" /> net.wars: March 2016 Archives

« February 2016 | Main | April 2016 »

March 25, 2016

Murphy's internet

jonpostel.gifThe Internet Corporation for Assigned Names and Numbers has been inching along for years towards the moment when its tether to the US government is severed. This week, the Oxford Internet Institute and ICANN convened a meeting to outline the plans for the multi-stakeholder replacement structure. For someone who remembers the domain name system when it was just Jon Postel, ICANN's ever-more-complicated org chart is still pretty startling.

Monday's discussion started with a group of presentations explaining the new structure and the planned provisions in the bye-laws intended to protect ICANN from capture by governments - or other large self-interested organizations - either individually or collectively - and the rest of us from overstepping by ICANN. Both concerns are as old as ICANN, as are accountability and transparency. The bye-laws being written to implement the agreement reached a few weeks ago in n what sounds like a tortuous conclave in Marrakesh are intended to solve all these issues.

The transition requirements set by the National Telecommunications and Information Administration, the section of the Department of Commerce that has had ICANN under contract all these years, reflect these same values, with an added focus on "multistakeholder". NTIA, ; ICANN's ICANN vice-president Jean-Jacques Sahel said Monday to open the meeting, would not accept a proposal that replaced NTIA with a multi-government or intergovernmental solution. But it's as reasonable to be concerned about capture by the large companies that can afford funding for representatives, as Kieren McCarthy reported French government officials complained after Marrakesh, claiming that the result gives too much power to GAFA (Google-Apple-Facebook-Amazon); others doubtless agree. Either way, it means nerts to the ITU, the agency of the United Nations that thought back in 1997 (and again in 2012) that it was the natural choice.

MariaFarrellPortrait.jpgWriting in the Guardian, the consultant Maria Farrell, who has both worked for ICANN and represented civil society on its GNSO, outlines the process by which the present arrangement was reached, calling the multistakeholder model "slightly mysterious". On Monday, speakers suggested it may be unprecedented: a non-governmental multistakeholder corporation devised to govern a piece of critical international infrastructure. I sense future PhD dissertations.

The big question, several of us agreed before the floor was opened to questions, is "what can go wrong"? Essentially, we were assuming Murphy's Law's evil twin: "Anything that can be gamed, will be gamed."

There are at present two workstreams in progress, Matthew Shears from the Center for Democracy and Technology explained. The first is covering all the things that have to be finished before September's handover: changing bye-laws and ensuring accountability. The second workstream, intended to complete by the end of this year, is focused on issues whose solutions don't have to be in placer before transition. The latter effort, he said, needs to find ways to encourage greater diversity, ensure the accountability of stakeholder groups; and handle bye-law changes that for now are placeholders until agreement can be reached. The two biggest of these are human rights and jurisdiction.

Jurisdiction is the question of where legal disputes should be settled. For the last 15 years that's been California, but the legal implications have to be thought through.

It's human rights that's the really difficult question. Even if you have consensus on exactly what "human rights" means in this context, what should ICANN's role be? The Internet Governance Project's 2014 analysis of the then-current situation highlights some of the inherent difficulties and collisions. If ICANN were to get into the business of blocking content on human rights grounds, how far should it go and why does it get to stop at human rights? A similar conflict arises around privacy: how much should you be required to disclose about yourself as the owner of a domain name? The meeting raised questions about ICANN's funding model (Chatham House Fellow Emily Taylor noted that 55% of ICANN's funding come from just two domain name registrars, Verizon and GoDaddy) and what support should be available to those attending its far-flung meetings.

A questioner speculated that ICANN might be too big for the narrowness of its mission. Domain names have become progressively less important with the rise of search engines and social networks. Will ICANN need to scale down, or find legitimate new governance functions to justify its size? The latter strikes me as the biggest temptation towards mission creep.

But alongside that may be the professionalization that Sahel believes will now come to this area, which until now has been dominated by volunteers. As a result, Taylor suggested, the people taking over will gradually become businesspeople interested in doing deals. "It will take the heart out of the decision-making process." This leads into a thought I didn't have time to express: how do we keep ICANN from becoming like the ITU, which is despised by many internet cognoscenti as having stalled technical innovation and development for decades?

So this is what change looks like, as Farrell said: very, very slowly, and then very quickly. Right now, we're still in the slow bit where decisions are being made, so anyone can contribute by joining a working group, submitting comments, or, at the very least, staying up-to-date on developments..

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 18, 2016

Bypass

Failure_to_Communicate_-_'Cool_Hand_Luke'.jpgI've spent a good portion of the last three years listening to smart, highly qualified researchers from a variety of disciplines try to develop real science around cybersecurity. And along in today's news comes exactly the kind of situation they're trying to eliminate.

At Ars TechnicaSean Gallegher reports that the reason Hillary Clinton used her private email server for work email was that the NSA refused to let her have a secure Blackberry like the one they cleared for President Obama. This news was found by Judicial Watch in documents released in response to its FOIA request. In the released communications, NSA dismisses Clinton's request as too expensive and a matter of "personal comfort" rather than real need.

hillary clinton-isis-speech-cover-photo.original.jpgClinton was, in other words, faced with the same dilemma as millions of people all over the world: do you do your job effectively or do you hobble and frustrate yourself daily by trying to comply with what the IT security department is ordering you to do? The security folks, meanwhile, made the same mistake tens of thousands of their colleagues do every day: they seem to have assumed that their unilateral decisions were so clearly right that they did not need to bother with the realities of human behavior. Electronic Frontier Foundation co-founder John Gilmore's often-repeated aphorism, "The Internet perceives censorship as damage, and routes around it" could be more correctly expanded to, "Humans perceive frustrating rules as blockages, and route around them."

Poorly designed security offers many examples. The rest rooms are positioned outside the secure staff area, so rather than get up repeatedly to let visitors in and out, staff prop the door open with a wastebasket. Staff are banned from using social networks at work, but that's where all their contacts and messages are, so they use a VPN, a personal laptop, or a mobile phone and the company has no idea and no backups. And, everyone's favorite, users are forced to change their passwords every 30 days and, unable to remember the current one, they write it down, recycle earlier passwords, rely on frequent resets, or pick something dumb but easily remembered.

So, in this case: the Secretary of State of the United States of America wants to use a Blackberry. She's used to it, it fits her and her staff's mobile lives, and she doesn't like using desktop computers. Lots of us probably think that's dumb, as in the exasperated quote in one of those documents, "Why doesn't she use her desktop [in the secure area]?" Desktops have nice keyboards, big screens, and mature email clients. They're perfect for people who get lots of email - and spend most of their time in one location. A smart security person listens when the head of a department says, "We need this to do our jobs" because that's where the workaround will happen if they don't. The documents Justice Watch uncovered make it appear that the NSA was completely intransigent in considering Clinton's request.

Thumbnail image for A.Sasse.jpgIt seems apposite to invoke the 1967 Cool Hand Luke line "What we've got here is a failure to communicate." You sort of know that security people are reading that same article and thinking, "Users are idiots." There's certainly some justification for that, but as Angela Sasse has written and said so often, security problems can't be solved by "fixing the users" - that is, by issuing orders and forcing them through awareness training. This is a clash of goals. Of course users don't want to see their companies (or governments) hacked and their (state) secrets leaked to the world, but securing those assets is not the job they've been hired to do. Security people, because it's both their job and their bent see security as paramount. In many cases, that makes them rigid, and they fail to work with users to find solutions that enable both sets of goals.

A lot has to do with risk perception. To a journalist, encrypting their hard drive protects their data and their sources - but it also raises the risk that they might lose access to that data while on deadline. Between those colliding objectives, which is a greater risk personal for the journalist? Similarly, one can imagine Clinton and her staff deciding that the risk of missing an essential email until it's too late outweighed the risk of using her personal server.

From what I can see, computer security still languishes in the stage usability was in the early 1990s. Usability improved greatly when companies began hiring anthropologists and psychologists and setting them to watch where users got frustrated with hardware and software designs. (It's worth noting that this is getting worse now - what genius decided to plaster the web with grey type, for example?) Stories like this one cast security as the natural enemy of usability. Instead, security needs to draw on usability's toolkit. Security people need to think about how their rules will be inconvenient. The secure way of doing things needs to be built in from the beginning. It needs to not get in the way. The secure approach needs to be the easiest and most natural one to adopt - not for the security practitioner, but for the users.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 11, 2016

Don't stand so close to me

Social_Network_Diagram_(segment).svg.pngAt last week's Internet Law Works-in-Progress - a New York Law School invitation event where lawyers play hooky by critiquing each other's half-finished papers - Nizan Geslevich-Packin and Yafit Lev-Aretz came up with an intriguing idea: the right to be unnetworked. "Tell me who your friends are and I will tell you who you are," their paper's abstract begins.

Their idea is inspired by concerns about alternative forms of credit scoring for people whose histories aren't a good match for the commercial methods currently in use, This looks like a good thing for making traditional credit-scoring less rigid. People who've never had loans are considered terrible risks (no payment history), and 12 to 15% of the US population are unbanked or underbanked, and their lack of access to financial services is a vicious circle of self-fulfilling prophecies.

LevAretz.jpgSo: use all that webby stuff you can find out about them instead, like websites, Wikipedia pages, and social media presence. My social graph, of such interest to security agencies and law enforcement in determining whether I'm dangerous, can serve a similar function for banks.

When applied to financial services, this idea is not unlike the future outlined by Consult Hyperion's technical director, Dave Birch in his 2014 book Identity is the New Money. In it, Birch proposes that we have come full circle: centuries ago, your word was your bond, and today, given digital payments and all-knowing smartphones, it can be again. As I might have back then, I currently owe my local shop 33p, and I have this credit (as small as it is) because they know from 25 years' experience that I will settle that next time I'm in with enough change. Their experience and recognition of my person is my bond. That's great if you're long-established in a friendly neighborhood where the shops are run by their owners personally.

This is not most people's lives, and so we keep devising substitutes for that personal knowledge. Strangers don't have to trust you if they can trust the form of money you give them, whether that's physical cash (guaranteed by a government), a credit card (a bank), or a bitcoin (technology). And so to social credit. Would you give a loan officer your Facebook password? How much do you want the loan?

NizanPic.jpgIn this game, as Geslevich-Packin and Lev-Aretz analyze it, the richest people - not measured numerically but by the amount of need for debt to finance one's lifestyle - have the best option. They can simply refuse to participate. It's a version of "fuck-you money" in Hollywood. There it means enough money that you don't have to take crap from anyone you don't want to. Here, enough money means never having to tell your bank you're my friend.

And you might be wise not to. I slum around with a lot of low-lifes - folksingers (perennially broke), serial entrepreneurs (high-risk), and people I know nothing about who requested I add them to my Friends list and who for all I know are dangerous weirdos. With a little care and forethought, however, a reputation rescuer might be able to prune my profile to highlight an Ivy League education and the more respectable of my journalism credits. The presence of Labour Deputy Leader Tom Watson in my Twitter and Facebook profile pictures (several people away and ignoring me) could cut either way.

Geslevitch-Pakin and Lev-Aretz talk about these strategies. Your rich-enough-to-say-hell-no person can afford to be Type A, refusing to play and choosing privacy over financial assistance. Type B optimizes as above, deleting the damaging connections to all those folksingers and goofballs, and sucking up to the ones wearing suits in their photos, just as ambitious students maximize their chances of getting into the fancy university or high-paying job of their choice by carefully curating their activities and social presence. Type C would like to be smart like A or B and has the assets to do so, but is too lazy, passive, or ignorant to manage it. Type D would also like to be smart, but knowing they are poor candidates, seek to hide their flaws by avoiding social networks altogether - more likely to brand them deadbeats (the authors' term: "lemons") than credit-worthy. Either way, the overall result is to invade the privacy of the third parties in everyone's social circle, who are not consulted in these arrangements; decrease social mobility; and institutionalize discrimination.

Therefore: the right to be unnetworked, the authors' suggestion for limiting and regulating social scoring. Many details remain for discussion, but there are two reasons I like the concept. The first is that the aggregated data on today's social networks was not supplied with credit scoring in mind; it's more authentic than similar posted information 20 years' hence will be if social scoring continues. Using this information for credit assessment is a distinct change of use. The other reason is that it seems to me to derive logically from the American Fifth Amendment, the one that allows you to refuse to testify on the basis that you may incriminate yourself; the UK equivalent used to be the right to silence. Seems to me, that right ought to extend to refusing to supply my Facebook password to an inquisitive loan shark.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 4, 2016

The seven-percent solution

200px-PDmaybe-icon.svg.png"Copyright is a solved problem," a friend said the other week, and I was too stunned to reply beyond, "What?"

She explained: she lives in a "streaming environment". She has Netflix, Spotify, and I forget what else, and so there is no conceivable reason to engage in illegal file-sharing. Therefore: solved problem.

Many of us said long before iTunes that the answer to file-sharing was not to make it illegal or continue to extend copyright law but to build legal, reliable "Napster-killer" services, and certainly her experience helps prove that point. But unauthorized copying is such a shallow, surface, *single* issue: the real problems in copyright are about how to remunerate artists and creators for their work. My friend's "streaming environment" pays royalties, sure, but the bulk of those go to the record labels. Songwriters, upon whom the entire industry depends for new work, are watching their income collapse. I suppose you could argue that's not a copyright problem. But if it's not, then streaming isn't a solution.

Music, film, TV, and publishing are still only the start. Sci-Hub is the next move: it's a giant "pirate" repository of journal articles, partially aided by sympathetic academics willing to loan their user names and passwords to help build the site. Unlike, sites like The Pirate Bay, which was built by snotty nerds who seemed to get off on defying legal authority and which relies on advertising to bring in revenue, Sci-Hub was built by a frustrated Russian neuroscientist who thinks the current structure of scientific publishing ought to be illegal. She's being sued in New York; her site may be the thing that really breaks Tor Hidden Services loose from its porn-and-drugs-hub reputation.

There is, of course, a key difference. Downloading music - movies - TV - photographs - is easily characterized as consumers stealing entertainment that formerly they had to pay for, either by subscribing to a cable channel, or by watching ads, or by buying physical media, or by some combination of all three. The "pirates" helping fuel Sci-Hub are scientists and the producers of the work it's making available for free download. The people who most appreciate it, in other words, are the people whose work appears on it, who in turn most need it to continue to do more such work.

Journal publishers are the people on the receiving end of the damage, and they are widely perceived to have been profiting from all sides. Theirs is - or possibly was - a fabulous business model: they paid nothing for content because academics needed to participate in order to get promotions and tenure; and the same universities who paid academics to contribute had to buy copies of the printed journals so their scientists could stay current in their fields. *And* the publishers got to keep the copyrights. As journal prices have continued to rise, we have now reached the point where even Harvard, widely acknowledged as the richest university in the world, is saying it can no longer afford the subscription fees (ditto Cornell). No wonder it's the scientists and academics themselves who are ticked off.

The prospective solution to this is open access, where papers are automatically added to free archives, and academics pay relatively modest fees for peer review and publication. I guess you could call that a kind of streaming, and though I doubt the journal publishers would agree with you it's a "victimless crime" in the sense that the people who are getting damaged are people no one likes and who at one time provided a valuable service but are now impediments to vital science.

The fundamental problem copyright was invented to solve, however, was not how to prevent people from sharing files illegally but how to enable artists and creators to make enough from their work that they would be encouraged to go on doing it. Streaming would help with that if it created a vastly larger market than existed before - and maybe one day it will. But in the meantime creators of all kinds are struggling, in part because the companies that enable discovery of their work are giants who really don't care whether you listen to Beyonce or Bill Steele because they get paid just the same.

freeculture.gifI think it was in Free Culture that Lawrence Lessig wrote that the earliest version of copyright law was intended to curb the power of publishers. If that was the purpose it's arguably failed: only the biggest stars can now make any inroads on negotiating contracts with today' s giant conglomerated publishers, a balance so obviously un that it shouldn't require a #fairterms campaign to point it out.

Banning ad blocking, as the UK government is suggesting might be necessary, is not a solution either because you can't make people consume ads they find obnoxious.

So, what's left is plenty of problems for the enterprising to solve. How do we construct payment schemes so that small-time artists get paid their fair share instead of being regarded as a rounding error that can be safely allocated to the big stars? How do we redress the balance of power so that artists and creators are not stripped of their rights, followed by their royalties? How do we avoid creating new and even bigger intermediaries that scoop the pools of money available? Pick one, and be prepared to rethink it for 3D printing.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.