net.wars: December 2020 Archives


December 31, 2020

Build back

In my lifetime there has never been a New Year that has looked so bleak. At 11pm last night, Big Ben tolled the final severance of the UK's participation in the European Union. For the last few days, as details of the trade agreement agreed last night become known, Twitter has been filling up with graphics and text explaining the new bureaucracy that will directly or indirectly affect every UK resident and the life complications still facing the 3 million EU citizens resident in the UK and the UK expatriates in the EU. Those who have pushed for this outcome for many years will I'm sure rejoice, but for many of us it's a sad, sad moment and we fear the outcome.

The bright spot of the arriving vaccines is already being tarnished by what appears to be a panic response pushing to up-end the conditions under which they were granted an emergency license. Case numbers are rising out of control, and Twitter is filled with distress signals from exhausted, overwhelmed health care workers. With Brexit completed and Trump almost gone, 2021 will be a year of - we hope - renewed sanity and sober remediation, not just of the damage done this year in specific but of the accrued societal and infrastructural technical debt that made everything in 2020 so much worse. It is already clear that the cost of this pandemic will be greater than all the savings ever made by cuts to public health and social welfare systems.

Still, it *is* a new year (because of human-made calendars), and because we love round numbers - defining "round" as the number of digits our hands happen to have - there's a certain amount of "that was the decade" about it. There is oddly less chatter about the twenty years since the turn of the millennium, which surprises me a bit: we've completed two-fifths of the 21st century!

Even the pre-pandemic change was phenomenal. Ten years ago - 2010 - was when smartphones really took off, pouring accelerant on Facebook, Twitter, and other social media, which were over-credited for 2011's "Arab Spring" ("useful but not sufficient", the linked report concludes). At Gikii 2019, Andres Guadamuz described this moment as "peak cyber-utopia". In fact, it was probably the second peak, the first having been circa 1999, but who's counting? Both waves of cyber-utopianism seem quaint now, in the face of pandemic-fueled social and economic disruption. We may - we do - look to social media for information, but we've remembered we need governments for public health measures, economic support, and leadership. The deliberate thinning of the institutions we now need to save us in countries like the US and UK is one legacy of the last 30 years of technology-fueled neoliberalism. Ronald Reagan, US president from 1980 to 1988, liked to say that the most frightening words in the English language were "I'm from the government and I'm here to help". Far more frightening is the reality of a government that can't, won't, or chooses not to help.

Twenty years ago - 2000 - was the year of the dot-com peak, when AOL disastrously merged with Time-Warner. The crash was well underway when 9/11 happened and ushered in 20 years of increasing surveillance: first an explosion of CCTV cameras in the physical world and, on the Internet, data retention and interception, and finally, in the last year or so, the inescapability of automated facial recognition, rolled out without debate or permission.

Despite having argued against all these technologies as they've come along, I wish I could report that investing in surveillance instead of public health had paid dividends in the Year of Our Pandemic 2020. Contact tracing apps, which we heard so much about earlier in the year, have added plenty of surveillance capabilities and requirements to our phones and lives, but appear to have played little part in reducing infection rates. Meanwhile, the pandemic is fueling the push to adopt the sort of MAGIC flowthrough travel industry execs have imagined since 2013. Airports and our desire to travel will lead the way to normalizing pervasive facial recognition, fever-scanning cameras, and, soon, proof of vaccination.

This summer, many human rights activists noted the ethical issues surrounding immunity passports. Early in the year this was easy pickings because the implementations were in China. Now, however, anyone traveling from the UK to countries like Canada and the US must be able to show a negative covid test taken within 72 hours before traveling. Demand for vaccination certificates is inevitable. Privacy International has taken the view that "Until everyone has access to an effective vaccine, any system requiring a passport for entry or service will be unfair." Being careful about this is essential, because unfairness entrenched while we rebuild will be *very* hard to dislodge.

So, two big things to work towards in 2021. The first is to ensure that new forms of unfairness do not become the new normal. The second, which will take a lot of luck, even more diligence, and a massive scientific effort, is to ensure that one item on the Mindset list of 2040's 18-year-olds will be "There has never been a pandemic."

Happy new year.

Illustrations: New year's eve fireworks in London, 2014 (via Clarence Ji).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

December 25, 2020

Year out

Sometime five or 15 years from now, I imagine someone will look back and see that the seeds of some wonderful new technology were sown off-camera during this year and be surprised we never noticed. But the reality is that from March onwards the coronavirus swallowed up the news, challenged only - and only in the UK - by the awful crawl to Brexit.

Even the advance in AI - or what passes for it - represented by DeepMind's having solved protein folding only occupied the news for a day or so, then sank under the unrelenting sameness of watching the latest case numbers and getting by, a day at a time (and that was the *privileged* version of life in the pandemic). In retrospect, the overwhelming information technology trend was the culmination of years of rising awareness of the many adverse consequences of the things net.wars complains about: consolidation, centralization, and users' loss of privacy and autonomy.

The giant exception to both the general inattention and technological discontent was the collaborative scientific muscle on display in biotech, from the first rapid sequencing of the novel coronavirus's genome to the successful, cavalry-to-the-rescue arrival of the new mRNA vaccine platform that has been in the making for 20-odd years. In this case, the Internet delivered as promised, from enabling scientists to exchange preprint research and collaborate across the globe to giving individuals direct access to solid science, to providing a safe and necessary alternative to high-risk in-person action.

Three big technology stories did achieve traction:

- The new and aggressive push in the US to rein in the four biggest technology companies. Forty-six states, plus Guam and Washington, DC, and the Federal Trade Commission have filed antitrust suits against Facebook, which elsewhere is being described as a Doomsday Machine that may wipe out the planet. Ten states and the Department of Justice have filed suits against Google. Amazon, already subject to antitrust action in the EU, surely won't be far behind. Apple, the last of the four whom Congress summoned last summer, won't escape even if it's never sued directly, because the Google suit targets the $8 to $12 billion it pays Apple every year to make its search engine the default.

- The discovery that Russia has mounted a long and successful cyber attack on US federal agencies, with slowly-emerging ramifications for countries and companies all over the world.

- The speed with which both governments and industry jumped on surveillance technologies in response to the health crisis. Some of it is not bad. Wastewater epidemiology, a polite term for surveilling sewage for early warnings of virus outbreaks, isn't personal and is a longstanding public health technique, although one can conceive of unfair and intrusive implementations. Many other technologies - immunity passports, fever scanning, and contact tracing apps most obviously, but also automated facial recognition - have yet to fully take hold, but it seems likely that despite warnings about unfairness and intrusion they will be too tempting for governments to resist in the name of safety, particularly for travel. All of this will be hard to dislodge later. The UK in particular has ignored expert advice to take advantage of the person-centuries of contact tracing experience in local authorities, instead paying billions to cronies and companies like Serco. Palantir in particular appears to be embedding itself for the longer term.

Everything else is dithering.

Prominent among the dithering is Section 230 of the Communications Decency Act, which Jeff Kosseff, the law's biographer, has explained all year on Twitter. Every content moderation discontent is being blamed on this short law limiting intermediary liability. With the antitrust suits pending and so many other crises - and with repeal-happy Donald Trump's departure from power - it's hard to believe that this law will change in 2021.

In the UK, the last-second Brexit deal leaves data protection and the online harms legislation lurking in wait.

The big lessons of this tortured year:

- Basic research can pay off in unexpected ways. As Charles Arthur has noted, the speed of the novel coronavirus's genetic sequencing was a result of the Human Genome Project, whose value at the time was purely speculative. The carrot was personalized medicine, which, with a few exceptions, has yet to fulfill its imagined promise. DNA sequencing did, however, spawn an industry of genealogical sites and services promising to use DNA for everything from finding your soul mate to predicting your medical future; I'm not a fan of either, for both privacy and scientific validity reasons. But that blue-sky project is now saving both our individual lives and our civilization.

- It really is, as Bruce Schneier writes, long past time to stop imagining that "we" "good guys" deserve exceptional access to the rest of the world's computers. It. Does. Not. Work. As I keep writing, a hole is a hole. Neither the coronavirus nor the hole cares about race, wealth, class, or perceived virtue. This applies as much to the long-running battle over requiring backdoors in encryption as to a nation's broader cybersecurity. Politicians and PR people take the view that the best defense is a good offense; in this case, the best offense is a good defense.

Merry Christmas. Only one more week before 2021.
Illustrations: Katalin Karikó, the Hungarian biochemist behind the mRNA vaccines.


December 18, 2020

Ghost hackers

Years ago, a by-then-retired former teenaged hacker listened to my account of what mid-1990s hackers were saying, and sighed at how little things had changed since his 1980s heyday. "It's still that thing of doing it day after day," he said, or more or less, meaning tedious daily hours doggedly poking around sites, trying logins, keeping meticulous records, and matching a user name collected one year with a password spotted the next. Grueling, painstaking work for which you could get arrested. Which he eventually was, leading to said retirement.

Today's young hackers, brought up on video games, are used to such lengthy keyboard stints to grind out points. Does that make them better suited for the kind of work my former hacker, brought up on pinball machines, described? Not necessarily.

In a paper presented this week at the 2020 Workshop on the Economics of Information Security by Cambridge postdoc Ben Collier, he and co-authors Richard Clayton, Alice Hutchings, and Daniel R. Thomas lay out the lives of the vast majority of today's hackers. Attracted by the idea of being part of a "cool cybercrime", they find themselves doing low-level tech support, customer service, and 24/7 server maintenance for well-worn exploits, all while under the threat of disruption from intermediaries, law enforcement, and bugs left by incompetent software coders, while impatient, distrustful customers fume at them. Worse, this kind of work doesn't attract the admiration of other hackers, and these workers don't get to make creative leaps. It's just routine, boring office work, nothing like the hacker ethic they embraced or the hacker culture's self-image, which hasn't changed in any real sense since the 1990s, when it was described to me with evangelical fervor as thrilling.

The disappointment "fundamentally changes the experience of being in this world," Collier said. Isn't that always the way when your hobby becomes your day job?

These guys are little different from the "ghost workers" Mary L. Gray and Siddharth Suri profile in their 2019 book. However, this group doesn't expect these conditions, unlike the millions of invisible fixers and maintainers for companies like Uber, Amazon, and every other company that boasts of its special "AI" sauce. In the legitimate economy, these workers occupy the low-status bottom of the hierarchy and have little prospect of attaining the respect and perks of the engineers, research scientists, and top-level management who get all the visibility. The illegitimate economy is no different.

The authors got their idea from a leap of logic that seems obvious in retrospect: the gradual transition from the exploits of lone bedroom hackers to organized cybercrime-as-a-service. What was high-impact, low-volume crime is now high-volume crime, which requires a large, built infrastructure. "True scaling up needs lots of invisible supportive labor to enable true scale." Think the electrical or water grid in a large city.

Based on their forays onto cybercrime forums and numerous interviews, the authors find that neither the public at large nor the hackers themselves have adapted their mental models. "The heart of the subculture is still based on this idea of the mythic, lone, high-skilled hacker," Collier said. "It looks nothing like this invisible maintenance work." Or, of course, like this week's discovery that nation-state hackers have penetrated numerous US federal agencies.

In other words, the work these hackers are doing is exactly the same as life as a sysadmin for a legitimate business - with the same "deep, deep boredom" but with the added difficulty of how to spend their earnings. One of their many interviewees was able to monetize his efforts unusually well. "He ran out of stuff to buy himself and his friends, and finally quit because he was piling up Amazon gift cards in shoeboxes under his bed and it stressed him out." At one point, he even cut up thousands of dollars' worth of the cards "just for something to do". Closed to him: using the money to buy a house or education and improve his life.

WEIS began in 2002 as a unique effort to apply familiar concepts of economics - incentives, externalities, asymmetric information, and moral hazard - to information security, understanding that despite the growing threats no organization has infinite resources. Over the years, economists have increasingly taken an interest. The result is a cross-the-streams event where a study like this one may be followed by a math-heavy analysis of the relationship between pricing and security-related business strategies, each offering possibilities for new approaches.

Collier concluded that arresting, charging, and convicting these guys is counter-productive because, "It's important not to block their escape routes. They often get in because the main routes in society are blocked." He added, "The systems of value and capital and social status that exist in the world are not working for loads of people, or they don't have access so they make their own alternatives." Cracking down and conducting mass arrests also blocks those routes back into mainstream society.

Would today's teens choose the hacking life if they really understood what the job was going to be like? As someone commented, at the next big arrest perhaps the press release should stress the number of hours the miscreants worked, the sub-McDonalds hourly pay they eventually earned, and the permanent anomie induced by their disappointment, disillusionment, and alienation.
Illustrations: Ben Collier, presenting "Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies" at WEIS 2020.


December 11, 2020

Facebook in review

Led by New York attorney general Letitia James, this week 46 US states, plus Guam and Washington, DC, and, separately, the Federal Trade Commission filed suits against Facebook alleging that it has maintained an illegal monopoly while simultaneously reducing privacy protections and services to boost its bottom line. The four missing states: Alabama, Georgia, South Carolina, and South Dakota.

As they say, we've had this date from the beginning.

It's seemed likely for months that legal action against Facebook was on the way. There were the we-mean-business Congressional hearings and the subsequent committee report, followed by the suit against Google the Department of Justice filed in October.

Facebook seems peculiarly deserving. It began in 2004 as a Harvard-only network, using its snob appeal to expand to the other Ivy League schools, then thousands of universities and high schools, and finally the general public. Mass market adoption grew in tandem with the post-2009 explosion of smart phones. By then, Facebook had frequently tweaked its privacy settings and repeatedly annoyed users with new privacy-invasive features in the (sadly correct) and arrogant belief they'd never leave. By 2010, Zuckerberg was claiming that "privacy is no longer a social norm", adding that were he starting then he would make everything public by default, like Twitter.

It's hard to pick Facebook's creepiest moments out of so many, but here are a few: in 2011 it began auto-recognizing user photographs, in 2012 it dallied with in-network "democracy" - a forerunner of today's unsatisfactory oversight board, and in 2014 it tested emotionally manipulating its users.

In 2011, based on the rise and fall of earlier services like CompuServe, AOL, Geocities, LiveJournal, and MySpace - you can practically carbon-date people by their choice of social media - some of us wrongly surmised that perhaps Facebook had peaked. "The [online] party keeps moving" is certainly true; what was different was that Zuckerberg knew it and launched his program of aggressive and defensive acquisitions.

The 2012 $1 billion acquisition of Instagram and 2014 $19 billion purchase of WhatsApp are the heart of the suits. The lawsuits suggest that without Facebook's intervention we'd have social media successfully competing on privacy. In his summary, Matt Stoller credits this idea to Dina Srinivasan, who argued in 2019 that Facebook saw off then-dominant MySpace by presenting itself as "privacy-centered" at a time when the press was claiming that MySpace's openness made it unsafe for children. Once in pole position, Facebook began gradually pushing greater openness on its users - bait and switch, I called it in 2010.

I'm less convinced that MySpace's continued existence could have curbed Facebook's privacy invasion. In 2004, the year of Facebook's birth, Australian privacy activist Roger Clarke surveyed the earliest social networks - chiefly Plaxo - and predicted that all social networks would inevitably exploit their users. "The only logical business model is the value of consumers' data," he told me for the Independent (TXT). I think, therefore, that the privacy-destructive race to the bottom-of-the-business-model was inevitable given the US's regulatory desert. Google began heading that way soon after its 2004 IPO; by 2006 privacy advocates were already warning of its danger.

Srinivasan details Facebook's progressive privacy invasion: the cooption of millions of third parties via logins and the Like button to propagandize its service and to collect and leverage vast amounts of personal data, while it became a vector for the unscrupulous to hack elections. This is all without considering non-US issues such as Free Basics, which has made Facebook effectively the only Internet service in parts of the world. Facebook also had Silicon Valley's venture capital ethos at its back and Facebook's share structure, which awards Zuckerberg full and permanent control.

In a useful paper on nascent competitors, Tim Wu and C. Scott Hemphill discuss how to spot anticompetitive acquisitions. As I recall, though, many - notably the ever-prescient Jeff Chester - protested the WhatsApp and Instagram acquisitions at the time; the EU only agreed because Facebook promised not to merge the user databases, and issued a €110 million fine when it realized the company lied. Last year Facebook announced it would merge the databases, which critics saw as a preemptive move to block a potential breakup. Allowing the mergers to go ahead seems less dumb, however, if you remember that it took until 2017 and Lina Khan to realize that the era of two guys in a garage up-ending entrenched monopolists was over.

The suits ask the court to find Facebook guilty under Section 2 of the Sherman Act (which is a felony) and Section 7 of the Clayton Act, block it from making further acquisitions valued at $10 million or above, and require it to divest or restructure illegally acquired companies or current Facebook assets or business lines. Restoring some competition to the Internet ecosystem in general and social media in particular seems within reach of this action - though there are many other cases that also need attention. It won't be enough to fix the damage to democracy and privacy, but perhaps the change in attitude it represents will ensure the next Facebook doesn't become a monster.
Illustrations: Mark Zuckerberg's empty chair at last year's Grand Committee hearing.


December 4, 2020

Scraped

Somehow I had missed the hiQ Labs v. LinkedIn case until this week, when I struggled to explain on Twitter why condemning web scraping is a mistake. Over the years, many have made similar arguments to ban ordinary security tools and techniques because they may also be abused. The usual real world analogy is: we don't ban cars just because criminals can use them to escape.

The basics: hiQ, which styles itself as a "talent management company", used automated bots to scrape public LinkedIn profiles and analyzed them to build a service advising companies what training they should invest in or which employee might be on the verge of leaving. All together now: *so* creepy! LinkedIn objected that the practice violates its terms of service and harms its business. In return, hiQ accused LinkedIn of purely anti-competitive motives, and claimed it only objected now because it was planning its own version.

LinkedIn wanted the court to rule that hiQ's scraping its profiles constitutes felony hacking under the Computer Fraud and Abuse Act (1986). Meanwhile, hiQ argued that because the profiles it scraped are public, no "hacking" was involved. EFF, along with DuckDuckGo and the Internet Archive, which both use web scraping as a basic tool, filed an amicus brief arguing correctly that web scraping is a technique in widespread use to support research, journalism, and legitimate business activities. Sure, hiQ's version is automated, but that doesn't make it different in kind.

There are two separate issues here. The first is web scraping itself, which, as EFF says, has many valid uses that don't involve social media or personal data. The TrainTimes site, for example, is vastly more accessible than the National Rail site it scrapes and re-presents. Over the last two decades, the same author, Matthew Somerville, has built numerous other such sites that avoid the heavy graphics and scripts that make so many information sites painful to use. He has indeed gotten in trouble for it sometimes; in this example, the Odeon movie theaters objected to his making movie schedules more accessible. (Query: what is anyone going to do with the Odeon movie schedule beyond choosing which ticket to buy?)

As EFF writes in its summary of the case, web scraping has also been used by journalists to investigate racial discrimination on Airbnb and find discriminatory pricing on Amazon; in the early days of the web, civic-minded British geeks used web scraping to make information about Parliament and its debates more accessible. Web scraping should not be illegal!

However, that doesn't mean that all information that can be scraped should be scraped or that all information that can be scraped should be *legal* to scrape. Like so many other basic techniques, web scraping has both good and bad uses. This is where the tricky bit lies.

Intelligence agency personnel these days talk about OSINT - "open source intelligence". "Open source" in this context (not software!) means anything they can find and save, which includes anything posted publicly on social media. Journalists also tend to view anything posted publicly as fair game for quotation and reproduction - just look at the Guardian's live blog any day of the week. Academic ethics require greater care.

There is plenty of abuse-by-scraping. As Olivia Solon reported last year, IBM scraped Flickr users' innocently posted photographs and repurposed them into a database to train facial recognition algorithms, later used by Immigration and Customs Enforcement to identify people to deport. (In June, the protests after George Floyd's murder led IBM to pull back on selling facial recognition "for mass surveillance or racial profiling".) Clearview AI scraped billions of photographs off social media and collated them into a database service to sell to law enforcement. It's safe to say that no one posted their profile on LinkedIn with the intention of helping a third-party company get paid by their employer to spy on them.

Nonetheless, those abuse cases do not make web scraping "hacking" or a crime. They are difficult to rectify in the US because, as noted in last week's review of 30 years of data protection, the US lacks relevant privacy laws. Here in the UK, since the data Somerville was scraping was not personal, his complainants typically argued that he was violating their copyright. The hiQ case, if brought outside the US, would likely be based in data protection law.

In 2019, the Ninth Circuit ruled in favor of hiQ, saying it did not violate CFAA because LinkedIn's servers were publicly accessible. In March, LinkedIn asked the Supreme Court to review the case. SCOTUS could now decide whether scraping publicly accessible data is (or is not) a CFAA violation.

What's wrong in this picture is the complete disregard for the users in the case. As the National Review says, a ruling for hiQ could deprive users of all control over their publicly posted information. So, call a spade a spade: at its heart this case is about whether LinkedIn has an exclusive right to abuse its users' data or whether it has to share that right with any passing company with a scraping bot. The profile data hiQ scraped is public, to be sure, but to claim that opens it up for any and all uses is no more valid than claiming that because this piece is posted publicly it is not copyrighted.
Illustrations: I simply couldn't think of one.
