" /> net.wars: March 2020 Archives

« February 2020 | Main | April 2020 »

March 27, 2020

The to-do list

Thumbnail image for casablanca-dooley-wilson-as-time-goes-by.pngWith so much insecurity and mounting crisis, there's no time now to think about a lot of things that will matter later. But someday there will be. And at that time...

Remember that health workers - doctors, nurses, technicians, ambulance drivers - matter just as much every day as they do during a crisis. Six months after everyone starts feeling safe and starts to forget, remind them how much we owe health workers..

The same goes for other essential services workers, the ones who keep the food stores open, the garbage and recycling being picked up, who harvest the crops, catch the fish, and raise and slaughter the animals and birds, who drive the trucks and supply the stores, and deliver post, takeout, and packages from Amazon et. al, and keep the utilities running, and the people who cook the takeout food, and clean the hospitals and streets. Police. Fire. Pharmacists. Journalists. Doubtless scores of other people doing things I haven't thought of. In developed countries, we forget how our world runs until something breaks, evidenced by Steve Double (Con-St Austell and Newquay), the British MP who said on Monday, "One of the things that the current crisis is teaching us is that many people who we considered to be low-skilled are actually pretty crucial to the smooth running of our country - and are, in fact, recognised as key workers." (Actually, a lot of us knew this.)

Stop taking travel, particularly international travel, for granted. Even when bans and lockdowns are eventually fully lifted, it's likely that pre-boarding and immigration health checks will become as routine as security scanning and showing ID have since 2001. Even if governments don't mandate it the public will demand it: who will sit crammed next to a random stranger unless they can believe it's safe?

Demand better travel conditions. Airlines are likely to find the population is substantially less willing to be crammed in as tightly as we have been.

Along those lines, I'm going to bet that today's children and young people, separated from older relatives by travel bans and lockdowns in this crisis, will think very differently about moving across the country or across the world, where they might be cut off in a future health crisis. Families and friends have been separated before by storms, earthquakes, fires, and floods - but travel links have rarely been down this far for this long - and never so widely. The idea of travel as conditional has been growing through security and notification requirements (I'm thinking of the US's ESTA requirements), but health will bring a whole new version of requiring permission.

Think differently about politicians. For years now it's been fashionable for people to say it doesn't matter who gets in because "they're all the same". You have only to compare US governors' different reactions to this crisis to see how false that is. As someone said on Twitter the other day, when you elect a president you are choosing a crisis manager, not a friend or favorite entertainer.

Remember the importance of government and governance. The US's unfolding disaster owes much of its amplitude to the fact that the federal government has become, as Ed Yong, writing in The Atlantic, calls it, "a ghost town of scientific expertise".

Stop asking "How much 'excess' can we trim from this system?" to asking "What surge capacity do we need, and how can we best ensure it will be available?" This will apply not only to health systems, hospitals, and family practices but to supply chains. The just-in-time fad of the 1990s and the outsourcing habits of the 2000s have left systems predictably brittle and prone to failure. Much of the world - including the US - depends on China to supply protective masks rather than support local production. In this crisis, Chinese manufacturing shut down just before every country in the world began to realize it had a shortage. Our systems are designed for short, sharp local disasters, not expanding global catastrophes where everyone needs the same supplies.

Think collaboratively rather than competitively. In one of his daily briefings this week, New York State governor Andrew Cuomo said forthrightly that sending ventilators to New York now, as its crisis builds, did not mean those ventilators wouldn't be available for other places where the crisis hasn't begun yet. It means New York can send them on when the need begins to drop. More ventilators for New York now is more ventilators for everyone later.

Ensure that large companies whose policies placed their staff at risk during this time are brought to account.

Remember these words from Nancy Pelosi: "And for those who choose prayer over science, I say that science is the answer to our prayers."

Reschedule essential but timing-discretionary medical care you've had to forego during the emergency. Especially, get your kids vaccinated so no one has to fight a preventable illness and an unpreventable one at the same time.

The final job: remember this. Act to build systems so we are better prepared for the next one before you forget. It's only 20 years since Y2K, and what people now claim is that "nothing happened"; the months and person-millennia that went into remediating software to *make* "nothing" happen have faded from view. If we can remember old movies, we can remember this.

Illustrations: Dooley Wilson, singing "As Time Goes by", from Casablanca (1942).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 20, 2020

The beginning of the world as we don't know it

magnolia-1.jpgOddly, the most immediately frightening message of my week was the one from the World Future Society, subject line "URGENT MESSAGE - NOT A DRILL". The text began, "The World Future Society over its 60 years has been preparing for a moment of crisis like this..."

The message caused immediate flashbacks to every post-disaster TV show and movie, from The Leftovers (in which 2% of the world's population mysteriously vanishes) to The Last Man on Earth (in which everyone who isn't in the main cast has died of a virus). In my case, it also reminds unfortunately of the very detailed scenarios I saw posted in the late 1990s to the comp.software.year-2000 Usenet newsgroup, in which survivalists were certain that the Millennium Bug would cause the collapse of society. In one scenario I recall, that collapse was supposed to begin with the banks failing, pass through food riots and cities burning, and end with four-fifths of the world's population dead: the end of the world as we know it (TEOTWAWKI). So what I "heard" in the World Future Society's tone was that the "preppers", who built bunkers, stored sacks of beans, rice, dried meat, and guns, were finally right and this was their chance to prove it.

Naturally, they meant no such thing. What they *did* mean was that futurists have long thought about the impact of various types of existential risks, and that what they want is for as many people as possible to join their effort to 1) protect local government and health authorities, 2) "co-create back-up plans for advanced collaboration in case of societal collapse", and 3) collaborate on possible better futures post-pandemic. Number two still brings those flashbacks, but I like the first goal very much, and the third is on many people's minds. If you want to see more, it's here.

It was one of the notable aspects of the early Internet that everyone looked at what appeared to be a green field for development and sought to fashion it in their own desired image. Some people got what they wanted: China, for example, defying Western pundits who claimed it was impossible, successfully built a controlled national intranet. Facebook, while coming along much later, through zero rating deals with local telcos for its Free Basics, is basically all the Internet people know in countries like Ghana and the Philippines, a phenomenon Global Voices calls "digital colonialism". Something like that mine-to-shape thinking is visible here.

I don't think WFS meant to be scary; what they were saying is in fact what a lot of others are saying, which is that when we start to rebuild after the crisis we have a chance - and a need - to do things differently. At Wired, epidemiologist Larry Brilliant tells Steven Levy he hopes the crisis will "cause us to reexamine what has caused the fractional division we have in [the US]".

At Singularity University's virtual summit on COVID-19 this week, similar optimism was on display (some of it probably unrealistic, like James Ehrlich's land-intensive sustainable villages). More usefully, Jamie Metzl compared the present moment to 1941, when US president Franklin Delano Roosevelt began to imagine how the world might be reshaped after the war would end in the Atlantic charter. Today, Metzl said, "We are the beneficiaries of that process." Therefore, like FDR we should start now to think about how we want to shape our upcoming different geopolitical and technological future. Like net.wars last week and John Naughton at the Guardian, Metzl is worried that the emergency powers we grant today will be hard to dislodge later. Opportunism is open to all.

I would guess that the people who think it's better to bail out businesses than support struggling people also fear permanence will become true of the emergency support measures being passed in multiple countries. One of the most surreal aspects of a surreal time is that in the space of a few weeks actions that a month ago were considered too radical to live are suddenly happening: universal basic income, grounding something like 80% of aviation, even support for *some* limited free health care and paid sick leave in the US.

The crisis is also exposing a profound shift in national capabilities. China could build hospitals in ten days; the US, which used to be able to do that sort of thing, is instead the object of charity from Chinese billionaire Alibaba founder Jack Ma, who sent over half a million test kits and 1 million face masks.

Meanwhile, all of us, with a few billionaire exceptions are turning to the governments we held in so little regard a few months ago to lead, provide support, and solve problems. Libertarians who want to tear governments down and replace all their functions with free-market interests are exposed as a luxury none of us can afford. Not that we ever could; read Paulina Borsook's 1996 Mother Jones article Cyberselfish if you doubt this.

"It will change almost everything going forward," New York State governor Andrew Cuomo said of the current crisis yesterday. Cuomo, who is emerging as one of the best leaders the US has in an emergency, and his counterparts are undoubtedly too busy trying to manage the present to plan what that future might be like. That is up to us to think about while we're sequestered in our homes.


Illustrations:: A local magnolia tree, because it *is* spring.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 12, 2020

Privacy matters

china-alihealth.jpegSometime last week, Laurie Garrett, the Pulitzer Prize-winning author of The Coming Plague, proposed a thought experiment to her interviewer on MSNBC. She had been describing the lockdown procedures in place in China, and mulling how much more limited actions are available to the US to mitigate the spread. Imagine, she said (or more or less), the police out on the interstate pulling over a truck driver "with his gun rack" and demanding a swab, running a test, and then and there ordering the driver to abandon the truck and putting him in isolation.

Um...even without the gun rack detail...

The 1980s AIDS crisis may have been the first time my generation became aware of the tension between privacy and epidemiology. Understanding what was causing the then-unknown "gay cancer" involved tracing contacts, asking intimate questions, and, once it was better understood, telling patients to contact their former and current sexual partners. At a time when many gay men were still closeted, this often meant painful conversations with wives as well as ex-lovers. (Cue a well-known joke from 1983: "What's the hardest part of having AIDS? Trying to convince your wife you're Haitian.")

The descriptions emerging of how China is working to contain the virus indicate a level of surveillance that - for now - is still unthinkable in the West. In a Huangzhou project, for example, citizens are required to install the Alipay Health Code app on their phones that assigns them a traffic light code based on their recent contacts and movements - which in turn determines which public and private spaces they're allowed to enter. Paul Mozur, who co-wrote that piece for the New York Times with Raymond Zhong and Aaron Krolik, has posted on Twitter video clips of how this works on the ground, while Ryutaro Uchiyama marvels at Singapore's command and open publication of highly detailed data This is a level of control that severely frightened people, even in the West, might accept temporarily or in specific circumstances - we do, after all, accept being data-scanned and physically scanned as part of the price of flying. I have no difficulty imagining we might accept barriers and screening before entering nursing homes or hospital wards, but under what conditions would the citizens of democratic societies accept being stopped randomly on the street and our phones scanned for location and personal contact histories?

The Chinese system has automated just such a system. Quite reasonably, at the Guardian Lily Kuo wonders if the system will be made permanent, essentially hijacking this virus outbreak in order to implement a much deeper system of social control than existed before. Along with all the other risks of this outbreak - deaths, widespread illness, overwhelmed hospitals and medical staff, widespread economic damage, and the mental and emotional stress of isolation, loss, and lockdown - there is a genuine risk that "the new normal" that emerges post-crisis will have vastly more surveillance embedded in it.

Not everyone may think this is bad. On Twitter, Stewart Baker, whose long-held opposition to "warrant-proof" encryption we noted last week, suggested it was time for him to revive his "privacy kills" series. What set him off was a New York Times piece about a Washington-based lab that was not allowed to test swabs they'd collected from flu patients for coronavirus, on the basis that the patients would have to give consent for the change of use. Yes, the constraint sounds stupid and, given the situation, was clearly dangerous. But it would be more reasonable to say that either *this* interpretation or *this* set of rules needs to be changed than to conclude unliterally that "privacy is bad". Making an exemption for epidemics and public health emergencies is a pretty easy fix that doesn't require up-ending all patient confidentiality on a permanent basis. The populations of even the most democratic, individualistic countries are capable of understanding the temporary need for extreme measures in a crisis. Even the famously national ID-shy UK accepted identity papers during wartime (and then rejected them after the war ended (PDF)).

The irony is that lack of privacy kills, too. At The Atlantic, Zeynep Tufecki argues that extreme surveillance and suppression of freedom of expression paradoxically results in what she calls "authoritarian blindness": a system designed to suppress information can't find out what's really going on. At The Bulwark, Robert Tracinski applies Tufecki's analysis to Donald Trump's habit of labeling anything he doesn't like "fake news" and blaming any events he doesn't like on the "deep state" and concludes that this, too, engenders widespread and dangerous distrust. It's just as hard for a government to know what's really happening when the leader doesn't want to know as when the leader doesn't want anyone *else* to know.

At this point in most countries it's early stages, and as both the virus and fear of it spread, people will be willing to consent to any measure that they believe will keep them and their loved ones safe. But, as Access Now agrees, there will come a day when this is past and we begin again to think about other issues. When that day comes, it will be important to remember that privacy is one of the tools needed to protect public health.


Illustrations: Alipay Health Code in action (press photo).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 6, 2020

Transitive rage

cropped-Spies_and_secrets_banner_GCHQ_Bude_dishes.jpgSomething has changed," a privacy campaigner friend commented last fall, observing that it had become noticeably harder to get politicians to understand and accept the reasons why strong encryption is a necessary technology to protect privacy, security, and, more generally, freedom. This particular fight had been going on since the 1990s, but some political balance had shifted. Mathematical reality of course remains the same. Except in Australia.

At the end of January, Bloomberg published a leaked draft of the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT), backed by US Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT). In its analysis the Center for Democracy and Technology find the bill authorizes a new government commission, led by the US attorney general, to regulate online speech and, potentially, ban end-to-end encryption. At Lawfare, Stewart Baker, a veteran opponent of strong cryptography, dissents, seeing the bill as combating child exploitation by weakening the legal liability protection afforded by Section 230. Could the attorney general mandate that encryption never qualifies as "best practice"? Yes, even Baker admits, but he still thinks the concerns voiced by CDT and EFF are overblown.

In our real present, our actual attorney general, William Barr believes "warrant-proof encryption" is dangerous. His office is actively campaigning in favor of exactly the outcome CDT and EFF fear.

Last fall, my friend connected the "change" to recent press coverage of the online spread of child abuse imagery. Several - such as Michael H. Keller and Gabriel J.X. Dance's November story - specifically connected encryption to child exploitation, complaining that Internet companies fail to use existing tools, and that Facebook's plans to encrypt Messenger, "the main source of the imagery", will "vastly limit detection".

What has definitely changed is *how* encryption will be weakened. The 1990s idea was key escrow, a scheme under which individuals using encryption software would deposit copies of their private keys with a trusted third party. After years of opposition, the rise of ecommerce and its concomitant need to secure in-transit financial details eventually led the UK government to drop key escrow before the passage of the Regulation of Investigatory Powers Act (2000), which closed that chapter of the crypto debates. RIPA and its current successor, the Investigatory Powers Act (2016), requires individuals to descrypt information or disclose keys to government representatives. There have have been three prosecutions.

In 2013, we learned from Edward Snowden's revelations that the security services had not accepted defeat but had gone dark, deliberately weakening standards. The result: the Internet engineering community began the work of hardening the Internet as much as they could.

In those intervening years, though, outside of a few very limited cases - SSL, used to secure web transactions - very few individuals actually used encryption. Email and messaging remained largely open. The hardening exercise Snowden set off eventually included companies like Facebook, which turned on end-to-end encryption for all of WhatsApp in 2016, overnight turning 1 billion people into crypto users and making real the long-ago dream of the crypto nerds of being lost in the noise. If 1 billion people use messaging and only a few hundred use encryption, the encryption itself is a flag that draws attention. If 1 billion people use encrypted messaging, those few hundred are indistinguishable.

In June 2018, at the 20th birthday of the Foundation for Information Policy Research, Ross Anderson predicted that the battle over encryption would move to device hacking. The reasoning is simple: if they can't read the data in transit because of end-to-end encryption, they will work to access it at the point of consumption, since it will be cleartext at that point. Anderson is likely still to be right - the IPA includes provisions allowing the security services to engage in "bulk equipment interference", which means, less politely, "hacking".

At the same time, however, it seems clear that those governments that are in a position to push back at the technology companies now figure that a backdoor in the few giant services almost everyone uses brings back the good old days when GCHQ could just put in a call to BT. Game the big services, and the weirdos who use Signal and other non-mainstream services will stick out again.

At Stanford's Center for Internet and Society, Riana Pfefferkorn believes the DoJ is opportunistically exploiting the techlash much the way the security services rushed through historically and politically unacceptable surveillance provisions in the first few shocked months after the 9/11 attacks. Pfefferkorn calls it "transitive rage": Congresspeople are already mad at the technology companies for spreading false news, exploiting personal data, and not paying taxes, so encryption is another thing to be mad about - and pass legislation to prevent. The IPA and Australia's Assistance and Access Act are suddenly models. Plus, as UN Special Rapporteur David Keye writes in his book Speech Police: The Global Struggle to Govern the Internet, "Governments see that company power and are jealous of it, as they should be."

Pfefferkorn goes on to point out the inconsistency of allowing transitive rage to dictate banning secure encryption. It protects user privacy, sometimes against the same companies they're mad at. We'll let Alec Muffett have the last word, reminding that tomorrow's children's freedom is also worth protecting.


Illustrations: GCHQ's Bude listening post, at dawn (by wizzlewick at Wikimedia, CC3.0).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

cropped-Spies_and_secrets_banner_GCHQ_Bude_dishes.jpg