net.wars: July 2021 Archives


July 23, 2021

Immune response

The slight reopening of international travel - at least inbound to the UK - is reupping discussions of vaccination passports, which we last discussed here three months ago. In many ways, the discussion recapitulates not only the ID card battles of 2006-2010 but also last year's concerns about contact tracing apps.

We revisit so soon for two reasons. First, the UK government has been sending out conflicting messages for the last month or more. Vaccination passports may - or may not - be required for university attendance and residence; they may be required for domestic venues - and football games! - in September. One minister - foreign secretary Dominic Raab - says the purpose would be to entice young people to get vaccinated, an approach that apparently worked in France, where proposing to require vaccination passports in order to visit cafes caused an Eiffel Tower-shaped spike in people presenting for shots. Others seem to think that certificates of either vaccination or negative tests will entice people to go out more and spend money. Or maybe the UK won't do them at all; if enough people are vaccinated why would we need proof of any one individual's status? Little has been said about whatever the government may have learned from the test events that were supposed to show if it was safe to resume mass entertainment gatherings.

Second, a panel discussion last month hosted by Allyson Pollock raised some new points. Many of us have thought of covid passports for international travel as roughly equivalent to proof of vaccination for yellow fever. However, Linnet Taylor argues that the only time someone in a high-income country needs one is if they're visiting a country where the disease is endemic. By contrast, every country has covid, and large numbers - children, especially - either can't access or do not qualify for covid vaccinations. The problems that disparity caused for families led Israel to rethink its Green Pass, which expired in June and was not renewed. Therefore, Taylor said, it's more relevant to think about lowering the prevalence of the disease than to try to distinguish between vaccinated and unvaccinated. The chief result of requiring vaccination passports for international travel, she said, will be to add extra barriers for those traveling from low-income countries to high-income countries and cement into place global health inequality and unequal access to vaccines. She concluded that giving the responsibility to technology companies merely shows we have "no plan to solve them any other way".

It also brings other risks. Michael Veale and Seda F. Gürses explain why the computational infrastructure required to support online vaccination verification undercuts public health objectives. Ellen Ullman wrote about this in 1997: computer logic eliminates fuzzy human accommodations, and its affordances foster administrative change from help to surveillance and inclusion to exclusion. No one using the system - that is people going to pubs and concerts - will have any control over what it's doing.

Last year, Westerners were appalled at the passport-like controls China put in place. This year, New York state is offering the Excelsior Pass. Once you load the necessary details into the pass, a mobile phone app, scanning it gains you admission to a variety of venues. IBM, which built the system, is supposedly already investigating how it can be expanded.

As Veale pointed out, a real-time system to check vaccination certificates will also know everywhere each individual certificate has been checked, adding inevitable intrusion far beyond the vaccinated-yes/no binary. Two stories this week bear Veale out. The first is the New York Times story that highlighted the privacy risks of QR codes that are proliferating in the name of covid safety. Again, the average individual has no way to tell what data is incorporated into the QR code or what's being saved.

The second story is the outing of Monsignor Jeffrey Burrill by The Pillar, a Medium newsletter that covers the Catholic Church. The Pillar says its writers legally obtained 24 months' worth of supposedly anonymized, aggregated app signal data. Out of that aggregated mass they used known locations Burrill frequents to pick out a phone ID with matching history, and used that to track the phone's use of the LGBTQ dating app Grindr and visits to gay nightclubs. Burrill resigned shortly after being informed of the story.

More important is the conclusion Bruce Schneier draws: location data cannot be successfully anonymized. So checking vaccination passports in fact means building the framework of a comprehensive tracking system, whether or not that's the intention.

Like contact tracing apps before them, vaccination passports are a mirage that seems to offer the prospect of living - in this case, to people who've been vaccinated against covid - as if the pandemic does not exist. Whether it "works" depends on what your goal is. If it's to create an airport-style fast track through everyday life, well, maybe. If it's to promote public health, then safety measures such as improved ventilation, moving events outdoors, masks, and so on are likely a better bet. If we've learned anything from the last year and a half, it should be that no one can successfully create an individual bubble in which they can pretend the pandemic is over even while it rages in the rest of the world.


Illustrations: China's Alipay Health Code in March, 2020 (press photo).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

Internet fragmentation as a service

"You spend most of your day telling a robot that you're not a robot. Think about that for two minutes and tell me you don't want to walk into the ocean," the comedian John Mulaney said in his 2018 comedy special, Kid Gorgeous. He was talking about captchas.

I was reminded of this during a recent panel at the US Internet Governance Forum hosted by Mike Nelson. Nelson's challenge to his panelists: imagine alternative approaches to governments' policy goals that won't damage the Internet. They talked about unintended consequences (and the exploitation thereof) of laws passed with good intentions, governments' demands for access to data, ransomware, content blocking, multiplying regional rulebooks, technical standards and interoperability, transparency, and rising geopolitical tensions, which cyberspace policy expert Melissa Hathaway suggested should be thought about by playing a mash-up of the games Risk and Settlers of Catan. The main topic: is the Internet at risk of Internet fragmentation?

So much depends on what you mean by "fragmentation". No one mentioned the physical damage achievable by ten backhoes. Nor the domain name system that allows humans and computers to find each other; "splitting the root" (that is, the heart of the DNS) used to dominate such discussions. Nor captchas, but the reason Mulaney sprang to mind was that every day (in every way) captchas frustrate access. Saying that makes me privileged; in countries where Facebook is zero-rated but the rest of the Internet costs money people can't afford on their data plans, the Internet is as cloven as it can possibly be.

Along those lines, Steve DelBianco raised the idea of splintering-by-local-law, the most obvious example being the demand in many countries for data localization. DelBianco, however, cited Illinois' Biometric Information Privacy Act (2008), which has been used to sue platforms on behalf of unnamed users for automatically tagging their photos online. Result: autotagging is not available to Illinois users on the major platforms, and neither is the Google Nest and Amazon Ring doorbells' facility for recognizing and admitting friends and family. See also GDPR, noted above, which three and a half years after taking force still has US media sites blocking access by insisting that our European visitors are important to us.

You could also say that the social Internet is splintering along ideological lines as the extreme right continue to build their own media and channels. In traditional media, this was Roger Ailes' strategy. Online, the medium designed to connect people doesn't care who it connects or for what purpose. Commercial social media engagement algorithms have exacerbated this, as many current books make plain.

Nelson, whose Internet policy experience goes back to the Clinton administration, suggested that policy change is generally driven by a big event: 9/11, for example, which led promptly to the passage of the PATRIOT Act (US) and the Anti-Terrorism, Crime, and Security Act (UK), or the Colonial Pipeline hack that has made ransomware an urgent mainstream concern. So, he asked: what kind of short, sharp shock would cause the Internet to fracture? If you see data protection law as a vector, the 2013 Snowden revelations were that sort of event; a year earlier, GDPR looked like fading away.

You may be thinking, as I was, that we're literally soaking in global catastrophes: the COVID-19 pandemic, and climate change. Both are slow-burning issues, unlike the high-profile drivers of legislative panic Nelson was looking for, but both generate dozens of interim shocks.

I'm always amazed so little is said about climate change and the future of the Internet; the IT industry's emissions just keep growing. China's ban on cryptocurrency mining, which it attributes to environmental concerns, may be the first of many such limits on the use of computing power. Disruptions to electricity supplies - just yesterday, the UK's National Grid warned there may be blackouts this winter - don't "break" the Internet, but they do make access precarious.

So far, the pandemic's effect has mostly been to exacerbate ideological splits and accelerate efforts to curb the spread of misinformation via social media. It's also led to increased censorship in some places; early on, China banned virus-related keywords on WeChat, and this week the Indian authorities raided a newspaper that criticized the government's pandemic response. In addition, the exposure and exacerbation of social inequalities brought by the pandemic may, David Bray suggested in the panel, be contributing to the increase in cybercrime, as "failed states" struggle to rescue their economies. This week's revelations of the database of numbers of interest to NSO Group clients since 2016 doesn't fragment the Internet as a global communications system, but it might in the sense that some people may not be able to afford the risk of being on it.

This is where Mulaney comes in. Today, robots gatekeep web pages. Three trends seem likely to expand their role: online, age verification and online safety laws; covid passports, which are beginning to determine access to physical-world events; and the Internet of Things, which is bridging what's left of the divide between cyberspace and the real world. In the Internet subsumed into everything of our future, "splitting the Internet" may no longer be meaningful as the purely virtual construct Nelson's panel was considering. In the cyber-physical world, Internet fragmentation must also be hybrid.


Illustrations: The IGF-USA panel in action.


July 16, 2021

When software eats the world

One part of our brains knows that software can be fragile. Another part of our brains, when faced with the choice of trusting the human or trusting the machine...trusts the machine. It may have been easier to pry trust away from the machine twenty years ago, when systems crashed more often, sometimes ruining months of work and the mantra, "Have you tried turning it off and back on again?" didn't yet work as a reliable way of restoring function. Perhaps more important, we didn't *have* to trust software because we had canonical hard copies. Then, as predicted, the copies became "backups". Now, often, they don't exist at all, with the result that much of what we think we know is becoming less well-attested. How many of us even print out our bank statements any more? Three recent stories highlight this.

First is the biggest UK computer-related scandal for many years, the outrageous Post Office prosecution of hundreds of subpostmasters for theft and accounting fraud, all while insisting that their protests of innocence must all be lies because its software, sourced from Fujitsu, could not possibly be wrong. Eventually, the Court of Appeal quashed 39 convictions and excoriated both the Post Office and Fujitsu for denying the existence of two known bugs that led to accounting discrepancies. They should never have been able to get away with their claim of infallibility - first, because generations of software engineers could have told the court that all software has bugs, and second, because of Ross Anderson's work proving that software vulnerabilities were the cause of phantom ATM withdrawals, overriding the UK banking industry's insistence that its software, too, was infallible.

At Lawfare, Susan Landau, discussing work she did in collaboration with Steve Bellovin, Matt Blaze, and Brian Owsley, uses the Post Office fiasco as a jumping-off point to discuss the increasing problem of bugs in software used to produce evidence presented in court. Much of what we think of as "truth" - Breathalyzer readings, forensic tools, Hawkeye line calls in tennis matches - are not direct measurements but software-derived interpretations of measurements. Hawkeye at least publishes its margin for error even though tennis has decided to pretend it doesn't exist. Manufacturers of evidence-producing software, however, claim commercial protection, leaving defendants unable to challenge the claims being made about them. Landau and her co-authors conclude that courts must recognize that they can't assume the reliability of evidence produced by software and that defendants must be able to conduct "adversarial audits".

Second story. At The Atlantic, Jonathan Zittrain complains that the Internet is "rotting". Link rot - broken links when pages get deleted or reorganized - and content drift, which sees the contents of a linked page change over time, are familiar problems for anyone who posts anything online. Gabriel Weinberg, the founder of search engine DuckDuckGo, has talked about API rot, which breaks dependent functionality. Zittrain's particular concern is legal judgments, which increasingly may incorporate disappeared or changed online references like TikTok videos and ebooks. Ebooks in particular can be altered on the fly, leaving no trace of that thing you distinctly remember seeing.

Zittrain's response has been to help create sites to track these alterations and provide permanent links. It probably doesn't matter much that the net.wars archive has (probably) thousands of broken links. As long as the Internet Archive's Wayback Machine continues to exist as a source for vaped web pages, most of the ends of those links can be recovered. The Archive is inevitably incomplete, and only covers the open web. But it *does* matter if the basis for a nation's legal reasoning and precedents - what Zittrain calls "long-term writing" - can't be established with any certainty. Hence the enormous effort put in by the UK's National Archives to convert millions of pages of EU legislation so all could understand the legitimacy of post-Brexit UK law.

Third story. It turns out the same is true for the brick-by-brick enterprise we call science. In the 2020 study Open is not forever, authors Mikael Laakso, Lisa Matthias, and Najko Jahn find journal rot. Print publications are carefully curated and preserved by librarians and archivists, as well as the (admittedly well-funded) companies that publish them. Open access journals, however, have had a patchy record of success, and the study finds that between 2000 and 2019 174 open access journals from all major research disciplines and from all geographical regions vanished from the web. In science, as in law, it's not enough to retain the end result; you must be able to show your work and replicate your reasoning.

It's more than 20 years since I heard experts begin to fret about the uncertain durability of digital media; the Foundation for Information Research included the need for reliable archives in its 1998 founding statement. The authors of the journal study note that the journals themselves are responsible for maintaining their archives and preserving their portion of the scholarly record; they conclude that solving this problem will require the participation of the entire scholarly community.

What isn't clear, at least to me, is how we assure the durability of the solutions. It seemed a lot easier when it was all on paper in a reassuringly solid building.

Illustrations: The UK National Archives, in Kew (photo by Erian Evans via Wikimedia).


July 9, 2021

The border-industrial complex*

Most people do not realize how few rights they have at the border of any country.

I thought I did know: not much. EFF has campaigned for years against unwarranted US border searches of mobile phones, where "border" legally extends 100 miles into the country. If you think, well, it's a big country, it turns out that two-thirds of the US population lives within that 100 miles.

No one ever knows what the border of their own country is like for non-citizens. This is one reason it's easy for countries to make their borders hostile: non-citizens have no vote and the people who do have a vote assume hostile immigration guards only exist in the countries they visit. British people have no idea what it's like to grapple with the Home Office, just as most Americans have no experience of ICE. Datafication, however, seems likely to eventually make the surveillance aspect of modern border passage universal. At Papers, Please, Edward Hasbrouck charts the transformation of travel from right to privilege.

In the UK, the Open Rights Group and the3million have jointly taken the government to court over provisions in the post-Brexit GDPR-enacting Data Protection Act (2018) that exempted the Home Office from subject access rights. The Home Office invoked the exemption in more than 70% of the 19,305 data access requests made to its office in 2020, while losing 75% of the appeals against its rulings. In May, ORG and the3million won on appeal.

This week's announced Nationality and Borders Bill proposes to make it harder for refugees to enter the country and, according to analyses by the Refugee Council and Statewatch, make many of them - and anyone who assists them - into criminals.

Refugees have long had to verify their identity in the UK by providing biometrics. On top of that, the cash support they're given comes in the form of prepaid "Aspen" cards, which means the Home Office can closely monitor both their spending and their location, and cut off assistance at will, as Privacy International finds. Scotland-based Positive Action calls the results "bureaucratic slow violence".

That's the stuff I knew. I learned a lot more at this week's workshop run by Security Flows, which studies how datafication is transforming borders. The short version: refugees are extensively dataveilled by both the national authorities making life-changing decisions about them and the aid agencies supposed to be helping them, like the UN High Commissioner for Refugees (UNHCR). Recently, Human Rights Watch reported that UNHCR had broken its own policy guidelines by passing data to Myanmar that had been submitted by more than 830,000 ethnic Rohingya refugees who registered in Bangladeshi camps for the "smart" ID cards necessary to access aid and essential services.

In a 2020 study of the flow of iris scans submitted by Syrian refugees in Jordan, Aalborg associate professor Martin Lemberg-Pedersen found that private companies are increasingly involved in providing humanitarian agencies with expertise, funding, and new ideas - but that those partnerships risk turning their work into an experimental lab. He also finds that UN agencies' legal immunity coupled with the absence of common standards for data protection among NGOs and states in the global South leave gaps he dubs "loopholes of externalization" that allow the technology companies to evade accountability.

At the 2020 Computers, Privacy, and Data Protection conference a small group huddled to brainstorm about researching the "creepy" AI-related technologies the EU was funding. Border security represents a rare opportunity, invisible to most people and justified by "national security". Home Secretary Priti Patel's proposal to penalize the use of illegal routes to the UK is an example, making desperate people into criminals. People like many of the parents I knew growing up in 1960s New York.

The EU's immigration agencies are particularly obscure. I had encountered Warsaw-based Frontex, the European Border and Coast Guard Agency which manages operational control of the Schengen Area, but not EU-LISA, which since 2012 has managed the relevant large-scale IT systems SIS II, VIS, EURODAC, and ETIAS (like the US's ESTA). Unappetizing alphabet soup whose errors few know how to challenge.

The behind-the-scenes the workshop described sees the largest suppliers of ICT, biometrics, aerospace, and defense provide consultants who help define work plans and formulate calls to which their companies respond. The list of vendors appearing in Javier Sánchez-Monedero's 2018 paper for the Data Justice Lab begins to trace those vendors, a mix of well-known and unknown. A forthcoming follow-up focuses on the economics and lobbying behind all these databases.

In the recent paper on financing border wars, Mark Akkerman analyzes the economic interests behind border security expansion, and observes "Migration will be one of the defining human rights issues of the 21st century." We know it will increase, increasingly driven by climate change; the fires that engulfed the Canadian village of Lytton, BC on July 1 made 1,000 people homeless, and that's just the beginning.

It's easy to ignore the surveillance and control directed at refugees in the belief that they are not us. But take the UK's push to create a hostile environment by pushing border checks into schools, workplaces, and health services as your guide, and it's obvious: their surveillance will be your surveillance.

*Credit the phrase "border-industrial complex" to Luisa Izuzquiza.

Illustrations: Rohingya refugee camp in Bangladesh, 2020 (by Rocky Masum, via Wikimedia).


July 2, 2021

This land

An aging van drives off down a highway into a fantastical landscape of southwestern mountains and mesquite. In 1977, that could have been me, or any of my folksinging friends as we toured the US, working our way into debt (TM Andy Cohen). In 2020, however, the van is occupied by Fern (Frances McDormand), one of the few fictional characters in the film Nomadland, directed by Chloé Zhao, and based on the book by Jessica Bruder, which itself grew out of her 2014 article for Harper's magazine.

Nomadland captures two competing aspects of American life. First, the middle-class dream of the nice house with the car in the driveway, a chicken in a pot inside, and secure finances. Anyone who rejects this dream must be dangerous. But deep within also lurks the other American dream, of freedom and independence, which in the course of the 20th century moved from hopping freight trains to motor vehicles and hitting the open road.

For many of Nomadland's characters, living on the road begins as a necessary accommodation to calamity but becomes a choice. They are "retirees" who can't afford to retire, who balk at depending on the kindness of relatives, and have carved out a circuit of seasonal jobs. Echoing many of the vandwellers Bruder profiles, Fern tells a teen she used to tutor, "I'm not homeless - just houseless."

Linda May, for example, began working at the age of 12, but discovered at 62 that her social security benefits amounted to $550 a month (the fate that perhaps awaits the people Barbara Ehrenreich profiles in Nickel and Dimed). Others lost their homes in the 2008 crisis. Fern, whose story frames the movie, lost job and home in Empire, Nevada when the gypsum factory abruptly shut down, another casualty of the 2008 financial crisis. Six months later, the zipcode was scrubbed. This history appears as a title at the beginning of the movie. We watch Fern select items and lock a storage unit. It's go time.

Fern's first stop is the giant Amazon warehouse in Fernley, Nevada, where the money is good and a full-service parking space is included. Like thousands of other workampers, she picks stock and packs boxes for the Christmas rush until, come January, it's time to gracefully accept banishment. People advise her: go south, it's warmer. Shivering and scraping snow off the van, Fern soon accepts the inevitable. I don't know how cold she is, but it brought flashbacks to a few of those 1977 nights in my pickup-truck-with-camper-top when I slept in a full set of clothes and a hat while the shampoo solidified. I was 40 years younger than Fern, and it was never going to be my permanent life. On the other hand: no smartphone.

At the Rubber Tramp Rendezvous near Quartzsite, Arizona, Fern finds her tribe: Swankie, Bob Wells, and the other significant fictional character, Dave (David Strathairn). She traces the annual job circuit: Amazon, camp hosting, beet harvesting in Nebraska, Wall Drug in South Dakota. Old hands teach her skills she needs: changing tires, inventing and building things out of scrap, remodeling her van, keeping on top of rust. She learns what size bucket to buy and that you must be ready to solve your own emergencies. Finally, she learns to say "See you down the road" instead of "Goodbye".

Earlier this year, at Silicon Flatiron's Privacy at the Margins, Tristia Bauman, executive director of the National Homelessness Law Center, explained that many cities have broadly-written camping bans that make even the most minimal outdoor home impossible. Worse, those policies often allow law enforcement to seize property. It may be stored, but often people still don't get it back; the fees for retrieving a towed-away home (that is, van) can easily be out of reach. This was in my mind when Bob talks about fearing the knock on the van that indicates someone in authority wants you gone.

"I've heard it's depressing," a friend said, when I recommended the movie. Viewed one way, absolutely. These aging Baby Boomers never imagined doing the hardest work of their lives in their "golden years", with no health insurance, no fixed abodes, and no prospects. It's not that they failed to achieve the American Dream. It's that they believed in the American Dream and then it broke up with them.

And yet "depressing" is not how I or my companion saw it, because of that *other* American Dream. There's a sense of ownership of both the land and your own life that comes with living on the road in such a spacious and varied country, as Woody Guthrie knew. Both Guthrie in the 1940s and Zhao now unsparingly document the poverty and struggles of the people they found in those wide-open spaces - but they also understand that here a person can breathe and find the time to appreciate the land's strange, secret wonders. Secret, because most of us never have the time to find them. This group does, because when you live nowhere you live everywhere. We get to follow them to some of these places, share their sense of belonging, and admire their astoundingly adaptable spirit. Despite the hardships they unquestionably face, they also find their way to extraordinary moments of joy.

See you down the road.

Illustrations: Fern's van, heading down the road.
