net.wars: November 2020 Archives


November 27, 2020

Data protection in review

"A tax on small businesses," a disgusted techie called data protection, circa 1993. The Data Protection Directive became EU law in 1995, and came into force in the UK in 1998.

The narrow data protection story of the last 25 years, like that of copyright, falls into three parts: legislation, government bypasses to facilitate trade, and enforcement. The broader story, however, includes a power struggle between citizens and both public and private sector organizations; a brewing trade war; and the difficulty of balancing conflicting human rights.

Like free software licenses, data protection laws seed themselves across the world by requiring forward compliance. Adopting this approach therefore set the EU on a collision course with the US, where the data-driven economy was already taking shape.

Ironically, privacy law began in the US, with the Fair Credit Reporting Act (1970), which gives Americans the right to view and correct the credit files that determine their life prospects. It was joined by the Privacy Act (1974), which covers personally identifiable information held by federal agencies, and the Electronic Communications Privacy Act (1986), which restricts government wiretaps on transmitted and stored electronic data. Finally, the 1996 Health Insurance Portability and Accountability Act protects health data (with now-exploding exceptions). In other words, the US's consumer protection-based approach leaves huge unregulated swaths of the economy. The EU's approach, by contrast, grew out of the clear historical harms of the Nazis' use of IBM's tabulation software and the Stasi's endemic spying on the population, and regulates data use regardless of sector or actor, minus a few exceptions for member state national security and airline passenger data. Little surprise that the results are not compatible.

In 1999, Simon Davies saw this as impossible to solve for Scientific American (TXT): "They still think that because they're American they can cut a deal, even though they've been told by every privacy commissioner in Europe that Safe Harbor is inadequate... They fail to understand that what has happened in Europe is a legal, constitutional thing, and they can no more cut a deal with the Europeans than the Europeans can cut a deal with your First Amendment." In 2000, he looked wrong: the compromise Safe Harbor agreement enabled EU-US data flows.

In 2008, the EU began discussing an update to encompass the vastly changed data ecosystem brought by Facebook, YouTube, and Twitter, the smartphone explosion, new types of personally identifiable information, and the rise and fall of what Andres Guadamuz last year called "peak cyber-utopianism". By early 2013, it appeared that reforms might weaken the law, not strengthen it. Then came Snowden, whose revelations reanimated privacy protection. In 2016, the upgraded General Data Protection Regulation was passed despite a massive opposing lobbying operation. It came into force in 2018, but even now many US sites still block European visitors rather than adapt because "you are very important to us".

Everyone might have been able to go on pretending the fundamental incompatibility didn't exist but for two things. The first is the 2014 European Court of Justice decision requiring Google to honor "right to be forgotten" requests (aka Costeja). Americans still see Costeja as a terrible abrogation of free speech; Europeans more often see it as a balance between conflicting rights and a curb on the power of large multinational companies to determine your life.

The second is Austrian lawyer Max Schrems. While still a student, Schrems saw that Snowden's revelations utterly up-ended the Safe Harbor agreement. He filed a legal case - and won it, in 2016, just as GDPR was being passed. The EU and US promptly negotiated a replacement, Privacy Shield. Schrems challenged again. And won again, this year. "There must be no Schrems III!", EU politicians said in September. In other words: some framework must be found to facilitate transfers that passes muster within the law. The US's approach appears to be trying to get data protection and localization laws barred via trade agreements despite domestic opposition. One of the Trump administration's first acts was to require federal agencies to exempt foreigners from Privacy Act protections.

No country is more affected by this than the UK, which as a new non-member can't trade without an adequacy decision and no longer gets the member-state exception for its surveillance regime. This dangerous high-wire moment for the UK traps it in that EU-US gap.

Last year, I started hearing complaints that "GDPR has failed". The problem, in fact, is enforcement. Schrems took action because the Irish Data Protection Regulator, in pole position because companies like Facebook have sited their European headquarters there, was failing to act. The UK's Information Commissioner's Office was under-resourced from the beginning. This month, the Open Rights Group sued the ICO to force it to act on the systemic breaches of the GDPR it acknowledged in a June 2019 report (PDF) on adtech.

Equally a problem are the emerging limitations of GDPR and consent, which are entirely unsuited for protecting privacy in the onrushing "smart" world in which you are at the mercy of others' Internet of Things. The new masses of data that our cities and infrastructure will generate will need a new approach.

Illustrations: Max Schrems in 2015.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 20, 2020

Open access in review

Last week's review of 30 years of writing about the Internet and copyright focused on rightsholders' efforts to protect a business model developed for physical media and geographical restrictions in the face of new, global, digital media. Of the counter-efforts, mainstream attention has focused on the illegal ones; I squeezed in links to most of my past writing on "pirate" sites, although I missed pieces on The Pirate Bay, BitTorrent, and new business models. I also missed out on discussing large-scale appropriation by companies that are apparently too big to sue, such as Google Books and the more recent fuss over the Internet Archive's Controlled Digital Lending and National Emergency Library.

More interesting, however, are the new modes of access the Internet clearly could open up to niche material and frustrated artists, creators, and collaborators. At the MIT Media Lab's 1994 open day (TXT), a remarkable collection of Hollywood producers and creative artists predicted that the Internet would unlock a flood of (American) creativity that previously had no outlet (although Penn Jillette doubted the appeal of interactive storytelling).

Lots of this has actually happened. Writers have developed mainstream audiences through self-publishing; web-based publishing enabled generations of cartoonists; and YouTube and TikTok offer options that would never fit into a TV schedule. Mass collaboration has also flourished: Wikipedia, much despised in some quarters 15 years ago, has ripened into an invaluable resource (despite its flaws that need fixing), as has OpenStreetMap, which was outed this week as a crucial piece of infrastructure for Facebook, Apple, Amazon, and Microsoft.

Developing new forms of copyright law has been a critical element in all this, beginning with the idea of copyleft, first used in 1976 and fleshed out in more detail by Richard Stallman in 1985. Traditionally, either you copyrighted the work and claimed all rights or you put the work into the public domain for everyone to use for free, as the satirist Tom Lehrer has recently done.

Stallman, however, wanted to ensure that corporate interests couldn't appropriate the work of volunteers, and realized that he could write a copyright license that dictates those terms, paving the way for today's open source community. In 2001, Lawrence Lessig, Hal Abelson, and Eric Eldred founded Creative Commons to make it easy for people posting new material to the web to specify whether and how others can use it. It's easy to forget now how big an undertaking it was to create licenses that comply with so many legal systems. I would argue that it's this, rather than digital rights management, that has enabled widespread Internet creative publishing.

The third piece of this story has played a crucial role in this pandemic year of A.D. 2020. In the halls of a mid-1990s Amsterdam conference on copyright, a guy named Christopher Zielinski made this pitch: a serious problem was brewing around early paywall experiments. How were people in poorer countries going to gain access to essential scientific and medical information? He had worked for the WHO, I think; in a later email I remember a phrase about information moving through disadvantaged countries in "armored trucks".

Zielinski was prescient. In 2015, the Ebola virus killed 10,000 people in Liberia, Sierra Leone, and Guinea, in part because received wisdom held that Ebola was not present in West Africa, slowing the initial response. It was only later that three members of a team drafting Liberia's Ebola recovery plan discovered that scientific researchers had written articles establishing its presence as long ago as 1982. None of the papers were co-written with Liberian scientists, and they were published in European journals, which African researchers cannot afford. In this case, as writers Bernice Dahn, Vera Mussah, and Cameron Nutt laid out, closed access cost lives: "Equity must be an indispensable goal in protecting from threats like Ebola, and in the quality of care delivered when prevention fails."

Meanwhile, in another part of the forest... as early as 1991 others saw the potential of using the Internet to speed up scientific publishing and peer review, leading Paul Ginsparg to create the arXiv repository to share preprints of physics journal articles. Numerous counterparts for other fields followed. In 2003, leading research, scientific, and cultural institutions created and signed the Berlin Declaration on Open Access to Knowledge in the Sciences and Humanities, laying out steps to promote the Internet as a medium for disseminating global knowledge. By 2006, the six-year-old Public Library of Science had set up PLOS ONE, the first peer-reviewed open access scientific journal for primary research in science and medicine.

While there are certainly issues to be solved, such as the proliferation of fake journals, improving peer review, and countering enduring prejudice that ties promotions and prestige to traditional proprietary journals, open access continues to grow. Those who believe that the Internet is going to destroy science are likely to be wrong, and publishers who don't plan for this future are likely to crater.

The global distribution accessible to artists and creators is valuable, but openness is critical to the scientific method of building knowledge. The open approach has been critical during the pandemic. As vaccine candidates prepare for takeoff, we can thank the Internet and the open access movement that it's taken a year, not decades.

Illustrations: Edward Jenner, who created the first vaccine, for smallpox (from the Wellcome images collection, via Wikimedia).


November 13, 2020

Copyright in review

As if on cue, after last week's conclusion that the battle over crypto will never reach a settlement, the Irish Times reports that the EU Council of Ministers has a draft council resolution demanding "lawful and targeted" access to encrypted communications. Has no one learned anything in the last four years?

Crypto was the first in a series of reviews, as the 1,000th column approaches, of the most durable, intractable disputes of the last 20 years, told through how net.wars wrote about them at the time. The second is copyright, which has been irredeemably altered by the arrival of digital technologies.

Where crypto is the same story endlessly repeated, copyright is a collection of interlinked conflicts that comprise a struggle by rightsholder industries (entertainment, music, publishing, news, software) to continue business as usual while the world changed. Loosely, these conflicts fall into three clusters: legislation, enforcement, and expansion.

New legislation beginning in the 1990s essentially sought to limit what many would see as the normal functioning of computer networks. The Digital Millennium Copyright Act (1998) in the US and the EU Copyright Directive (1996), modified in 2001 and 2019, both include bans on technology that can be used to bypass copy protection. Contemporary critics pointed out that this could as easily be scissors and Liquid Paper, but the intended target was software to break digital rights management and copy protection. Today, DRM is built into ebooks and Blu-Ray discs - but also HDMI TV cables, third-party ink cartridges and even remote garage door openers.

These anti-circumvention provisions, however, have been abused to block security researchers from publishing unwanted findings, by John Deere to stop farmers from repairing their tractors, and by Apple to oppose modifying iPhones. It's also been used more creatively.

The DMCA and the EUCD are also vectors for censorship when rightsholders overreach in demanding the removal of copyrighted material or automated takedown systems make mistakes. The 2019 revision of the EUCD expects sites to pay for even small news snippets accompanying links (an old EU obsession) and filter copyrighted content at time of upload, requirements Poland has challenged in court.

Conflicts around enforcement have pursued each new method of sharing material in turn, beginning with bulletin boards and floppy disks and seguing through Usenet, Napster (2000), file-sharing, and torrents in the mid-2000s. The oft-forgotten case that originally created today's notice and takedown rules was the 1994-1995 fight between the Church of Scientology and Usenet critics that saw Scientology's secrets sprayed across the Internet. That case also heralded a period when rightsholders were decidedly hostile. The two biggest photo agencies pursued small businesses with licensing fee demands; recording companies and movie studios took downloaders to court; some rightsholders issued takedown notices against fan fiction and even knitting patterns based on Dr Who. Many of us said from the beginning that the best answer to pirate sites was building legal sites; by the 2010s this was proving correct.

The stage has shifted for both legislation and enforcement, as the US government in particular (but not solely) seeks to embed expansion of IP laws and anti-piracy enforcement in free trade agreements. In 2014, copyright was taken out of the Transatlantic Trade Investment Partnership agreement, but digital rights NGOs know they have to keep watching carefully - when they can get a look at the text.

Expansion has two forms: length and scope. Term extension means that a song written in 1969 would originally have seen its copyright expire in 1997, renewable until 2025; now it lasts for the author's life plus 70 years (2088, for the song I have in mind). Scope has expanded inevitably as copyrightable software becomes embedded in every physical device.

The fundamental conflict was predicted in 1996, when Pamela Samuelson published The Copyright Grab in Wired. Under "copyright maximalism", she warned, every piece of copyrighted work, no matter how small, would be chargeable, as suggested by Mark Stefik's Letting Loose the Light essay.

As Samuelson and others pointed out, until the Internet IP law only mattered to a few specialists. By opening universal distribution, the Internet turned the laws appropriate for geographically-delineated commercial publishers into laws that make no sense to consumers, as universities were the first to find out. These mismatches have persisted; many copyright revisions of the 1990s and 2000s sought "harmonization", always in the most restrictive direction. The Canadian legal scholar Michael Geist established that these apparently distinct national initiatives had a common source.

There have been some exceptions, such as legal reviews and work to open orphan works and parody. Challenges such as 3D printing still await.

The real story, though, is the very difficult landscape for artists and creators, who lost much control over their work because of media consolidation in the 1980s and 1990s, the economic shocks of 9/11 and the 2008 financial crash, and advertising's online shift. Creators seeking income are also facing floods of free blog postings, videos, music, and, especially, images. No amount of copyright shenanigans is solving the fundamental problem: how to help artists and creators make a living from their work. That is what copyright law was created to enable. Never forget that.

Illustrations: A still from Sita Sings the Blues, written and directed by Nina Paley, who believes copyright should be abolished.


November 6, 2020

Crypto in review

By my count, this is net.wars number 990; the first one appeared on November 2, 2001. If you added in its predecessors - net.wars-the-book and its sequel From Anarchy to Power, as well as the more direct precursors, the news analysis pieces I wrote for the Daily Telegraph between 1997 and early 2001 - you'd get a different number I don't know how to calculate. Therefore: this is net.wars #990, and the run-up to 1,000 seems a good moment to review some durable themes of the last 20 years via what we wrote at the time.

net.wars #1 has, sadly, barely aged; it could almost be published today unchanged. It was a ticked-off response to former Home Secretary Jack Straw, who weeks after the 9/11 attacks told Britain's radio audience that the people who had opposed key escrow were now realizing they'd been naive. We were not! The issue Straw was talking about was the use of strong cryptography, and "key escrow" was the rejected plan to require each individual to deposit a copy of their cryptographic key with a trusted third party. "Trusted", on its surface meant someone *we* trusted to guard our privacy; in subtext it meant someone the government trusted to disclose the key when ordered to do so - the digital equivalent of being required to leave a copy of the key to your house with the local police in case they wanted to investigate you. The last half of the 1990s saw an extended public debate that concluded with key escrow being dropped for the final version of the Regulation of Investigatory Powers Act (2000) in favor of requiring individuals to produce cleartext when law enforcement require it. A 2014 piece for IEEE Security & Privacy explains RIPA and its successors and the communications surveillance framework they've created.

With RIPA's passage, a lot of us thought the matter was settled. We were so, so wrong. It did go quiet for a decade. Surveillance-related public controversy appeared to shift, first to data retention and then to ID cards, which were proposed soon after the 2005 attacks on London's tube and finally canned in 2010 when the incoming coalition government found a note from the previous chancellor, "There's no money".

As the world discovered in 2013, when Edward Snowden dropped his revelations of government spying, the security services had taken the crypto debate into their own hands, undermining standards and making backroom access deals. The Internet community reacted quickly with first advice and then with technical remediation.

In a sense, though, the joke was on us. For many netheads, crypto was a cause in the 1990s; the standard advice was that we should all encrypt all our email so the important stuff wouldn't stand out. To make that a reality, however, crypto software had to be frictionless to use - and the developers of the day were never interested enough in usability to make it so. In 2011, after I was asked to write an instruction manual for installing PGP (or GPG), the lack of usability was maddening enough for me to write: "There are so many details you can get wrong to mess the whole thing up that if this stuff were a form of contraception desperate parents would be giving babies away on street corners."

The only really successful crypto at that point were backend protocols like SSL (used to secure ecommerce transactions over the web), TLS (secures communications), and HTTPS (secures web connections) and the encryption built into mobile phone standards. Much has changed since, most notably Facebook's and Apple's decision to protect user messages and data, at a stroke turning crypto on for billions of users. The result, as Ross Anderson predicted in 2018, was to shift governments' demands for access toward hacking devices rather than cracking individual messages.

The arguments have not changed in all those years; they were helpfully collated by a group of senior security experts in 2015 in the report Keys Under Doormats (PDF). Encryption is mathematics; you cannot create a hole that only "good guys" can use. Everyone wants uncrackable encryption for themselves - but to be able to penetrate everyone else's. That scenario is no more possible than the suggestion some of Donald Trump's team are making that the same votes that are electing Republican senators and Congresspeople are not legally valid when applied to the presidency.

Nonetheless, we've heard repeated calls from law enforcement for breakable encryption: in 2015, 2017, and, most recently, six weeks ago. In between, while complaining that communications were going dark, in 2016 the FBI tried to force Apple to crack its own phones to enable an investigation. When the FBI found someone to crack it to order, Apple turned on end-to-end encryption.

I no longer believe that this dispute can be settled. Because it is built on logic proofs, mathematics will always be hard, non-negotiable, and unyielding, and because of their culture and responsibilities security services and law enforcement will always want more access. For individuals, before you adopt security precautions, think through your threat model and remember that most attacks will target the endpoints, where cleartext is inevitable. For nations, remember whatever holes you poke in others' security will be driven through in your own.

Illustrations: The late Caspar Bowden (1961-2015), who did so much to improve and explain surveillance policy in general and crypto policy in particular (via rama at Wikimedia).
