net.wars: February 2020 Archives

February 28, 2020

The virtuous patient

It's interesting to speculate about whether our collective approach to cybersecurity would be different if the dominant technologies hadn't been developed under the control of US companies. I'm thinking about the coronavirus, which I fear is about to expose every bit of the class, race, and economic inequality of the US in the most catastrophic way.

Here in Britain, the question I'm most commonly asked has become, "Why do Americans oppose universal health care?" This question is particularly relevant as the Democratic primaries bed down into daily headlines and pundits opining on whether "democratic socialist" Bernie Sanders and Elizabeth Warren, who both favor "Medicare for All", are electable. How, UK friends ask, could they not be electable when what they're proposing is so obviously a good thing? How is calling health care a human right "socialist" rather than just "sane"? By that standard, Europe is full of socialist countries that are functioning democracies.

I respond that framing health insurance as an aspirational benefit of a "good job" was a stroke of evil genius that invoked everyone's worst meritocratic instincts while putting employers firmly in the feudal lord driving seat. I find it harder to explain how "socialist" became equated with "evil". "Socialized medicine" apparently began as a harmless description but in the 1960s the American Medical Association exploited it to scare people off. I thought doctors were supposed to first, do no harm?

Of course, a virus doesn't care who's paying for health care - the real crux of the debates - but it also doesn't care if you're rich, poor, upper crust, working class, Republican, Democrat, or a narcissist who thinks expertise is vastly overrated and scientists are just egos with degrees. The consequence of treating health care as an aspirational benefit instead of a human right is that in 2018 27.5 million Americans had no health insurance. As others have noticed, uninsured people cluster in "red" states. Since Donald Trump took office, however, the number of uninsured is slowly regrowing.

Some of the uninsured are undoubtedly people who are homeless, but most are from working families. They work in gas stations and convenience stores, as agency maids and security guards, as Uber drivers, and...in food service. Skeleton staffing levels mean bosses penalize anyone trying to call in sick; low wage levels make sick days an unaffordable "luxury"; without available child care, kids must go to school, sick or well. Every misplaced incentive forces this group to soldier on and to avoid doctors as much as possible. The story of Ozmel Martinez Azcue, who did the socially responsible thing and got himself to a hospital for testing only to be billed for $3,270 (of which his share is $1,400) when he tested negative for coronavirus, is a horror story deterrent. As Carl Gibson writes at the Guardian, "...when you combine a for-profit healthcare system - in which only those wealthy enough to get care actually receive it - with a global pandemic, the only outcome will be unmitigated disaster".

This is a country where 40% of the population can't come up with an emergency $400, for whom no vaccine or test is "affordable". CDC's sensible advice is out of reach for the nearly 10% of the population whose work requires their physical presence; a divide thoroughly exposed by 2012's Hurricane Sandy.

Sanity would dictate making testing, treatment, and vaccines completely free for the duration of the crisis in the interests of collective public health. But even that would require a profound shift in how Americans understand health care. It requires Americans to loosen their sense that health insurance is an individual merit badge and exercise a modest amount of trust in government - at a time when the man in charge is generally agreed to be entirely untrustworthy. As Laurie Garrett, the author of 1994's Pulitzer Prize-winning The Coming Plague, warned last month, two years ago Trump trashed the pandemic response teams Barack Obama put in place in 2014, after H1N1 and Ebola made the necessity for them clear.

If the US survives this intact, Trump will take the credit, but the reality will be that the country got lucky this time. Individuals won't, however; a pandemic in these conditions will soon be followed by a wave of bankruptcies, many directly or indirectly a consequence of medical bills - and a lot of them will have had health insurance. Plus, there will be the longer-term, hard-to-quantify damage of the spreading climate of fear, sowing distrust in a society that already has too much of it.

So back to cybersecurity and privacy. The same type of individualistic thinking underlies computer and networking designers who take the view that securing them is the individual problem of each entity that uses them. Individual companies have certainly improved on usability in some cases, but even the discovery of widespread disinformation campaigns has not really led to a public health-style collective response even though pervasive interconnection means the smallest user and device can be the vector for infecting a whole network. In security, as in health care, information asymmetry is such that the most "virtuous patient" struggles to make good choices. If a different country had dominated modern computing, would we, as Americans tend to think, have less, or no, innovation? Or would we have much more resilient systems?


Illustrations: The map of uninsured Americans in 2018, from the US Census Bureau.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 20, 2020

Obsession

In our universe everything is temporary except the rebellious nature of humans when you tell them something can't be done. For millennia, humans have sought to master the universe by controlling matter, creating synthetic life forms, conquering death, reading the future, and conjuring energy. As science and technology progressed, the methods changed from alchemy to chemistry, various fantastical ideas to bioengineering, astrology to astronomy, and learning to exploit more energy-dense fuels. "There's no such thing as a free lunch" applies to physical motion, perhaps more than to anything else in life.

Last week, a group of scientists, historians, and archivists convened at the Royal Institution, which organized the event jointly with the Leonardo da Vinci Society, to consider seriously the history of perpetual motion beginning with Leonardo da Vinci, as it's the quincentenary of his death. People tend to giggle when you say you're attending this sort of event. But "This is scientific!" protested one of the organizers.

It turns out perpetual motion provides enduring opportunities to drive you mad and injure your scientific respectability. In 1995, the paranormal debunker James Randi said (in An Encyclopedia of Claims, Frauds, and Hoaxes of the Occult and Supernatural) that perpetual motion "has probably cost more time, money, and mental effort for the crackpots than any other pursuit except for the philosopher's stone".

Last week, in Philip Steadman's gallop through historical devices such as thermoscopes and Cornelis Drebbel's variant, it was notable how often the same approaches reappeared. You can try them yourself.

Even building a fake requires meticulous engineering, Michael T. Wright explained. For inspiration and technical foundations, many would-be makers turned to clockworks. "And vice-versa." The enemy is friction: it slows your mechanism, creates the need for new energy inputs, and generally means your motion isn't perpetual. Clockmakers have options - oil, shrinking and polishing moving parts, aligning gears - but at some point, Wright said, "They leave the perpetual motion maker to be crazy on his own."

As engineering developed in the 19th century, Ben Marsden said, scientists like WJM Rankine, William Thomson (aka Lord Kelvin), and Henry Dircks fretted over experimental engines, asking of each new iteration: "Is this perpetual motion?" In 1861, Dircks reviewed many of these efforts in Perpetuum Mobile, commenting, "The history of the search for perpetual motion does not afford a single instance of ascertained success." Its introduction reads as a warning: here lies obsession and madness.

At the Science Museum, Sophie Waring has been investigating that madness by mining the archives of the Board of Longitude, best-known for its competition, launched in 1714, to calculate longitude out at sea. Following John Harrison's successful solution, the Board enlarged its remit. "It led to streams of proposals for perpetual motion" to which the Board was persistently unsympathetic. The archives contain abrupt dismissals, seemingly without an underlying evidence-based principle.

In part, as Rupert Cole suggested, this blanket disapproval reflects a scientific culture that only began loosening up in the 1970s. His worked example was Eric Laithwaite, who in 1974 scandalized our host, the Royal Institution, by agreeing to show his RI lectures on the BBC and suggesting that gyroscopes violated the laws of motion. They don't, but his showmanship inspired a generation of young inventors.

The history of failed ideas shows how hard it is to codify first principles. In Martin Kemp's guided tour through the 1510 Codex Leicester, we watched Leonardo da Vinci try to understand impetus: why does something keep moving after the thing pushing it is disconnected? Kemp characterized da Vinci's 70,000 crabbed, right-to-left words as working through "negative demonstrations". Much of this "heroic enterprise" was spent examining the movement of water. Maybe it's particulate?

We learn about inertia in grade school; it's so easy when you know. The laws of motion observed to that point followed a mathematical pattern proportionately relating force and distance. Throw a ball half as hard, and it travels only half as far. These observations don't help understand impetus mechanics. As JV Field (Birkbeck College) explained, it took nearly another two centuries of scientists building on each other's work - Nicolaus Copernicus, Johannes Kepler, Galileo Galilei, Rene Descartes - before Isaac Newton finally codified the laws of motion.

At that point, both astrology and the idea that a perpetual motion machine was possible really should have died. Unfortunately, humans don't work like that. In 1980, Robert Schadewald recounted a rebirth of interest, and in 1986 The Straight Dope's Cecil Adams roasted a patent application from Joseph Newman.

This sort of thing led New Scientist's "Daedalus", David Jones, to build fake perpetual motion machines. He sold several to museums on the understanding that he would fix them at his own expense if they stopped within five years and share the cost until ten years. He figured 15 years was "perpetual" enough.

"Perpetual" is a matter of perspective. Our lives are too short to perceive the universe slowing down. We can't even directly perceive Jones's admitted fake slowing down, although it is. When Martyn Poliakoff, who was given a coded version of the secret at Jones's death in 2017, agrees that Jones's papers are sealed at the Royal Society for 30 years, I quickly calculate: 2047. Yes, I might be alive to read the explanation. It's certainly worth staying alive for.


Illustrations: Pages from the Codex Leicester (via Wikimedia).

2020-02-23: Updated to make clear that the event was organized in collaboration with the Leonardo da Vinci Society.

February 14, 2020

Pushy algorithms

One consequence of the last three and a half years of British politics, which saw everything sucked into the Bermuda Triangle of Brexit debates, is that things that appeared to have fallen off the back of the government's agenda are beginning to reemerge like so many sacked government ministers hearing of an impending cabinet reshuffle and hoping for reinstatement.

One such is age verification, which was enshrined in the Digital Economy Act (2017) and last seen being dropped to wait for the online harms bill.

A Westminster Forum seminar on protecting children online, held shortly before the UK's December 2019 general election, reflected that uncertainty. "At one stage it looked as if we were going to lead the world," Paul Herbert lamented before predicting it would be back "sooner or later".

The expectation for this legislation was set last spring, when the government released the Online Harms white paper. The idea was that a duty of care should be imposed on online platforms, effectively defined as any business-owned website that hosts "user-generated content or user interactions, for example through comments, forums, or video sharing". Clearly they meant to target everyone's current scapegoat, the big social media platforms, but "comments" is broad enough to include any ecommerce site that accepts user reviews. A second difficulty is the variety of harms they're concerned about: radicalization, suicide, self-harm, bullying. They can't all have the same solution even if, like one bereaved father, you blame "pushy algorithms".

The consultation exercise closed in July, and this week the government released its response. The main points:

- There will be plentiful safeguards to protect freedom of expression, including distinguishing between illegal content and content that's legal but harmful; the new rules will also require platforms to publish and transparently enforce their own rules, with mechanisms for redress. Child abuse and exploitation and terrorist speech will have the highest priority for removal.

- The regulator of choice will be Ofcom, the agency that already oversees broadcasting and the telecommunications industry. (Previously, enforcing age verification was going to be pushed to the British Board of Film Classification.)

- The government is still considering what liability may be imposed on senior management of businesses that fall under the scope of the law, which it believes is less than 5% of British businesses.

- Companies are expected to use tools to prevent children from accessing age-inappropriate content "and protect them from other harms" - including "age assurance and age verification technologies". The response adds, "This would achieve our objective of protecting children from online pornography, and would also fulfill the aims of the Digital Economy Act."

There are some obvious problems. The privacy aspects of the mechanisms proposed for age verification remain disturbing. The government's 5% estimate of businesses that will be affected is almost certainly a wild underestimate. (Is a Patreon page with comments the responsibility of the person or business that owns it or Patreon itself?) At the Guardian, Alex Hern explains the impact on businesses. The nastiest tabloid journalism is not within scope.

On Twitter, technology lawyer Neil Brown identifies four fallacies in the white paper: the "Wild West web"; that privately operated computer systems are public spaces; that those operating public spaces owe their users a duty of care; and that the offline world is safe by default. The bigger issue, as a commenter points out, is that the privately operated computer systems the UK government seeks to regulate are foreign-owned. The paper suggests enforcement could include punishing company executives personally and ordering UK ISPs to block non-compliant sites.

More interesting and much less discussed is the push for "age-appropriate design" as a method of harm reduction. This approach was proposed by Lorna Woods and Will Perrin in January 2019. At the Westminster eForum, Woods explained, "It is looking at the design of the platforms and the services, not necessarily about ensuring you've got the latest generation of AI that can identify nasty comments and take it down."

It's impossible not to sympathize with her argument that the costs of move fast and break things are imposed on the rest of society. However, when she started talking about doing risk assessments for nascent products and services I could only think she's never been close to software developers, who've known for decades that from the instant software goes out into the hands of users they will use it in ways no one ever imagined. So it's hard to see how it will work, though last year the ICO proposed a code of practice.

The online harms bill also has to be seen in the context of all the rest of the monitoring that is being directed at children in the name of keeping them - and the rest of us - safe. DefendDigital.me has done extensive work to highlight the impact of such programs as Prevent, which requires schools and libraries to monitor children's use of the Internet to watch for signs of radicalization, and the more than 20 databases that collect details of every aspect of children's educational lives. Last month, one of these - the Learning Records Service - was caught granting betting companies access to personal data about 28 million children. DefendDigital.me has called for an Educational Rights Act. This idea could be usefully expanded to include children's online rights more broadly.


Illustrations: Time magazine's 1995 "Cyberporn" cover, which marked the first children-Internet panic.

February 6, 2020

Mission creep

"We can't find the needles unless we collect the whole haystack," a character explains in the new play The Haystack, written by Al Blyth and in production at the Hampstead Theatre through March 7. The character is Hannah (Sarah Woodward), and she is director of a surveillance effort being coded and built by Neil (Oliver Johnstone) and Zef (Enyi Ororonkwo), familiarly geeky types whose preferred day-off activities are the cinema and the pub, rather than catching up on sleep and showers, as Hannah pointedly suggests. Zef has a girlfriend (and a "spank bank" of downloaded images) and is excited to work in "counter-terrorism". Neil is less certain, less socially comfortable, and, we eventually learn, more technically brilliant; he must come to grips with all three characteristics in his quest to save Cora (Rona Morison). Cue Fleabag: "This is a love story."

The play is framed by an encrypted chat between Neil and Denise, Cora's editor at the Guardian (Lucy Black). We know immediately from the technological checklist they run down in making contact that there has been a catastrophe, which we soon realize surrounds Cora. Even though we're unsure what it is, it's clear Neil is carrying a load of guilt, which the play explains in flashbacks.

As the action begins, Neil and Zef are waiting to start work as a task force seconded to Hannah's department to identify the source of a series of Ministry of Defence leaks that have led to press stories. She is unimpressed with their youth, attire, and casual attitude - they type madly while she issues instructions they've already read - but changes abruptly when they find the primary leaker in seconds. Two stories remain; because both bear Cora's byline she becomes their new target. Both like the look of her, but Neil is particularly smitten, and when a crisis overtakes her, he breaks every rule in the agency's book by grabbing a train to London, where, calling himself "Tom Flowers", he befriends her in a bar.

Neil's surveillance-informed "god mode" choices of Cora's favorite music, drinks, and food when he meets her recall the movie Groundhog Day, in which Phil (Bill Murray) slowly builds up, day by day, the perfect approach to the women he hopes to seduce. In another cultural echo, the tense beginning is sufficiently reminiscent of the opening of Laura Poitras's film about Edward Snowden, CitizenFour, that I assumed Neil was calling from Moscow.

The requirement for the haystack, Hannah explains at the beginning of Act Two, is because the terrorist threat has changed from organized groups to home-grown "lone wolves", and threats can come from anywhere. Her department must know *everything* if it is to keep the nation safe. The lone-wolf theory is the one surveillance justification Blyth's characters don't chew over in the course of the play; for an evidence-based view, consult the VOX-Pol project. In a favorite moment, Neil and Hannah demonstrate the frustrating disconnect between technical reality and government targets. Neil correctly explains that terrorists are so rare that, given the UK's 66 million population, no matter how much you "improve" the system's detection rate it will still be swamped by false positives. Hannah, however, discovers he has nonetheless delivered. The false positive rate is 30% less! Her bosses are thrilled! Neil reacts like Alicia Florrick in The Good Wife after one of her morally uncomfortable wins.

Related: it is one of the great pleasures of The Haystack that its three female characters (out of a total of five) are smart, tough, self-reliant, ambitious, and good at their jobs.

The Haystack is impressively directed by Roxana Silbert. It isn't easy to make typing look interesting, but this play manages it, partly by the well-designed use of projections to show both the internal and external worlds they're seeing, and partly by carefully-staged quick cuts. In one section, cinema-style cross-cutting creates a montage that fast-forwards the action through six months of two key relationships.

Technically, The Haystack is impressive; Zef and Neil speak fluent Python, algorithms, and Bash scripts, and laugh realistically over a journalist's use of Hotmail and Word with no encryption ("I swear my dad has better infosec"), while the projections of their screens are plausible pieces of code, video games, media snippets, and maps. The production designers and Blyth, who has a degree in econometrics and a background as a research economist, have done well. There were just a few tiny nitpicks: Neil can't trace Cora's shut-down devices "without the passwords" (huh?); and although Neil and Zef also use Tor, at one point they use Firefox (maybe) and Google (doubtful). My companion leaned in: "They wouldn't use that." More startling, for me, the actors who play Neil and Zef pronounce "cache" as "cachet"; but this is the plaint of a sound-sensitive person. And that's it, for the play's 1:50 length (trust me; it flies by).

The result is an extraordinary mix of a well-plotted comic thriller that shows the personal and professional costs of both being watched and being the watcher. What's really remarkable is how many of the touchstone digital rights and policy issues Blyth manages to pack in. If you can, go see it, partly because it's a fine introduction to the debates around surveillance, but mostly because it's great entertainment.


Illustrations: Rona Morison, as Cora, in The Haystack.
