net.wars: February 2022 Archives


February 25, 2022

Irreparable harm

The anti-doping systems in sports have long intrigued me as a highly visible example of a failed security system. The case of Kamila Valieva at the recent Winter Olympics provides yet another example.

I missed the event itself because: I don't watch the Olympics. The corruption in the bidding process, documented by Andrew Jennings in 1992, was the first turn-off. Joan Ryan's 1995 Little Girls in Pretty Boxes, which investigated abuse in women's gymnastics and figure skating, made the tiny teens in both sports uncomfortable to watch. Then came the death of German luger Nodar Kumaritashvili in a training run at the 2010 Vancouver Winter Olympics. The local organizing committee had been warned that the track was dangerous as designed, and did - nothing. Care for the athletes is really the bottom line.

Anti-doping authorities have long insisted that athletes are responsible for every substance found in their bodies. However, as a minor Valieva is subject to less harsh rules. When the delayed results of a December test emerged, the Russian Anti-Doping Agency determined that she should be allowed to compete. The World Anti-Doping Agency, the International Olympic Committee, and the International Skating Union all appealed the decision. Instead, the Court for Arbitration for Sport upheld RUSADA's decision, writing in its final report, in deciding to allow Valieva to compete: "...athletes should not be subject to the risk of serious harm occasioned by anti-doping authorities' failure to function effectively at a high level of performance and in a manner designed to protect the integrity of the operation of the Games". In other words, the lab and the anti-doping authorities should have gotten all this resolved out of the world's sight, before the Games began, and because Valieva was a leading contender for the gold medal, denying her the right to compete could do her "irreparable harm".

The overlooked nuance here appears to be that Valieva had been issued a *provisional* suspension. As a "Protected Person" - that is, a child - she does not have to meet the same threshold of proof that adults do. The CAS judges accepted the possibility that, as her legal team argued, her positive test could have been due to contamination or accidental ingestion, as her grandfather used this medication. If you take the view that further investigation may eventually exonerate her, but too late for this Olympics, they have a point. If you take the strict view that the fight against doping requires hard lines to be drawn, then she should have been sent home.

But. But. But. On her doping control form, Valieva had acknowledged taking two more heart medications that aren't banned: L-carnitine, and hypoxen. Why is a 15-year-old testing positive for *three* heart medications? I don't care that two of them are legal.

Similarly: why is RUSADA involved when it's still suspended following Russia's state-sponsored doping scandal, which still has Russian athletes competing under the flag of the Russian Olympic Committee in a pretense that Russia is being punished?

Skating experts have had a lot to say about Valieva's coaches. We know from gymnastics as well as figure skating that the way women's bodies mature through their teens puts the most difficult - and most exciting - acrobatics out of reach. That reality has led to young female athletes being put on strict diets and doped with puberty blockers to keep them pre-pubescent. In her book, Ryan advocated age restrictions and greater oversight for both gymnastics and figure skating. Reviews complained that her more than 100 interviews with current and former gymnasts did not include the world's major successes, but that's the point: the 0.01% for whom the sport brings stardom are not representative. At Slate, Rita Wenxin Wang describes the same "culture of child abuse" Ryan described 25 years ago, pinpointing in particular Valieva's coach, Eteri Tutberidze, whose work with numerous young winning Russian teens won her Russia's Order of Honour from Vladimir Putin in 2018.

At The Ringer, Michael Baumann reports that Tutberidze burns through young skaters at a frantic pace; they wow the world for two or three years, and vanish. That could help explain CAS's conviction that this medal shot was irreplaceable.

At the Guardian, former gymnast Sarah Clarke calls out the IOC for its failure to protect Valieva. Clarke was one of the hundreds of victims of sexual predator Larry Nassar and notes that while Nassar has been jailed his many enablers have never been prosecuted and the IOC never acted against any of the organizations (US Gymnastics, USADA) that looked the other way. Also at the Guardian, Sean Ingle calls the incident clear evidence of abuse of a minor. At Open Democracy, Aiden McQuade calls Valieva's treatment "child trafficking" and an indictment of the entire Olympic movement.

Given that minors should not be put in the position Valieva was, there's just one answer: bring in the age restrictions that Ryan advocated in 1995 and that gymnastics and tennis brought in 25 years ago - tennis, after watching a series of high-profile teenaged stars succumb to injuries and burnout. This is a different definition of "harm".

The sports world has long insisted that it should be self-regulating, independent of all governments. The evidence continues to suggest the conflicts of interest run too deep.

Illustrations: Russian women's figure skating coach Eteri Tutberidze, at the 2018 award ceremony with Vladimir Putin (via Wikimedia).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 18, 2022

The search for intelligent life

The mythology goes like this. In the beginning, the Internet was decentralized. Then came money and Web 2.0, and they warped the best dreams of Web 2.0 into corporate giants. Now, web3 is going to restore the status ante?

Initial reaction: why will it be different this time?

Maybe it won't. Does that mean people shouldn't try? Ah. No. No, it does not.

One reason it's so difficult to write about web3 is that under scrutiny it dissolves into a jumble of decentralized web, cryptocurrencies, blockchain, and NFTs, though the Economist has an excellent explanatory podcast. Decentralizing the web I get: ever since Edward Snowden decentralization has been seen as a way to raise the costs of passive surveillance. The question has been: how? Blockchain and bitcoin sound nothing like the web - or a useful answer.

But even if you drop all the crypto stuff and just say "decentralized web to counter surveillance and censorship", it conveys little to the man on the Clapham omnibus. Try to explain, and you rapidly end up in a soup of acronyms that are meaningful only to technologists. In November, on first encountering web3, I suggested there are five hard problems. The first of those, ease of use, is crucial. Most people will always flock to whatever requires least effort; the kind of people who want to build a decentralized Internet are emphatically unusual. The biggest missed financial opportunity of my lifetime will likely have been ignoring the advice to buy some bitcoin in 2009 because it was just too much trouble. Most of today's big Internet companies got that way because whatever they were offering was better - more convenient, saved time, provided better results.

This week, David Rosenthal, developer of core Nvidia technologies, published a widely-discussed dissection of cryptocurrencies and blockchain, which Cory Doctorow followed quickly with a recap/critique. Tl;dr: web3 is already centralized, and blockchain and cryptocurrencies only pay off if their owners can ignore the external costs they impose on the rest of the world. Rosenthal argues that ignoring externalities is inherent in the Silicon Valley-type libertarianism from which they sprang.

Rosenthal also makes an appearance in the Economist podcast to explain that if you ask most people what the problems are with the current state of the Web, they don't talk centralization. They talk about overwhelming amounts of advertising, harassment, scams, ransomware, and expensive bandwidth. In his view, changing the technical infrastructure won't change the underlying economics - scale and network effects - that drive centralization, which, as all of these commentators note, has been the eventual result of every Internet phase since the beginning.

It's especially easy to be suspicious about this because of the venture capital money flooding in seeking returns.

"Get ready for the crash," Tim O'Reilly told CBS News. In a blog posting last December, he suggests how to find the good stuff in web3: look for the parts that aren't about cashing out and getting rich fast but *are* about solving hard problems that matter in the real world.

This is all helpful in understanding the broader picture, but doesn't answer the question of whether there's presently meat inside web3. Once bitten, twice shy, three times don't be ridiculous.

What gave me pause was discovering that Danny O'Brien has gone to work for the Filecoin Foundation and the Filecoin Foundation for the Distributed Web - aka, "doing something in web3". O'Brien has a 30-year history of finding the interesting places to be. In the UK, he was one-half of the 1990s must-read newsletter NTK, whose slogan was "They stole our revolution. Now we're stealing it back." Filecoin - a project to develop blockchain-based distributed storage, which he describes as "the next generation of something like Bittorrent" - appears to be the next stage of that project. The mention of Bittorrent reminded me how technologically dull the last few years have been.

O'Brien's explanation of Filecoin and distributed storage repeatedly evoked prior underused art that only old-timers remember. For example, in 1997 Cambridge security engineer Ross Anderson proposed the Eternity Service, an idea for distributing copies of data around the world so its removal from the Internet would be extremely difficult. There was Ian Clarke's 1999 effort to build such a thing, Freenet, a peer-to-peer platform for distributing data that briefly caused a major moral panic in the UK. Freenet failed to gain much adoption - although it's still alive today - because no one wanted to risk hosting unknown caches of data. Filecoin intends to add financial economic incentives: think a distributed cloud service.

O'Brien's mention of the need to ensure that content remains addressable evokes Ted Nelson's Project Xanadu, a pre-web set of ideas about sharing information. Finally, zero-knowledge proofs make it possible to show a proof that you have run a particular program and gotten back a specific result without revealing the input. The mathematics involved is arcane, but the consequence is far-reaching: you can prove results *and* protect privacy.

If this marriage of old and new research is "web3", suddenly it sounds much more like something that matters. And it's being built, at least partly, by people who remember the lessons of the past well enough not to repeat them. So: cautious signs that some part of "web3" will do something.

Illustrations: Diagram of centralized vs decentralized (IPFS) systems (from zK Capital at Medium).


February 11, 2022

Freedom fries

"Someone ratted me out," a friend complained recently. They meant: after a group dinner, one of the participants had notified everyone to say they'd tested positive for covid a day later, and a third person had informed the test and trace authorities and now my friend was getting repeated texts along the lines of "isolate and get tested". Which they found invasive and offensive, and...well, just plain *unreasonable*.

Last night, Boris Johnson casually said in Parliament that he thought we could end all covid-related restrictions in a couple of weeks. Today there's a rumor that the infection survey that has produced the most reliable data on the prevalence and location of covid infections may be discontinued soon. There have been rumors, too, of charging for covid tests.

Fifteen hundred people died of covid in this country in the past week. Officially, there were more than 66,000 new infections yesterday - and that doesn't include all the people who felt like crap and didn't do a test, or did do a test and didn't bother to report the results (because the government's reporting web form demands a lot of information each time that it only needs if you tested positive), or didn't know they were infected. If he follows through, Johnson's announcement would mean that if said dinner happened a month from now, my friend wouldn't be told to isolate. They can get exposed and perhaps infected and mingle as normal in complete ignorance. The tradeoff is the risk for everyone else: how do we decide when it's safe enough to meet? Is the plan to normalize high levels of fatalities?

Brief digression: no one thinks Johnson's announcement is a thought-out policy. Instead, given the daily emergence of new stories about rule-breaking parties at 10 Downing Street during lockdown, his comment is widely seen as an attempt to distract us and quiet fellow Conservatives who might vote to force him out of office. Ironically, a key element in making the party stories so compelling is the hundreds of pictures from CCTV, camera phones, social media, Johnson's official photographer... Teenagers have known for a decade to agree to down cameras at parties, but British government officials are apparently less afraid anything bad will happen to them if they're caught.

At the beginning of the pandemic, we wrote about the inevitable clash between privacy and the needs of public health and epidemiology. Privacy was indeed much discussed then, at the design stage for contact tracing apps, test and trace, and other measures. Democratic countries had to find a balance between the needs of public health and human rights. In the end, Google and Apple wound up largely dictating the terms on which contact tracing apps could operate on their platforms.

To the chagrin of privacy activists, "privacy" has rarely been a good motivator for activism. The arguments are too complicated, though you can get some people excited over "state surveillance". In this pandemic, the big rallying cry has been "freedom", from the media-friendly Freedom Day, July 19, 2021, when Johnson removed that round of covid restrictions, to anti-mask and anti-vaccination protesters, such as the "Freedom Convoy" currently blocking up normally bland, government-filled downtown Ottawa, Ontario, and an increasing number of other locations around the world. Understanding what's going on there is beyond the scope of net.wars.

More pertinent is the diverging meaning of "freedom". As the number of covid prevention measures shrinks, the freedom available to vulnerable people shrinks in tandem. I'm not talking about restrictions like how many people may meet in a bar, but simple measures like masking on public transport, or getting restaurants and bars to publish information about their ventilation that would make assessing risk easier.

Elsewise, we have many people who seem to define "freedom" to mean "It's my right to pretend the pandemic doesn't exist". Masks, even on other people, then become intolerable reminders that there is a virus out there making trouble. In that scenario, however, self-protection, even for reasonably healthy people who just don't want to get sick, becomes near-impossible. The "personal responsibility" approach doesn't work in a situation where what's most needed is social collaboration.

The people landed with the most risk can do the least about it. As the aftermath of Hurricane Sandy highlighted, the advent of the Internet has opened up a huge divide between the people who have to go to work and the people who can work anywhere. I can Zoom into my friend's group dinner rather than attend in person, but the caterers and waitstaff can't. If "your freedom ends where my nose begins" (Zechariah Chafee Jr, it says here) applies to physical violence, shouldn't it include infection by virus?

Many human rights activists warned against creating second-class citizens via vaccination passports. The idea was right, but privacy was the wrong lens, because we still view it predominantly as a right for the individual. You want freedom? Instead of placing the burden on each of us, as health psychologist Susan Michie has been advocating for months, make the *places* safer - set ventilation standards, have venues publish their protocols, display CO2 readings, install HEPA air purifiers. Less risk, greater freedom, and you'd get some privacy, too - and maybe fewer of us would be set against each other in standoffs no one knows how to fix.

Illustrations: Trucks protesting in Ottawa, February 2022 (via ΙΣΧΣΝΙΚΑ-888 at Wikimedia, CC-BY-SA-4.0).


February 4, 2022

Consent spam

This week the system of adtech that constantly shoves banners in our face demanding consent to use tracking cookies was ruled illegal by the Belgian Data Protection Authority, leading 28 EU data protection authorities. The Internet Advertising Bureau, whose Transparency and Consent Framework formed the basis of the complaint that led to the decision, now has two months to redesign its system to bring it into compliance with the General Data Protection Regulation.

The ruling marks a new level of enforcement that could begin to see the law's potential fulfilled.

Ever since May 2018, when GDPR came into force, people have been complaining that so far all we've really gotten from it is bigger! worse! more annoying! cookie banners, while the invasiveness of the online advertising industry has done nothing but increase. In a May 2021 report, for example, Access Now examined the workings of GDPR and concluded that so far the law's potential had yet to be fulfilled and daily violations were going unpunished - and unchanged.

There have been fines, some of them eye-watering, such as Amazon's 2021 fine of $877 million for its failure to get proper consent for cookies. But even Austrian activist lawyer Max Schrems' repeated European court victories have so far failed to force structural change, despite requiring the US and EU to rethink the basis of allowing data transfers.

To "celebrate" last week's data protection day, Schrems documented the situation: since the first data protection laws were passed, enforcement has been rare. Schrems' NGO, noyb, has plenty of its own experience to draw on. Of the 51 individual cases noyb has filed in Europe since its founding in 2018, only 15% have been decided within a year, none of them pan-European. Four cases filed with the Irish DPA in May 2018, the day after GDPR came into force, have yet to be given a final decision.

Privacy International, which filed seven complaints against adtech companies in 2018, also has an enforcement timeline. Only one, against Experian, resulted in an investigation, and even in that case no action has been taken since Experian's appeal in 2021. A recent study of diet sites showed that they shared the sensitive information they collect with unspecified third parties, PI senior technologist Eliot Bendinelli told last week's Privacy Camp. PI's complaint is yet to be enforced, though it has led some companies to change their practices.

Bendinelli was speaking on a panel trying to learn from GDPR's enforcement issues in order to ensure better protection of fundamental rights from the EU's upcoming Digital Services Act. Among the complaints with respect to GDPR: the lack of deadlines to spur action and inconsistencies among the different national authorities.

The complaint at the heart of this week's judgment began in 2018, when Open Rights Group director Jim Killock, UCL researcher Michael Veale, and Irish Council on Civil Liberties senior fellow Johnny Ryan took the UK Information Commissioner's Office to court over the ICO's lack of action regarding real-time bidding, which the ICO itself had found illegal under the UK's Data Protection Act (2018), the UK's post-Brexit GDPR clone. In real-time bidding, your visit to a participating web page launches an instant mini-auction to find the advertiser willing to pay the most to fill the ad space you're about to see. Your value is determined by crunching all the data the site and its external sources have or can get about you.

If all this sounds like it oughtta be illegal under GDPR, well, yes. Enter the IAB's TCF, which extracts your permission via those cookie consent banners. With many of these, dark-pattern design makes "consent" instant and rejection painfully slow. The Big Tech sites, of course, handle all this by using logins; you agree to the terms and conditions when you create your account and then you helpfully forget how much they learn about you every time you use the site.

In December 2021, the UK's Upper Tribunal refused to require the ICO to reopen the complaint, though it did award Killock and Veale concessions they hope will make the ICO more accountable in future.

And so back to this week's judgment that the IAB's TCF, which is used on 80% of the European Internet, is illegal. The Irish DPA is also investigating Google's similar system, as well as Quantcast's consent management system. On Twitter, Ryan explained the gist: cookie-consent pop-ups don't give publishers adequate user consent, and everyone must delete all the data they've collected.

Ryan and the Open Rights Group also point out that the judgment spikes the UK government's claim that revamping data protection law is necessary to get rid of cookie banners (at the expense of some of the human rights enshrined in the law). Ryan points to DuckDuckGo as an example of the non-invasive alternative: contextual advertising. He also observed that all that "consent spam" makes GDPR into merely "compliance theater".

Meanwhile, other moves are also making their mark. Also this week, Facebook (Meta)'s latest earnings showed that Apple's new privacy controls, which let users opt out of tracking, will cost it $10 billion this year. Apparently 75% of Apple users opt out.

Moral: given the tools and a supportive legal environment, people will choose privacy.

Illustrations: Diagram of OpenRTB, from the Belgian decision.
