" /> net.wars: July 2015 Archives

« June 2015 | Main

July 31, 2015

Girlish GUIs

I spent some time this week reading Lean Out: The Struggle for Gender Equality in Tech and Start-Up Culture, a collection of essays, articles, and blog postings written by 25 women in, as you might guess, the technology field. (The review should be up at ZDNet soon.) Their collective experiences make depressing reading despite the courage, humor, and thoughtfulness with which they approach their various situations. elissashevinsky-book.jpgHere we are in 2015, nearly 50 years since feminism became a mainstream movement, and, as the book's editor, Elissa Shevinsky, writes, many women are departing the technology industry because they find the conditions too hostile.

As a 1970s person, I want to scream, "No! Come back!" But these are different times. A woman entering a technical profession in, say, 1975, the year the number - not percentage - of women in Cornell's veterinary college nearly doubled, from 6 (out of 60) to 11 - wanted above all things to survive in her chosen profession. We were a generation for whom "lady" was a four-letter word. That was what our mothers wanted us to be, and breaking those constraints was a gleeful liberation. Among other things, for me, it meant not wanting men to self-consciously censor what they said in my presence. If it was sexist crap, I'd rather hear it openly; it's the secret back-channel stuff that can really hurt you. And the more men feel required to alter their behavior when women are present, the more they want men-only areas in which to unwind and be themselves...and those opportunities to game the system in their own favor are the unfortunate situation we wanted to end.

The saddest conundrum posed by Shevinsky's book is this one: do we encourage more women to enter the technology professions on the basis that these are good, interesting jobs that should be open to everyone while knowing they are likely to be miserable when they get there? What do you say to a technically inclined 13-year-old girl who is just beginning to encounter some of the many obstacles she will face? Can you honestly tell her that once she's run the gamut described in these essays of sexual harassment in labs, internships, and workplaces it will get easier? In the Silicon Valley that emerges from the writing of the 25 women who contributed to Lean Out, that would seem to be an outright lie. Yet discouraging her is unthinkable, both for her own life prospects and for an industry that truthfully cannot afford to overlook this enormous pool of talent. So we have to encourage them - as, for example, Emma Mulqueeny has been doing this week with Young Rewired State's annual Festival of Code - and we have to tell them honestly that it's a good road but a hard one.

Reading the book inspired me to revisit the now out-of-print 1996 collection Wired Women, edited by Elizabeth RBethWeise.jpgeba Weise and Lynn Cherny. At the time, media tropes held that the online world was dangerous for women, who were then approximately a quarter of the online population, and that they should style themselves with male or unisex names in order to avoid unwanted attention. I always thought it was bad advice, since the more women masked their presence the less women would feel welcome. Plus: how dangerous could online be, when the beings there couldn't reach through your modem to hurt you? This collection was an attempt to show women's varying experiences online, both the wonderful (as in Weise's own "A Thousand Aunts with Modems") and the less wonderful (Stephanie Brail's "The Price of Admission: Harassment and Free Speech in the Wild, Wild West").

Broadband and mass adoption have changed a lot of things. Cyberspace is no longer somewhere we go to encounter predominantly strangers, but somewhere we are, alongside everyone else we know. Those who want to lash out have not only an amplifier but myriad vectors by which to operate. "Why is flaming acceptable at all?" Lauren A. Sutton asked in her 1996 essay on online manners, baffled at the way even guides to "netiquette" seemed to regard it as something people should just get used to. We see the same arguments made today over flaming's descendants: cyberbullying, public shaming, rape and death threats, and whatever went on in the now-killed subReddits whose death Ellen Pao oversaw.

One of the more startling essays to revisit is digital library specialist Karen Coyle's "How Hard Can It Be?", in which she takes apart the prevailing masculine narrative surrounding computing. Graphical interfaces were relatively young then, recent enough for Coyle to quote John Dvorak's writing praising the old command-line DOS system over this new-fangled Windows business. Thusly: "The original split between PC users and Mac users was a battle between the masculine command-line interface and the girlish GUI." Coyle concluded by suggesting one possible future: the computer as appliance. "We must learn to read the computer culture for the social myth that it is."

Well, we've done that. Appliance computers - tablets, smartphones - are with us by the billion. No one seriously thinks of a computer - or the internet - as a "male thing" any more. One day we'll be saying the same about the technology industry. It just may not be in Silicon Valley any more.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 24, 2015

Hubbub

One of the least fun aspects of the copyright wars has been the persistent sameness of the arguments. One side wants copyright terms extended; the other wants them shortened or even removed entirely. One side wants ever-increasing enforcement; the other wants new exceptions. Changing this conversation is the goal of the Copyright Hub.

One of the big issues it - and its CEO, Dominic Young - keeps coming up against is the kind of thinking that wants every problem solved up front. dominicyoung-small.jpgAs Young explains, this isn't what the Copyright Hub is trying to do. Instead, it's trying to pick a starting point from where the process of change can start. That point is a plug-in for Firefox and Chrome that allows anyone landing on a piece of content to right-click to find a URI - uniform resource identifier - that uses an index to find the server belonging to the owner of that content. The URI has two parts, one an ordinary URL to identify the server from which the content can be licensed, and the second a specific identifier for that piece of content. Once connected to the server, a simple app pops up offering options to get a valid license for the content, which might include (as in the demonstration I saw - paying a small fee for non-commercial use and a larger one for commercial use. copyrighthub.jpgBut there's no reason the content owner can't include in the offered options "public domain", any of the various Creative Commons licenses, or GNU's General Public License. The Copyright Hub is not an intermediary in any of these transactions; like a torrent site it's merely an index that connects a prospective user with a rights holder. The Copyright Hub takes no commission from any money that changes hands, and holds no data about who obtains licenses. Young argued strongly against offering time-limited licenses. As he says, no one is going to remember to renew a license for a photograph on a blog post they wrote five years ago. The code is all open source.

The way Young describes the system, it reminds me most of the way the domain name system works, where every name used to send email or access a website (such as pelicancrossing.net) is sent to a resolver, which responds to the query with the matching numbered Internet Protocol address. The chief difference: unlike the DNS, which traditionally limited the number of available top-level domains, the Copyright Hub is intended to scale up indefinitely. Young's idea is that eventually there will be myriad such hubs run by commercial organizations, countries, creator collectives, and so on. In his imagining, eventually the need for *this* particular Copyright Hub, the one that's kicking all this off, will become surplus to requirements.

"Our ambition," he told me, "is to create no centralized infrastructure, and the Hub can disappear."

The notion of assigning a locator string to an individual piece of content within a page feels reassuringly old-school to me, somewhat returning the web to its original conception as a read/write medium and to precursors such as Ted Nelson's Project Xanadu. The difficulty is that it's easy to find all sorts of ways in which the Copyright Hub's system is inadequate. For example:

- Hackers and social media sites have techniques for removing metadata like the URI that will be attached to these bits of content. Yes, they do. But, Young argues, providing options for paying for the content users like and use means that those who want to can actually pay. If lots don't, that doesn't change the fact that the content's owner has gotten some revenue where now they wouldn't. "It won't prevent shoplifting, but it will make it easy to take it through a till if you want to pay," he says.

- The system might open up new avenues of surveillance and privacy invasion. Given the design, where the Hub hosts just an index, has no part in transactions, and keeps no data, it shouldn't be the Hub that's the risk there. The identifier attached to the piece of content tells you - or your computer - nothing more than where to find more information about it. Content owners, especially those that want money in trade for licenses, are a different story. By analogy: although DNS data can be immensely revealing, it isn't the root servers that are the risk so much as the destination servers. The Hub only knows how to resolve identifiers and uses the existing DNS to do it.

- Plug-ins are an ex-technology. Young agrees: but they're a place to start. "I can't change what Google does." Ultimately, Young would like to see the plug-in's functionality built natively into browsers and mobile.

The Hub has, Young says, 94 use cases - implementations people want - in the pipeline, with more coming in all the time. Over time, given that the system is all open source, he assumes others will build their own implementations. The idea of dumb identifiers that resolve to servers can describe much more than a piece of content, but doesn't require rethinking how the internet functions.

"It has to be something the world can adopt," he says. "What we're launching is one implementation of something which will evolve rapidly and in ways we can't know."


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 17, 2015

Trifecta

A remarkable consensus of high-level opinion seemed to be emerging about the state of communications surveillance in the UK until this morning, when the High Court ruled in favour of the MPs Tom_watson_communia2009_cropped.jpgTom Watson (Labour - West Bromwich East) and David Davis (Conservative - Haltemprice and Howden) in their suit against the government over last summer's pass-in-haste-gloat-at-leisure vacation special, the Data Retention and Investigatory Powers Act. The government now has until March 2016 to pass new legislation that conforms to the April 2014 European Court of Justice (CJEU) ruling that invalidated the UK's data retention regulations in the first place. It also may appeal the judgment. A cynic might imagine that the government's next move might be to propose judicial reform that does away with the High Court.

The main point is that this court judgment matches that of the CJEU: DRIPA's section 1, David Davis.jpgwhich reinstated the requirement for ISPs to retain traffic data for 12 months, violates the same human rights laws the 2009 data retention rules did. Legal minds will be picking at the bones of this judgment for a while. The more immediate question is how the government will now proceed: the post-election Queen's speech included an investigatory powers bill intended to "close gaps" in access to communications data; this has been universally interpreted as a revival of the "https://www.openrightsgroup.org/issues/ccdp">Communications Data Bill, aka "snooper's charter".

The judgment makes plain, however, that it is not ruling on whether data retention is legal. Merely that this implementation is invalid because it fails to restrict the use of the retained data to prevention, investigation, and prosecution of serious offenses and fails to require review by a court or independent body as a condition of access. In this, it follows the pattern that was forming over the past few months.

Three rings for the Elven-kings...no, three *reports* on the workings of surveillance in Britain were due in the first half of 2015. These were produced by: the Intelligence and Security Committee; the independent reviewer, David Anderson, QC; and the Royal United Services Institute panel.

All these reports received their due press attention when they were released. What's notable is the similarity of their conclusions: the system is legislatively fragmented and complex, needs greater transparency, and lacks sufficient access safeguards. Similarly, some of their recommendations match; in particular all call for replacing today's piecemeal-created legislative structure with a single, less complex law and greater transparency about the system in general. Like today's court ruling, none calls either data retention or GCHQ's activities illegal, and although they all call for reforming legislation to make it simpler, none suggests the legislation should be changed to remove powers the surveillance agencies currently have. We say "surveillance agencies", a term that suggests a handful of experts; Anderson notes that the ISC report covers 600 bodies "with powers in this field", a number that should be spread more widely.

The ISC, established by the Intelligence Services Act 1994, reports once a year, and described this year's report as unprecedentedly comprehensive; its work on the report it released in March began in July 2013, a month after the Snowden revelations began. A month ago, it was joined by the report written by Anderson, the independent reviewer of terrorism legislation. This job dates to the 1970s, though it's been expanded since, most recently by the Counter-Terrorism and Security Act (2015). Finally, the RUSI report, which the Liberal Democrats boasted they had secured as a condition of supporting DRIPA, arrived this week.

The ISC report reads as though it was designed to be reassuring: no one's doing anything illegal, nothing to see here. The ISC particularly supported the present situation, where warrants are signed by the Secretary of State, on the basis that they are thoroughly scrutinized even before they reach her desk, explicitly stating that GCHQ is not engaged in "blanket surveillance" or "indiscriminate surveillance". Anderson, on the other hand, advocated for replacing that system with independent judicial review, though he thought the data retention capabilities in DRIPA should be retained.

On one point, the status of encryption, Anderson seems already to have been superseded: prime minister David Cameron's recent statements on encryption contradict his comment that "neither [the agencies] nor anyone else has made a case to me for encryption to be placed under effective Government control". The RUSI report again says the panel has seen no evidence that the British government "knowingly acts illegally in intercepting private communications or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens." They came down on the side of requiring judicial authorization for warrants and offered ten principles by which privacy intrusion could be tested. This report also advocated maintaining the " capability of the security and intelligence agencies to collect and analyse intercepted material in bulk". However, they also seemed to support the government's contention with regards to encryption that there shouldn't be anything it can't read.

It's worth remembering that, as Sir Humphrey says in Yes, Minister ("The Greasy Pole"), inquiries, however independent, cannot answer questions they are not asked. The big one is this: how do we measure the system's value in protecting public safety? It's a hard one to answer, and it's unlikely the government will try by, for example, taking today's DRIPA judgment as definitive.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 10, 2015

Fight on

A conspiracy theorist would make something dramatic of this week's raw materials. In both the US and the UK government and law enforcement insist more and more loudly that encryption must be weakened so they can read everything, Meanwhile, in uncharacteristic silence, Caspar Bowden, one of the UK's leading advocates against such notions, has died.

256px-Caspar_Bowden-IMG_8974.jpgBowden sprang into my life so fully formed as a privacy advocate that I was startled to discover he was not ever thus: conversational hints and online biographies indicate that he studied mathematics at Cambridge, worked in investment banking (writing proprietary trading risk management software for option arbitrage) and software engineering (graphics engines and cryptography). In the roughly 20 years I knew him, which encompassed his ten years trying to implement privacy at Microsoft, I never heard him mention family other than his wife. He argued with everyone: "Prickly for the right reasons," a friend said on hearing the news. I was astonished and flattered when, years afterwards, he told me that one of the things that led him into the politics of cryptography was articles I wrote in the early 1990s. Moments like that can keep a writer motivated for decades.

What he did discuss, copiously and passionately, was privacy: he fought demands (such as those our governments are reviving) for back-doored encryption, spotted the "snooper's charter" while it was still just a wish list item, and issued very early warnings about the dangers of the rampant collection of metadata (the "data" in "data retention") and the risks posed even to data stored outside American borders by provisions in US laws like the FISA amendments and PATRIOT Act. Latterly, he was particularly incensed about American exceptionalism, which reserves human rights for Americans and refuses them to "foreigners". He was, you could say, advocacy all the way down. At a party he gave in 1999, I recall the two of us getting animatedly stuck into some of these subjects somewhere around 2am. Feeling left out, "I came for the craic," the person sitting next to him drunkenly protested. "You don't understand," he replied. "For us, this *is* the craic."

He leaves a hole but not a void. This week saw anti-encryption rhetoric much on display in both the UK (by Prime Minister David Cameron and Home Secretary Theresa May) and in the US by FBI director James Comey and Deputy Attorney General Sally Yates. In the US, Comey and Yates, plus opponents Peter Swire and Herb Lin, testified in front of the Senate Judiciary Committee. At Lawfare, Benjamin Wittes has a summary: he suggests that Comey is gathering political support with diligence and skill.

In the post-election UK, Cameron's statements are increasingly intemperate: social media privacy is "unsustainable"; he will ban communications government can't read; privacy-oriented services like Whatsapp and Snapchat are threats to national security. cryptophone.jpgThe possibility that both governments may try to pass legislation banning strong cryptography is becoming increasingly real, a rerun of 1991, when Phil Zimmermann pre-emptively released PGP to render the idea moot, or 1997, when Bowden helped organize the first of the Scrambling for Safety public debates that led up to the passage of the Regulation of Investigatory Powers Act. It's like watching people deliberately eliminate all other forms of transport and then remove all airplanes' safety features.

Pre-emption by technology won't help this time. PGP and other privacy-enhancing technologies such as Tor seem to have withstood cracking, but they are unusable enough that they won't achieve mass adoption. The authorities focus on major companies because we now know that to be usable encryption must be built invisibly into services like SSL (cracked by the NSA) or mobile standards. The tiny sufficiently motivated minority won't be deterred by a ban, they will stick out in a world that's 90% readable. For Cameron and Comey that'd good enough.

In response to these threats to (inter)national security, on Wednesday 14 computer scientists and security experts released Keys under Doormats, a paper explaining the precise level of danger Cameron and Comey are advocating. The New York Times, among many others, has a summary (see also many past net.wars).

These governments are refusing to learn from their own headlines: the Hacking Team hack (more here being a prime example. Here we have a company (apparently conceived by sf writer Philip K. Dick) that sells governments products so they can spy on all of us, with backdoors the company can use to spy on them. Bruce Schneier's comment: " It's one thing to have dissatisfied customers. It's another to have dissatisfied customers with death squads. " Meanwhile, the hack at the Office of Personnel Management has exposed 19.7 million security clearance applications, 127 pages each, plus 1.8 million spouses and co-habitants, the intimate details of people's entire lives that encryption should have protected from exactly this. OPM has, for the moment, gone back to processing applications on paper (a good conspiracy theorist would suspect the paper manufacturers).

Bowden spent the last 20 years being called paranoid and watching people discover he was right. In one of his last public talks, at last December's Chaos Computer Congress, he discusses privacy and cloud computing. In the coming Second Crypto Wars - we will need all his legacy, and much more.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 3, 2015

Schottische

This week saw the official launch of Open Rights Group Scotland, and I found myself doing a mini-tour of talks on something like the history of the battles over civil liberties in cyberspace to help celebrate. I have no idea what I actually said but there are recordings...somewhere.

What follows is a précis of what I learned in the process about the situation in Scotland, some from ORG's new Scotland officer, Pol Clement-Smith, but mostly, of course, from various audience members.

- The sheer relish and pride with which new MP for Dundee West Chris Law is exploring the weird and wacky rituals of Parliament is awe-inspiring. chrislaw-small.jpgThe 56, as he explained, represent a real cross-section of Scottish society (he himself is a Dundee-based self-employed financial advisor). Few are lawyers, some are new to political office of any kind. If they're all as enthusiastic and widely gregarious as he is, maybe they can keep each other from being infected by the Westminster bubble. (Note Law's saltire cufflinks in the photo.)

- The Regulation of Investigatory Powers Act (2000)'s Scottish analogue, the Regulation of Investigatory Powers Scotland Act, seems to have all the familiar problems. In November, Glasgow Herald reported that in 2013 there were 19,390 authorizations and notices issued under RIPSA, up from 18,382 in 2012; police had used RIPSA to access journalists' sources and security services to spy on lawyers and their clients. ORG Scottish officer Pol Clement-Smith notes that half of all RIPSA requests come from...Dundee. Not the name you would really expect to be the interception capital of Scotland - although Clement-Smith did mention that the notorious Kray twins hid out there at some point when they needed to escape London.

- A big issue - and one of the reasons for setting up ORG Scotland - is the plans for "entitlement cards" (a name that brings back memories from the ID card battles in England from 2005 to 2010, when the incoming coalition government finally killed it) that will not only provide a national ID register but link to NHS data. The plans were opposed by the now largely voiceless LibDems, and No2ID Scotland has taken up the cudgels.

- Among the 120 agencies and other organizations that would have access to all this data, health included, is Quality Meat Scotland, for reasons that puzzle Clement-Smith. A search returns Scottish Parliamentary questions (in which the opinion is given that CCTV should be operating in all abattoirs) and myriad news stories about illegal halal meat, such as this one mentioning "traceability issues" may be relevant: apparently the sparsely settled areas of the Scottish highlands are hotbeds of meat crimes.

- More interesting, an audience member in Glasgow pointed out a risk of the Internet of Things that we suspected but hadn't yet been found in the wild. In 2013, at a Westminster eForum event on smart living, Brian Devlin, from Glasgow City Council outlined the city's plans for smart street lighting, which would save a large portion of the council's energy bill by powering down when no one was around. The audience member, involved with the Scottish Palestine Solidarity Campaign, commented that these streetlights are also fully kitted out with surveillance equipment such as microphones, cameras, and other sensors. In other words, what was presented and sold to the public as an energy-saving device carried comprehensive monitoring facilities as a stowaway - to fight crime, of course. Part of her objection was that the system was made by an Israeli company; that seems less important than the fundamental point, which is that there are many dangers inherent in the Internet of Things, not least the difficulty of auditing what all the Things do. Eugene Kaspersky has taken to calling it the Internet of Threats, though his meaning has much more to do the vulnerability of each element to attacks.

- Also highly controversial is the Named Person legislation, part of the Children and Young People (Scotland) Act, which requires every child under 18 in Scotland to be assigned a state-approved "named person" - a teacher, health visitor, or someone else who is not the child's parent and who will be authorized to report concerns about the child''s well-being to the authorities. All sorts of people are worried about this - Christians, the Scottish Parent-Teacher Council, and others. As a non-lawyer, it's hard to see how the law conforms to the right to privacy of family life enshrined in article 8 of the European Convention on Human Rights. The law has been challenged in court by the No2NP (No to Named Persons) campaign.

- Other details from Clement-Smith: Scotland is the most centralized country in Europe: a unicameral parliament and a single police agency, Police Scotland. The age of criminal responsibility - eight - is one of the lowest in Europe, and Scotland also has the highest figures in the UK for stop-and-search of children. A 2014 study found 72 instances regarding kids under seven. Four hundred and fifty-five people own two-thirds of the land, a situation that a government commission is looking, astonishingly, at reforming. Also an issue: large, single contracts that tie councils into sole vendors who then own all the data.

So: watch that space.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.