net.wars: November 2021 Archives


November 25, 2021

Lawful interception

For at least five years the stories have been coming about the Israeli company NSO Group. For most people, NSO is not a direct threat. For human rights activists, dissidents, lawyers, politicians, journalists, and others targeted by hostile authoritarian states, however, its elite hackers are dangerous. NSO itself says it supplies lawful interception, and only to governments, to help catch terrorists.

Now, finally, someone is taking action. Not, as you might reasonably expect, a democratic government defending human rights, but Apple, which is suing the company on the basis that NSO's exploits cost it resources and technical support. Apple has also alerted targets in Thailand, El Salvador, and Uganda.

On Twitter, intelligence analyst Eric Garland picks over the complaint. Among his more scathing quotes: "Defendants are notorious hackers - amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse", "[its] practices threaten the rules-based international order", and "NSO's products...permit attacks, including from sovereign governments that pay hundreds of millions of dollars to target and attack a tiny fraction of users with information of particular interest to NSO's customers".

The hidden hero in this story is the Canadian research group Citizen Lab, which calls NSO's work "despotism as a service".

Citizen Lab began highlighting NSO's "lawful intercept" software in 2016, when analysis it conducted with Lookout Security showed that a suspicious SMS message forwarded by UAE-based Ahmed Mansoor contained links belonging to NSO Group's infrastructure. The links would have led Mansoor to a chain of zero-day exploits that would have turned his iPhone 6 into a comprehensive, remotely operated spying device. As Citizen Lab wrote, "Some governments cannot resist the temptation to use such tools against political opponents, journalists, and human rights defenders." It went on to note the absence of human rights policies and due diligence at spyware companies; the economic incentives all align the wrong way. An Android version was found shortly afterwards.

Among the targets Citizen Lab found in 2017: Mexican scientists working on obesity and soda consumption, and Amnesty International researchers. In 2018, Citizen Lab reported that Internet scans found 45 countries where Pegasus appeared to be in operation, at least ten of them working cross-border. Also in 2018, Citizen Lab found Pegasus on the phone of Canadian resident Omar Abdulaziz, a Saudi dissident linked to murdered journalist Jamal Khashoggi. In September 2021, Citizen Lab discovered NSO was using a zero-click, zero-day vulnerability in the image rendering library used in Apple's iMessage to take over targets' iOS, WatchOS, and MacOS devices. Apple patched 1.65 billion products.

Both Privacy International and the Pegasus Project, a joint investigation into the company by media outlets including the Guardian and coordinated by Forbidden Stories, have found dozens more examples.

In July 2021, a leaked database of 50,000 phone numbers believed to belong to people of interest to NSO clients since 2016 included human rights activists, business executives, religious figures, academics, journalists, lawyers, and union and government officials around the world. It was not clear if their devices had been hacked. Shortly afterwards, Rappler reported that NSO spyware can successfully infect even the latest, most secure iPhones.

Citizen Lab began tracking litigation and formal complaints against spyware companies in 2018. In a complaint filed in 2019, WhatsApp and Facebook are arguing that NSO and Q Cyber used their servers to distribute malware; on November 8 the US Ninth Circuit Court of Appeals rejected NSO's claim of sovereign immunity, opening the way to discovery. Privacy International promptly urged the British government to send a clear message, given that NSO's target was a UK-based lawyer challenging the company over human rights violations in Mexico and Saudi Arabia.

Some further background is to be found at Lawfare, where shortly *before* the suit was announced, security expert Stephanie Pell and law professor David Kaye discussed how to regulate spyware. In 2019, Kaye wrote a report calling for a moratorium on the sale and transfer of spyware and noting that its makers "are not subject to any effective global or national control". Kaye proposes adding human rights-based export rules to the Wassenaar Arrangement export controls for conventional arms and dual-use technologies. Using Wassenaar, on November 3 the US Commerce Department blacklisted NSO along with fellow Israeli company Candiru, Russian company Positive Technologies, and Singapore-based Computer Security Initiative Consultancy as national security threats. And there are still more, such as the surveillance system sold to Egypt by France-based Thales subsidiary Dassault and Nexa Technologies.

The story proves the point many have made throughout 30 years of fighting for the right to use strong encryption: while governments and their law enforcement agencies insist they need access to keep us safe, there is no magic hole that only "good guys" can use, and any system created to give special access will always end up being abused. We can't rely on the technology companies to defend human rights; that's not in their business model. Governments need to accept and act on the reality that exceptional access for anyone makes everyone everywhere less safe.

Illustrations: Citizen Lab's 2021 map of the distribution of suspected NSO infections (via Democracy Now).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 19, 2021

Digital god squabble

On Wednesday, Amazon customers in the UK woke up to an (in some cases, weirdly empty) email whose news was in the subject: Amazon will cease accepting Visa credit cards (but not debit cards) for payment as of January 19, 2022.

If your first reaction is, "What's the punchline?" I'm with you. What the hell kind of crazy business decision is that?

As Hilary Osborne reports at the Guardian, the email went on to explain that the decision is "due to the high fees Visa charges for processing credit card transactions."

Huh? Like most people, I remained under the impression that it's American Express, not Visa, that charges the highest commissions to merchants. On Twitter, Drew Graham offers a more interesting explanation: taxes. It's a *Brexit* thing. Because of the UK's departure from the EU, Amazon's habit of accepting payments via its no-tax Luxembourg subsidiary means that UK shoppers' remittances are now cross-border payments subject to interchange fees. Both Visa and Mastercard raised these earlier this year, now that EU regulation capping such fees no longer applies. Amazon *could* move its financial arrangements to the UK - but then (the theory continues) it would be hit with taxes. What's one of the biggest, most highly market-capped companies in the world supposed to do when mean, old Visa and national governments want to be paid?

Why Visa but not Mastercard? As several others pointed out, Amazon promotes a branded Mastercard in the UK and also has a deal with American Express. And so, only Visa credit cards take the hit. I find it all supremely weird: Amazon, which has made its name by espousing customer service to the max, is now going to make it less convenient for its UK customers to shop there? Does Amazon think that anyone who pays it with a Visa card probably *also* has a Mastercard? Is it hoping that its customers will rise up in anger and demand that Visa cut it a deal? Or rise up in protest against government taxation that pays for our schools, hospitals, and government corruption? Is it hoping that Visa will be persuaded by the share price drop the announcement occasioned (the day of the announcement, Visa dropped 6.7%)? Or is it, as seems more likely, that we don't matter *at all* and this is one of those no-you're-the-chicken contests in which two bullies pretend they won't budge, leaving their customers to wait it out, annoyed, until they finally settle because less of something is better than all of nothing?

This is not a good look for a company trying to argue it's not a monopoly, nor a good look for a company that makes its money through usury.

The question being asked here is perennial, and more commonly found in the broadcasting and telecommunications industries: who owns the audience? This is part of what network neutrality is about. Periodically, TV channels disappear from US cable TV packages because of fights over who should pay more or less to access the audience (and who brings that audience). So here: do you buy from Amazon because you can pay with your Visa card, or do you have a Visa card because it lets you buy from Amazon (and thousands of other retailers)?

In past cases, technology giants have often pressed their users into service - see for example, Uber vs Transport for London. In this case, though, many users have alternatives available, either other credit cards (Mastercard, American Express, and so on) or debit cards (don't; in the UK, you're better protected against online fraud with a credit card). We also still have other suppliers, though they take time to locate and effort to set up new accounts.

According to Business Insider, the UK is Amazon's third-largest market, and represents one-tenth the sales of the US. At the Washington Post, Bloomberg opinion writer Paul J. Davies says industry data suggests that Visa credit cards represent only 7% of all card-based purchases in the UK. Extrapolated to Amazon's $26.5 billion 2020 UK net sales, that's a mere snip of $1.8 billion in sales. It's a reasonable bet that most people will simply choose an alternative method of payment - and, as Davies points out, new technology is offering consumers more and more alternatives that are faster and cheaper than Mastercard's and Visa's legacy networks. Calling Amazon's move "passive-aggressive", Davies adds that although Britain is hogging the headlines, users in Australia and Singapore are facing a 0.5% surcharge for using Visa cards there.

The whole thing is so many kinds of wrong. For the last several years, Amazon has been accused of using its data access to squeeze the small merchants that use its Marketplace platform, while . Now, both Amazon and Visa are so big that each thinks it can squeeze the other. What do we do if either turns out to be right?

At Telecom, Scott Bicheno correctly calls hogwash on Visa's plaint that it hates to see restrictions on consumer choice. "What we have here is an e-commerce near monopolist locking horns with a payment processing near-monopolist....we can but watch impotently as the digital gods squabble in the heavens over our hard-earned cash."

Unless we start reining in some of these companies, this is our future: fewer and fewer bigger and bigger companies fighting over an increasingly helpless us.

Illustrations: Cocks fighting (via shree650 at Wikimedia).


November 12, 2021

Third wave

It seems like only yesterday that we were hearing that Web 2.0 was the new operating system of the Internet. Pause to look up. It was 2008, in the short window between the founding of today's social media giants (2004-2006) and their smartphone-accelerated explosion (2010).

This week a random tweet led me to discover Web3. As Aaron Mak explains at Slate, "Web3" is an idea for running a next-generation Internet on public blockchains in the interests of decentralization (which net.wars has long advocated). To date, the aspect getting the most attention is decentralized finance (DeFi, or, per Mary Branscombe, deforestation finance), a plan for bypassing banks and governments by conducting financial transactions on the blockchain.

At Freecode, Nader Dabit goes into more of the technical underpinnings. At Fabric Ventures (Medium), Max Mersch and Richard Muirhead explain its importance. Web3 will bring a "borderless and frictionless" native payment layer (upending mediator businesses like Paypal and Square), bring the "token economy" to support new businesses (upending venture capitalists), and tie individual identity to wallets (bypassing authentication services like OAuth, email plus password, and technology giant logins), thereby enabling multiple identities, among other things. Also interesting is the Cloudflare blog, where Thibault Meunier states that as a peer-to-peer system Web3 will use cryptographic identifiers and allow users to selectively share their personal data at their discretion. Some of this - chiefly the robustness of avoiding central points of failure - is a return to the Internet's original design goals.

Standards-setter W3C is working on at least one aspect, cryptographically verifiable Decentralized Identifiers, and it's running into opposition from Google, Apple, and Mozilla, whose browsers control 87% of the market.

Let's review a little history.

The 20th century Internet was sorta, kinda decentralized, but not as much as people like to think. The technical and practical difficulties of running your own server at home fueled the growth of portals and web farms to do the heavy lifting. Web design went from plain text (see for example, Live Journal and Blogspot (now owned by Google). You can argue about how exactly it was that a lot of blogs died off circa 2010, but I'd blame Twitter: writers found it easier to craft a sentence or two and skip writing the hundreds of words that make a blog post. Tim O'Reilly and Clay Shirky described the new era as interactive, and moving control "up the stack" from web browsers and servers to the services they enabled. Data, O'Reilly predicted, was the key enabler, and the "long tail" of niche sites and markets would be the winner. He was right about data, and largely wrong about the long tail. He was also right about this: "Network effects from user contributions are the key to market dominance in the Web 2.0 era." Nearly 15 years later, today's web feels like a landscape of walled cities encroaching on all the public pathways leading between them.

Point Network (Medium) has a slightly different version of this history; it calls Web 1.0 the "read-only web", Web 2.0 the "server/cloud-based social Web", and Web3 the "decentralized web".

The pattern here is that every phase began with a "Cambrian" explosion of small sites and businesses and ended with a consolidated and centralized ecosystem of large businesses that have eaten or killed everyone else. The largest may now be so big that they can overwhelm further development to ensure their future dominance; at least, that's one way of looking at Mark Zuckerberg's metaverse plan.

So the most logical outcome from Web3 is not the pendulum swing back to decentralization that we may hope, but a new iteration of the existing pattern, which is at least partly the result of network effects. The developing plans will have lots of enemies, not least governments, who are alert to anything that enables mass tax evasion. But the bigger issue is the difficulty of becoming a creator. TikTok is kicking ass, according to Chris Stokel-Walker, because it makes it extremely easy for users to edit and enhance their videos.

I spy five hard problems. One: simplicity and ease of use. If it's too hard, inconvenient, or expensive for people to participate as equals, they will turn to centralized mediators. Two: interoperability and interconnection. Right now, anyone wishing to escape the centralization of social media can set up a Discord or Mastodon server, yet these remain decidedly minority pastimes because you can't message from them to your friends on services like Facebook, WhatsApp, Snapchat, or TikTok. A decentralized web in which it's hard to reach your friends is dead on arrival. Three: financial incentives. It doesn't matter if it's venture capitalists or hundreds of thousands of investors each putting up $10, they want returns. As a rule of thumb, decentralized ecosystems benefit all of society; centralized ones benefit oligarchs - so investment flows to centralized systems. Four: sustainability. Five: how do we escape the power law of network effects?

Gloomy prognostications aside, I hope Web3 changes everything, because in terms of its design goals, Web 2.0 has been a bust.

Illustrations: Tag cloud from 2007 of Web 2.0 themes (Markus Angermeier and Luca Cremonini, via Wikimedia).


November 5, 2021

The vanishing Post Office (part II)

Back in 2014, a big red van rolled up outside the post office around the corner, packed it up, and drove it away. After months of uncertainty, that local post office (or, more correctly, *sub* post office) was reinstalled in a centrally located newsagent in Kew village.

Peace has mostly ensued.

Over the years, however, the subpostmaster in charge of it has become visibly and increasingly frustrated as its income continued to drop. Several years ago, he began talking about selling up, if only he could find a buyer. He was closed for some months early in the pandemic, and, although he did reopen, it was with shorter hours. Now, I hear he'll be gone come New Year's, and it will all be the new buyer's problem. I don't know what the buyer will put in its place, but it sounds like it won't be a post office. It may not even be a newsagent, in which case the village's only surviving place to buy a newspaper will be the shop in the station, down from three just a few years ago.

Now, if you want to look at this little story as a pure question of efficiency and available service, you will probably point out that there is a perfectly good, larger, and fuller-service post office barely a mile away in Richmond, reachable by foot, bike, or frequent bus. (You can drive, but you can't park.) However, the main point is that 30 years ago Kew had a full-fledged Post Office in its own solid building (which has long since been remodeled into a pizza restaurant) and now it won't have one at all. And while Kew will survive as a community, the same is not true for many other places that are less favored. In April 2019, the National Federation of SubPostmasters predicted that 22% of post offices around the UK would close or downsize over the next 12 months; our retiring guy is one dot in this expanding nationwide pattern.

The even larger point is that the loss of our post office isn't due to a carefully thought-out plan for reorganization or changed ideas about what communities need in order to remain worthy of the name, but the result of terminal frustration for the subpostmaster. It is alienation and attrition.

Some other statistics from that 2019 survey: the NFSP found that 76% of subpostmasters were earning less than minimum wage per hour from their post office work; 61% reported their income had dropped; and 19% needed an outside job for themselves or their spouse/partner in order to survive. Can't-wait-to-retire showed me the survey, which is currently being rerun.

All of that is without the recent scandal in which hundreds of subpostmasters were prosecuted for fraud based on the output of buggy software; 39 convictions were quashed.

No wonder they're quitting.

It's easy to blame the Internet and email, but it's not that simple. Yes, the Internet cut deeply into personal correspondence, but so did government decisions such as the drive to switch to direct electronic benefits payments - still ongoing - and the digitisation of services like passport and car registration renewals that local post offices used to provide. In addition, since 2006 the postal market has been opened to competition, the Royal Mail was privatized and, in 2013, floated on the stock exchange while the nation's post offices were segregated into the subsidiary Post Office Limited. Competition has enabled cheap, convenient services to flourish, but has also creamed off the most profitable parts of package delivery.

Ultimately, the problem is that today's communities were built around services like banks and post offices that at one time were community hubs but are now outposts of national or even international businesses. In this version of globalization, local communities hollow out because the social infrastructure that underpins them vanishes or loses its local face. It's the difference between living in a real place and picking a convenientish bedroom you can afford.

Some time ago, the Scottish government began studying the country's towns and came up with three main types: independent, dependent, and interdependent. An independent town has enough services that residents don't need to go elsewhere for daily needs such as jobs, doctors and dentists, retail shopping, and public sector services. A dependent town's residents can't function without traveling elsewhere to meet their basic needs. An interdependent town is somewhere in between. It's not all about population or location: St Andrews, Fife, population 16,870, is an interdependent town; the remote northern town of Thurso, population 7,933, is independent (it has to be!); and Houston, west of Glasgow in Renfrewshire, population 6,396, is interdependent to dependent.

As I understand it, the idea of looking at towns this way is to work out how to ensure that as many locations as possible remain viable and help boost those that are struggling. Maybe study will show that post offices, like many churches, don't matter any more and what communities need in today's world is something else - broadband-supplied virtual reality hubs, or communal kitchens. But as all the traditional community hubs disappear or are severely cut back - post offices, libraries, youth clubs, leisure centers - we need that kind of study. It's really not enough to just say, "Oh, there's another one down the road a piece - and there's an app!"

Illustrations: The soon-to-be-gone post office sign.
