" /> net.wars: April 2021 Archives

« March 2021 | Main | May 2021 »

April 30, 2021

The tonsils of the Internet

Screenshot from 2021-04-30 13-02-46.pngLast week the US Supreme Court decided the ten-year-old Google v. Oracle copyright case. Unlike anyone in Jarndyce v. Jarndyce, which bankrupted all concerned, Google will benefit financially, and in other ways so will the rest of us.

Essentially, the case revolved around whether Google violated Oracle's copyright by copying about 11,500 lines of the software code (out of millions) that makes up the Java platform, part of the application programming interface. Google claimed fair use. Oracle disagreed.

Tangentially: Oracle owns Java because in 2010 it bought its developer, Sun Microsystems, which open-sourced the software in 2006. Google bought Android in 2005; it, too, is open source. If the antitrust authorities had blocked the Oracle acquisition, which they did consider, there would have been no case.

The history of disputes over copying and interoperability case goes back to the 1996 case Lotus v. Borland, in which Borland successfully argued that copying the way Lotus organized its menus was copying function, not expression. By opening the way for software programs to copy functional elements (like menus and shortcut keys), the Borland case was hugely important. It paved the way for industry-wide interface standards and thereby improved overall usability and made it easier for users to switch from one program to another if they wanted to. This decision, similarly, should enable innovation in the wider market for apps and services.

Also last week, the US Congress conducted both the latest in the series of antitrust hearings and interrogated Lina Khan, who has been nominated for a position at the Federal Trade Commission. Biden's decision to appoint her, as well as Tim Wu to the National Economic Council, has been taken as a sign of increasing seriousness about reining in Big Tech.

The antitrust hearing focused on the tollbooths known as app stores; in his opening testimony, Mark Cooper, director of research at the Consumer Federations of America, noted that the practices described by the chair, Senator Amy Klobuchar (D-MN) were all illegal in the Microsoft case, which was decided in 1998. A few minutes later, Horacio Gutierrez, Spotify's head of global affairs and chief legal officer, noted that "even" Microsoft never demanded a 30% commission from software developers to run on its platform".

Watching this brought home the extent to which the mobile web, with its culture of walled gardens and network operator control, has overwhelmed the open web we Old Net Curmudgeons are so nostalgic about. "They have taken the Internet and moved it into the app stores", Jared Sine told the committee, and that's exactly right. Opening the Internet back up requires opening up the app stores. Otherwise, the mobile web will be little different than CompuServe, circa 1991.

BuzzFeed technology reporter Ryan Mac posted on Twitter the anonymous account of a just-quit Accenture employee's account of their two and a half years as a content analyst for Facebook. The main points: the work is a constant stream of trauma; there are insufficient breaks and mental health support; the NDAs they are forced to sign block them from turning to family and friends for help; and they need the chance to move around to other jobs for longer periods of respite. "We are the tonsils of the Internet," they wrote. Medically, we now know that the tonsils that doctors used to cheerfully remove play an important role in immune system response. Human moderation is essential if you want online spaces to be tolerably civil; machines simply aren't good enough, and likely never will be, and abuse appears to be endemic in online spaces above a certain size. But just as the exhausted health workers who have helped so many people survive this pandemic should be viewed as a rare and precious resource instead of interchangeable parts whose distress the anti-lockdown, no-mask crowd are willing to overlook, the janitors of the worst and most unpleasant parts of the Internet need to be treated with appropriate care.

The power differential, the geographic spread, their arms-length subcontractor status, and the technology companies' apparent lack of interest combine to make that difficult. Exhibit B: Protocol reports that contract workers in Google's data centers are required to leave the company for six months every two years and reapply for their jobs, apparently just so they won't gain the rights of permanent employees.

In hopes of change, many were watching the Bessemer, Alabama Amazon warehouse workers' vote on unionizing. Now, the results are in: 1,798 to 738 against. You would think that one thing that could potentially help these underpaid, traumatized content moderators - as well as the drivers, warehouse workers, and others who are kept at second-class arm's length from the technology companies who so diligently ensure they don't become full employees - is a union. Because of the potential impact on the industry at large, many were watching closely, both the organizating efforts and Amazon's drive to oppose them.

Nonetheless, this isn't over. Moves toward unionizing have been growing for years in pockets all over the technology industry, and eventually it will be inescapable. We're used to thinking about technology companies' power in terms of industry consolidating and software licensing; workers are the ones who most directly feel the effects.

Illustrations: The chancellor (Ian Richardson), announcing the end of Jarndyce and Jarndyce in the BBC's 2005 adaptation of Bleak House.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

April 23, 2021

Fast, free, and frictionless

Sinan-Aral-20210422_224835.jpg"I want solutions," Sinan Aral challenged at yesterday's Social Media Summit, "not a restatement of the problems". Don't we all? How many person-millennia have we spent laying out the issues of misinformation, disinformation, harassment, polarization, platform power, monopoly, algorithms, accountability, and transparency? Most of these have been debated for decades. The big additions of the last decade are the privatization of public speech via monopolistic social media platforms, the vastly increased scale, and the transmigration from purely virtual into physical-world crises like the January 6 Capitol Hill invasion and people refusing vaccinations in the middle of a pandemic.

Aral, who leads the MIT Initiative on the Digital Economy and is author of the new book The Hype Machine, chose his panelists well enough that some actually did offer some actionable ideas.

The issues, as Aral said, are all interlinked. (see also 20 years of net.wars). Maria Ressla connected the spread of misinformation to system design that enables distribution and amplification at scale. These systems are entirely opaque to us even while we are open books to them, as Guardian journalist Carole Cadwalladr noted, adding that while US press outrage is the only pressure that moves Facebook to respond, it no longer even acknowledges questions from anyone at her newspaper. Cadwalladr also highlighted the Securities and Exchange Commission's complaint that says clearly: Facebook misled journalists and investors. This dismissive attitude also shows in the leaked email, in which Facebook plans to "normalize" the leak of 533 million users' data.

This level of arrogance is the result of concentrated power, and countering it will require antitrust action. That in turn leads back to questions of design and free speech: what can we constrain while respecting the First Amendment? Where is the demarcation line between free speech and speech that, like crying "Fire!" in a crowded theater, can reasonably be regulated? "In technology, design precedes everything," Roger McNamee said; real change for platforms at global or national scale means putting policy first. His Exhibit A of the level of cultural change that's needed was February's fad, Clubhouse: "It's a brand-new product that replicates the worst of everything."

In his book, Aral opposes breaking up social media companies as was done incases such as Standard Oil, the AT&T. Zephyr Teachout agreed in seeing breakup, whether horizontal (Facebook divests WhatsApp and Instagram, for example) or vertical (Google forced to sell Maps) as just one tool.

The question, as Joshua Gans said, is, what is the desired outcome? As Federal Trade Commission nominee Lina Khan wrote in 2017, assessing competition by the effect on consumer pricing is not applicable to today's "pay-with-data-but-not-cash" services. Gans favors interoperability, saying it's crucial to restoring consumers' lost choice. Lock-in is your inability to get others to follow when you want to leave a service, a problem interoperability solves. Yes, platforms say interoperability is too difficult and expensive - but so did the railways and telephone companies, once. Break-ups were a better option, Albert Wenger added, when infrastructures varied; today's universal computers and data mean copying is always an option.

Unwinding Facebook's acquisition of WhatsApp and Instagram sounds simple, but do we want three data hogs instead of one, like cutting off one of Lernean Hydra's heads? One idea that emerged repeatedly is slowing "fast, free, and frictionless"; Yael Eisenstat wondered why we allow experimental technology at global scale but policy only after painful perfection.

MEP Marietje Schaake (Democrats 66-NL) explained the EU's proposed Digital Markets Act, which aims to improve fairness by preempting the too-long process of punishing bad behavior by setting rules and responsibilities. Current proposals would bar platforms from combining user data from multiple sources without permission; self-preferencing; and spying (say, Amazon exploiting marketplace sellers' data), and requires data portability and interoperability for ancillary services such as third-party payments.

The difficulty with data portability, as Ian Brown said recently, is that even services that let you download your data offer no way to use data you upload. I can't add the downloaded data from my current electric utility account to the one I switch to, or send my Twitter feed to my Facebook account. Teachout finds that interoperability isn't enough because "You still have acquire, copy, kill" and lock-in via existing contracts. Wenger argued that the real goal is not interoperability but programmability, citing open banking as a working example. That is also the open web, where a third party can write an ad blocker for my browser, but Facebook, Google, and Apple built walled gardens. As Jared Sine told this week's antitrust hearing, "They have taken the Internet and moved it into the app stores."

Real change will require all four of the levers Aral discusses in his book, money, code, norms, and laws - which Lawrence Lessig's 1996 book, Code and Other Laws of Cyberspace called market, software architecture, norms, and laws - pulling together. The national commission on democracy and technology Aral is calling for will have to be very broadly constituted in terms of disciplines and national representation. As Safiya Noble said, diversifying the engineers in development teams is important, but not enough: we need "people who know society and the implications of technologies" at the design stage.

Illustrations: Sinan Aral, hosting the summit.l

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

April 16, 2021


London-in-lockdown`20201124_144850.jpgThis week, an update to the UK's contact tracing app (which, confusingly, is labeled "NHS" but is actually instead part of the private contractor-run test and trace system) was blocked by Google and Apple because it broke their terms and conditions. What the UK wanted: people who tested positive to upload their collected list of venue check-ins, now that the latest national lockdown is easing. Under Google's and Apple's conditions, to which the government had agreed: banned. Oops.

The previouslies: this time last year, it was being widely suggested that contact tracing apps could save us. In May 2020, the BMJ blog called downloading the app a "moral obligation".

That reaction was part of a battle over privacy. Step One: Western horror at the Chinese Alipay Health Code app that assigned everyone a traffic light code based on their recent movements and contacts and determined which buildings and public places they could enter - the permission-based society at a level that would surely be unacceptable in a Western democracy. Step Two: the UK, like France, designed its own app to collect users' data for centralized analysis, tracking, and tracing. Privacy advocates argued that this design violated data protection law and that public health goals could be met by less invasive means. Technical advisers warned it wouldn't work. Step Three: Google and Apple built a joint "exposure notification" platform to underpin these contact tracing apps and set the terms: no centralized data collection. Data must remain local unless the user opts to upload it. The UK, and France grumpily switched when they discovered everyone else was right: their design didn't work. Later, the two companies embedded exposure notification into their operating systems so public health departments didn't have to build their own app.

Make no mistake: *contact tracing* works. It's a well-established practice in public health emergencies. But we don't know if contact tracing *apps* work where "work" means "reduce infections" as opposed to work technically, are well-designed, or even reject these silly privacy considerations. Most claimed success for these apps seems to have come shortly after release and measure success in download numbers, on the basis that the apps will only work if enough people use them. The sole exception appears to be Singapore, where claimed download rates near 60% and authorities report the app has halved the time to complete contact tracing from four days to two.

In June, Italian biologist Emanuele Rizzo warned in the British Medical Journal that the apps are poorly suited for the particular characteristics of how the coronavirus spreads and the heightened risk for older people, who are least likely to have smartphones. In October, AI researcher Allison Gardner wrote at The Conversation that the worldwide average for downloading these apps was an inadequate 20%.

The UK was slow to get its contact tracing app working, and by the time it did we were locking down for the winter. Even so, last summer most UK venues posted QR codes for visitors to scan to log their visit. If someone tests positive in that venue it's reported to a database, from where your phone retrieves it and alerts you if you were there at the same time so you can get tested and, if necessary, self-isolate.

Of course, for the last five months nothing's been open. Check-ins and contact tracing apps aren't much use when no one is going anywhere. But during the period when people tried this out, there were many reported problems, such as that the app may decide exposure has taken place when you and the infected person only overlapped briefly. It remains simpler, probably overall cheaper, and more future-proof to improve ventilation and make venues safer.

Google's and Apple's action means, I suppose, that I am supposed to be grateful, however grumpily, to Big Tech for protecting me against government intrusion. What I want, though, to be able to trust the health authorities so this sort of issue only arises when absolutely necessary. Depending on the vagaries of private companies' business models to protect us is not a solution.

This is a time when many are not happy with either company. Google's latest wheeze is to replace third-party cookies with Federated Learning of Cohorts, which assign Chrome users to categories it then uses to target ads. EFF has a new tool that shows if you've been "FLoCed" (Firefox users need not apply). Google calls this setup a privacy sandbox, and claims it will more privacy-protective than the present all-tracking, by-everyone, all-the-time situation. EFF calls this "old tracking" versus "new tracking", and argues for a third option: *not* tracking, and letting users decide what information to share and with whom.

Apple, meanwhile, began blocking tracking via third-party cookies last year, with dramatic results, and rejects apps that aren't compliant, though some companies are finding workarounds. This year, new Apple rules requiring privacy labels that identify the categories of data apps collect have exposed the extent of data collection via Google's Chrome browser and search app.

The lesson to be drawn here is not that these companies are reinventing themselves as privacy protectors. The lesson to be drawn is that each wants to be the *only* one to invade our privacy. It's only a coincidence that the result was that they refused to accommodate government demands.

Illustrations: Empty central London in lockdown in November 2020.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

April 9, 2021

Which science?

covid-stringency-index-2021.pngThe spring of 2021 is all about "last year at this time..."

Last year at this time I was frantically helping Privacy International track covid responses as every country passed laws, mandated curfews and other restrictions, and awarded police enforcement powers. It transpires that lots of others were thinking similarly about the need to track the different policies countries were pursuing to contain the pandemic. Tracking surveillance is important, if only to ensure that we can identify new intrusions inwhatever "new normal" emerges post-pandemic, but there are many other lessons to learn from comparisons across the world in this global, uncontrolled experiment in public health we call a pandemic.

One group doing this sort of study recently reported initial findings based on collected contributions from 600 data collectors in 186 countries comparing policies, vaccine rollouts, and so on. Most of it is negative, listing what *didn't* make a difference: the wealth of nations hasn't counted for much, nor did a nation's scientific and health care capacity by itself, and neither did the democratic or autocratic nature of a country's government.

The instinctive answer to this sort of question is that the countries that had recent experience of epidemics - HN1, SARS, MERS - understood the seriousness of the danger and how quickly exponential - viral! - growth can get out of hand and responded quickly and decisively. In some cases, such as New Zealand (26 deaths in total to April 8, 2021 for a rate of five per million population), Taiwan (10. 0.4), Vietnam (35, 0.4), China (4,636, 3), and Mongolia (18) that response has been effective over the last year (all figures from Worldometers. Other countries, such as the Czech Republic, Hungary, and Bulgaria, responded quickly to the initial threat, but then failed to use that experience to reimpose the measures that had worked for them when new waves of the pandemic arose. Some of the countries that were slow and/or chaotic about imposing lockdowns and other restrictions are at the front of vaccine rollouts. Mongolia, which has done fantastically well at curbing both case numbers and deaths, especially given its limited resources, by starting as early as January 2020 to implement low-tech public health measures, has abruptly seen its daily case load spike from 65 cases a day to 500 in the last month. The prime minister has announced a lockdown.

Eventually those doing this kind of work will be able to look across the entire experience of the pandemic to assess what worked and what didn't and make recommendations for more effective responses in future. That won't, however, be possible for at least another two years. In the meantime, some thoughts.

Even with this many countries to compare, the number of variables is staggering. Are you aiming to minimize deaths, contain costs, ensure your health care system doesn't collapse, or minimize spread? In one sense those are all the same: limit infection and the rest follows. But take vaccines, still patchily available, which goal you prioritize changes who gets protected first: minimizing deaths and hospital admissions means starting with the oldest, as in the US and UK, while minimizing spread might mean first targeting the most mobile, 20- and 30-somethings. If you're a scientist you develop models you hope resemble reality that let you see the results of different strategies. If you're a politician in the US or UK, you might be tempted to remember that old people vote.

One thing I think will become (even more) clear in hindsight is the tension in many countries between the magnetic attraction of new information technology approaches such as AI and risk modeling and the plodding effectiveness of low-tech public health approaches. It's very tempting to view this as the difference between "male" and "female" approaches, particularly because washing your hands, avoiding people when you're sick, and opening a window are the kinds of things your mother might have told you to do, and you're a grown-up now. It's more likely, though, that the last 50 years of high-speed computer industry developments have left us too inclined to think newer must be better.

In some cases this is true; certainly, the new mRNA vaccines seem set to achieve numerous breakthroughs against diseases that have proved recalcitrant until now, and without the Internet we would have been far more isolated and scientists could never have responded so quickly and so collaboratively. But in others our modern gizmos have been largely a distraction. Remember last year's mad rush to develop contact tracing apps? That whole controversial effort appears to have been largely pointless. The UK's app has been downloaded 21 million times...and so what? The country still has one of the highest covid death rates in the world (fifth in number of deaths, 13th in deaths per million population). As Jonny Ball and Michael Goodier write at New Statesman, contact tracing apps help provide manual contact tracers with leads to work with; they are no substitute for robust local laborious effort.

So my guess is that when the dust settles key advice will be that you can't automate your way out of a pandemic. Last year around this time, US Speaker of the House Nancy Pelosi said, "...And for those who choose prayer over science, I say that science is the answer to our prayers." Science, yes, but not just *new* science.

Illustrations: A visualization of the Stringency Index from the Covid-19 Government Response Tracker project.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

April 2, 2021

Medical apartheid

swiss-cheese-virus-defence.jpgEver since 1952, when Clarence Willcock took the British government to court to force the end of wartime identity cards, UK governments have repeatedly tried to bring them back, always claiming they would solve the most recent public crisis. The last effort ended in 2010 after a five-year battle. This backdrop is a key factor in the distrust that's greeting government proposals for "vaccination passports" (previously immunity passports). Yesterday, the Guardian reported that British prime minister Boris Johnson backs certificates that show whether you've been vaccinated, have had covid and recovered, or had a test. An interim report will be published on Monday; trials later this month will see attendees to football matches required to produce proof of negative lateral flow tests 24 hours before the game and on entry.

Simultaneously, England chief medical officer Chris Whitty told the Royal Society of Medicine that most experts think covid will become like the flu, a seasonal disease that must be perennially managed.

Whitty's statement is crucial because it means we cannot assume that the forthcoming proposal will be temporary. A deeply flawed measure in a crisis is dangerous; one that persists indefinitely is even more so. Particularly when, as this morning, culture secretary Oliver Dowden tries to apply spin: "This is not about a vaccine passport, this is about looking at ways of proving that you are covid secure." Rebranding as "covid certificates" changes nothing.

Privacy advocates and human rights NGOs saw this coming. In December, Privacy International warned that a data grab in the guise of immunity passports will undermine trust and confidence while they're most needed. "Until everyone has access to an effective vaccine, any system requiring a passport for entry or service will be unfair." We are a long, long way from that universal access and likely to remain so; today's vaccines will have to be updated, perhaps as soon as September. There is substantial, but not enough, parliamentary opposition.

A grassroots Labour discussion Wednesday night showed this will become yet another highly polarized debate. Opponents and proponents combine issues of freedom, safety, medical efficacy, and public health in unpredictable ways. Many wanted safety - "You have no civil liberties if you are dead," one person said; others foresaw segregation, discrimination, and exclusion; still others cited British norms in opposing making compulsory either vaccinations or carrying any sort of "papers" (including phone apps).

Aside from some specific use cases - international travel, a narrow range of jobs - vaccination passports in daily life are a bad idea medically, logistically, economically, ethically, and functionally. Proponents' concerns can be met in better - and fairer - ways.

The Independent SAGE advisory group, especially Susan Michie, has warned repeatedly that vaccination passports are not a good solution for solution life. The added pressure to accept vaccination will increase distrust, she has repeatedly said, particularly among victims of structural racism.

Instead of trying to identify which people are safe, she argues that the government should be guiding employers, businesses, schools, shops, and entertainment venues to make their premises safer - see for example the CDC's advice on ventilation and list of tools. Doing so would not only help prevent the spread of covid and keep *everyone* safe but also help prevent the spread of flu and other pathogens. Vaccination passports won't do any of that. "It again puts the burden on individuals instead of spaces," she said last night in the Labour discussion. More important, high-risk individuals and those who can't be vaccinated will be better protected by safer spaces than by documentation.

In the same discussion, Big Brother Watch's Silkie Carlo predicted that it won't make sense to have vaccination passports and then use them in only a few places. "It will be a huge infrastructure with checkpoints everywhere," she predicted, calling it "one of the civil liberties threats of all time" and "medical apartheid" and imagining two segregated lines of entry to every venue. While her vision is dramatic, parts of it don't go far enough: imagine when this all merges with systems already in place to bar access to "bad people". Carlo may sound unduly paranoid, but it's also true that for decades successive British governments at every decision point have chosen the surveillance path.

We have good reason to be suspicious of this government's motives. Throughout the last year, Johnson has been looking for a magic bullet that will fix everything. First it was contact tracing apps (failed through irrelevance), then test and trace (failing in the absence of "and isolate and support"), now vaccinations. Other than vaccinations, which have gone well because the rollout was given to the NHS, these failed high-tech approaches have handed vast sums of public money to private contractors. If by "vaccination certificates" the government means the cards the NHS gives fully-vaccinated individuals listing the shots they've had, the dates, and the manufacturer and lot number, well fine. Those are useful for those rare situations where proof is really needed and for our own information in case of future issues, it's simple, and not particularly expensive. If the government means a biometric database system that, as Michie says, individualizes the risk while relieving venues of responsibility, just no.

Illustrations: The Swiss Cheese Respiratory Virus Defence, created by virologist Ian McKay.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.