden has revived the uneasiness outside the US about ICANN's remaining ties to the US Department of Commerce. The upshot is much more interest in other, more international governance efforts such as the Internet Governance Forum than there was six months ago. Still, what scares people about this is not so much Balkanization as that the participation of so many governments with conflicting regulatory agendas could stall the Internet's development entirely.

The final sense is the one network neutrality is meant to protect against. This would be the scenario in which access providers discriminate against traffic they don't like: the cable company that also owns TV stations and accordingly demands a very large ransom from Google and Microsoft to allow subscribers to access YouTube and Skype or slows down the connections to the point where those services are unusable. The answer to this is not allowing this sort of cross-ownership (a classic anti-trust issue) or, failing that, for regulators to insist that all types of traffic be treated equally. There's some delicacy surrounding how to phrase this so that it doesn't outlaw traffic-shaping, a legitimate tool for defending against certain kinds of attacks and for ensuring that you don't interrupt someone's video stream of live tennis at match point in order to deliver an email message whose recipient wouldn't notice a two-second delay. But delicately phrasing things is what lawyers and policy makers are for.

So, yes, all these threats have some potential to disrupt the Internet as we know it. Of the four, I'd say the local data aspect is more interest-group hype than real threat The bigger threats are structural censorship and the loss of network neutrality, both of which could play into the hands of large, commercial interests who would prefer to turn the Internet into a captured broadcast medium cum giant data collection platform. Whether local data storage can be meaningfully forced on a network that was specifically designed to connect people regardless of nationality or location is an entirely different matter,.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 1, 2013

The edge of writing

The unexpected point made at Wednesday's The Future of Text is that at any given moment text, like anything else, has had an imaginary future that's a logical extension of its present and an unexpected future, which is what actually went on to happen when the new technology hit a particular social and cultural context. When Sumerian accountants first began keeping track of commodity sales using marks on blobs of clay, they didn't imagine Jane Austen and Douglas Adams. Similarly, when ancient Egyptians began documenting their relationships with the gods, they did not imagine Martin Luther or the industrial revolution. But if we glance up from our word processors to look back, we can see a pair of tracks stretching back to those two motives for writing: business and philosophy (or maybe art).

Anyone who's ever struggled to organize their thoughts in Microsoft Word (as I wrote in the Guardian in 2006), finds it frustrating, from James Gleick (1992) to Charlie Stross (2013). In writers' circles, people trade ideas for workarounds: put paragraphs on index cards and shuffle them on a table. Or post-it notes on a wall. Or chalked-up small slabs of rock on a floor. Or wax tablets with letters cut into them...

In other words, as I see I wrote in 2006, computers haven't solved a damn thing.

Something about this discussion - perhaps under the influence of Tom Standage, there to explain that the ancient Romans had a highly developed social network - merged insidiously with previous day's first Open Data Institute summit. Ten years ago, our future looked to be about processor power; five years ago it was maybe about mobile and storage; today it's all about data. In any number of recent books you'll see the claim that human intuition and experience are on the way out, beaten by data analytics.

Yet the thing I took away from the summit is that *actually* it isn't about the data at all. The key story was that told by New York City's Michael Flowers. While his group now relies on patterns in inspection data that provide early warnings of fire risk, what enabled that was the labor-intensive process of talking to human inspectors about what the data they collected meant.

"We married knowledge and open data," he said. "We asked what they saw, then matched it to the data." In other words, it's the metadata - the data *about* the data - that really matters. I had an inkling of this when I watched a bunch of teens try to figure out what the headings meant in a spreadsheet displaying some government data they'd begged, borrowed, or stolen for Young Rewired State 2011. My guess is that if we don't keep collecting that metadata at some point today's data patterns will cease to accurately predict fire risk because the humans will have drifted in another direction.

Which, again, linked to a completely different event this week, Tuesday evening's Cybersalon event on surveillance. "Metadata" and "traffic analysis" aren't terms the general public knew much about until a couple of months ago, but of course they are the heart of what's going on with the NSA. Concern about what's being collected and analyzed are leading even Old Net Curmudgeons into some very dark places they never thought they'd consider going, such as what Becky Hogge called the "Splinternet". A number of countries - for example, Brazil - are considering legislation to force local data to be stored locally, out of the NSA's reach. For the last two decades, the Internet pioneers have seen splitting up the Net into national islands as a terrible danger and the reason not to make a number of decisions. But what's worse? The Splinternet or the Global Surveillance Platform? Are these our only choices of future?

On Wednesday a fine rant by Ted Nelson, the father of hypertext, argued that problem with today's word processors is the tyranny of printing. In other words: business won. What, asked the event's organizer, Frode Hegland, would it look like if some other paradigm had won? What if we were in an alternative future that enabled a different kind of thought? He is experimenting with an answer in the form of a different approach to word processors (unfortunately closed to me: it runs only in the parallel and alien Mac universe, though there are other niche other-paradigm word processors out there).

History, the British Museum's Jonathan Taylor said Wednesday, "is a series of accidents by people who don't understand what's going on." It took 300 years for writing to develop into telling stories. "You have to feel the need and the appropriateness," Taylor said.

Many engineers and cryptographers now feel the need and appropriateness of reinventing the Internet; I see pockets of people discussing how to build new, NSA-proof tools everywhere. While we're doing that - and while we're exploring this new universe of open data - we should keep Word in mind. We should remember to ask not just what kind of future we're creating, but what kind of future we're closing off.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.