
October 20, 2022

The laws they left behind

In the spring of 2020, as country after country instituted lockdowns, mandated contact tracing, and banned foreign travelers, many, including Britain, hastily passed laws enabling the state to take such actions. Even in the strange airlessness of the time, it was obvious that someday there would have to be a reckoning and a reevaluation of all that new legislation. Emergency powers should not be allowed to outlive the emergency. I spent many of those months helping Privacy International track those new laws across the world.

Here in 2022, although Western countries believe the acute emergency phase of the pandemic is past, the reality is that covid is still killing thousands of people a week across the world, and there is no guarantee we're safe from new variants with vaccine escape. Nonetheless, the UK and US at least appear to accept this situation as if it were the same old "normal". Except: there's a European war, inflation, strikes, a cost of living crisis, energy shortages, and a load of workplace monitoring and other privacy invasions that would have been heavily resisted in previous times. (And, in the UK, a government that has lost its collective mind; as I type no one dares move the news cameras away from the doors of Number 10 Downing Street in case the lettuce wins.)

Laws last longer than pandemics, as the human rights lawyer Adam Wagner writes in his new book, Emergency State: How We Lost Our Freedoms in the Pandemic and Why It Matters. For the last couple of years, Wagner has been a constant presence in my Twitter feed, alongside numerous scientists and health experts posting and examining the latest new research. Wagner studies a different pathology: the gaps between what the laws actually said and what was merely guidance, and between overactive police enforcement and people's reasonable beliefs of what the laws should be.

In Emergency State, Wagner begins by outlining six characteristics of the power of the emergency-empowered state: mighty, concentrated, ignorant, corrupt, self-reinforcing, and, crucially, we want it to happen. As a comparison, Wagner notes the surveillance laws and technologies rapidly adopted after 9/11. Much of the rest of the book investigates a seventh characteristic: these emergency-expanded states are hard to reverse. In an example that's frequently come up here, see Britain's World War II ID card, which took until 1952 to remove, and even then it took Harry Wilcock to win in court after refusing to show his papers on demand.

Most of us remember the shock and sudden silence of the first lockdown. Wagner remembers something most of us either didn't know or forgot: when Boris Johnson announced the lockdown and listed the few exceptional circumstances under which we were allowed to leave home, there was as yet no law in place on which law enforcement could rely. That only came days later. The emergency to justify this was genuine: dying people were filling NHS hospital beds. And yet: the government response overturned the basis of Britain's laws, which traditionally presume that everything is permitted unless it's specifically forbidden. Suddenly, the opposite - everything is forbidden unless explicitly permitted - was the foundation of daily life. And it happened with no debate.

Wagner then works methodically through Britain's Emergency State, beginning by noting that the ethos of Boris Johnson's government, continuing the Conservatives' direction of travel, coincidentally was already disdainful of Parliamentary scrutiny (see also: prorogation of Parliament) and ready to weaken both the Human Rights Act and the judiciary. As the pandemic wore on, Parliamentary attention to successive waves of incoming laws did not improve; sometimes, the laws had already changed by the time they reached the chamber. In two years, Parliament failed to amend any of them. Meanwhile, Wagner notes, behind closed doors government members ignored the laws they made.

The press dubbed March 18, 2022 Freedom Day, to signify the withdrawal of all restrictions. And yet: if scientists' worst fears come true, we may need them again. Many covid interventions - masks, ventilation, social distancing, contact tracing - are centuries old, because they work. The novelty here was the comprehensive lockdowns and widespread business closures, which Wagner suggests may have come about because the first country to suffer and therefore to react was China, where this approach was more acceptable to its authoritarian government. Would things have gone differently had the virus surfaced in a democratic country? We will never know. Either way, the effects of the cruelest restrictions - the separation among families and friends, the isolation imposed on the elderly and dying - cannot be undone.

In Britain's case, Wagner points to flaws in the Public Health Act (1984) that made it too easy for a months-old prime minister with a distaste for formalities to bypass democratic scrutiny. He suggests four remedies: urgently amend the act to include safeguards; review all prosecutions and fines under the various covid laws; codify stronger human rights, either in a written constitution or a bill of rights; and place human rights at the heart of emergency decision making. I'd add: elect leaders who will transparently explain which scientific advice they have and haven't followed and why, and who will plan ahead. The Emergency State may be in abeyance, but current UK legislation in progress seeks to undermine our rights regardless.


Illustrations: The Daily Star's QE2 lettuce declaring victory as 44-day prime minister Liz Truss resigns.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

October 7, 2022

Recycle

Bad ideas never die.

In particular, bad ideas in Internet policy never die. Partly, it's a newcomer problem. In the 1990s, one manifestation of this was that every newly-connected media outlet would soon run the story warning readers not to open an email with a particular subject line - for example, Join the Crew - because it would instantly infect your computer. These were virus hoaxes. At the time, emails were all plain text, and infection on opening an email was a technical impossibility. (Would that it still were.) This did end because the technology changed.

Still with us, though, are repeated calls to end online anonymity. It doesn't matter who it was this week, but there was a professorial tweet: social media should require proof of identity. This despite decades of experience and research that show that often the worst online behavior comes from people operating under their own well-known, real-world identity, and that many people who use anonymity really need it. And I do mean decades: it's 30 years since Lee Sproull and Sara Kiesler published their study of human behavior on corporate mailing lists.

This week, Konstantinos Komaitis, a senior director at the Internet Society, and 28 other Internet experts and academics sent a letter to the European Commission urging it to abandon possibly imminent proposals to require content providers such as Google and Facebook to pay "infrastructure fees" to telecommunications companies. The letter warns, as you'd expect, that bringing in such fees upends the network neutrality rules in place in many parts of the world, including the EU, where they became law in the 2015 Open Internet Regulation.

Among prior attempts, Komaitis highlights similar proposals from 2012, but he could have as easily pointed to 2005, when the then CEO of AT&T, Ed Whitacre, said he was tired of big Internet sites using "my pipes" "for free". At the time, network neutrality was being hotly disputed.

The Internet community has long distrusted telcos. First, because the pioneers still remember their hostility to the nascent Internet and, as they will remind you at any mention of the International Telecommunications Union, because the telcos' decades of monopoly were also decades of stagnation. A small sample of the workarounds and rule-breaking Internet founders had to adopt in Britain alone was presented at an event in 2013 that featured notable contributors Peter Kirstein, Roger Scantlebury, and Vint Cerf.

Of course, we all know what's happened since then: scrappy little Internet startups became Big Tech, and now everyone wants a piece of their wealth - governments, through taxation, and telcos, through changing the entire business model.

Until the EU's proposals surfaced last year, it was possible to think that this particular bad idea had finally died of old age. AT&T has changed CEOs a couple of times, and for a while in there it was owner of Time-Warner, which has its own streaming products. The fundamental issue is that the Internet infrastructure has grown up as a sort-of cooperative, in which everyone pays for their own connections and freely exchanges data with peers. In the world the telcos - and the postal services - live in, senders pay for carriage and intermediate carriers get a slice ("settlement"). Small wonder the telcos want to see that world return. (They shouldn't have been so dismissive at the beginning.)

EU telcos have been tilting at this particular wind turbine for a long time; in 2012, the European Telecommunications Network Operators Association (ETNO) called for settlement as part of a larger proposal to turn Internet governance over to the International Telecommunications Union. A contemporaneous 2012 presentation by analyst Falk von Bornstaedt argued that "sending party network pays" is the necessary future in order to provide quality-of-service guarantees.

The current EU call for this change is backed by Deutsche Telekom, Orange, Telefonica, and 13 other telcos. They have a new excuse: the energy crisis and plans for combating climate change mean they need Big Tech to share the costs of rolling out 5G and fiber optic cabling. More than half of global network traffic, they argue, is attributable to just six companies: Google, Facebook/Meta, Netflix, Apple, Amazon, and Microsoft.

It is certainly true that the all-you-can-eat model of Internet connection encourages some wastefulness such as ubiquitous Facebook trackers or constantly-connected subscription office software. Moving to "the metaverse", as Meta has $70 billion worth of hope that you will, will make this exponentially worse.

On the other hand, consider the truly undesirable consequences of changing the business model. The companies paying the telcos extra for carriage will expect in return to have their traffic prioritized. That in turn will disadvantage their competitors who don't have either that financial burden or that privileged access. Soon, what's left of the open Internet would be even more of an oligopoly, particularly with respect to high-bandwidth applications like video or virtual worlds, where network lag is the enemy of tolerable quality.

In a column (PDF), lays out the issues quite clearly and warns: 1) we may not have the tools to understand the consequences of such a change; and 2) we might not be able to unwind it if we regret it later, particularly if these companies continue to merge into even bigger and more predatory giants.

Tl;dr: Please don't do this.

Illustrations: Recycling symbol.


July 22, 2022

Parting gifts

All national constitutions are written to a threat model that is clearly visible if you compare what they say to how they are put into practice. Ireland, for example, has the same right to freedom of religion embedded in its constitution as the US bill of rights does. Both were reactions to English abuse, yet they chose different remedies. The nascent US's threat model was a power-abusing king, and that focus coupled freedom of religion with a bar on the establishment of a state religion. Although the Founding Fathers were themselves Protestants and likely imagined a US filled with people in their likeness, their threat model was not other beliefs or non-belief but the creation of a supreme superpower derived from merging state and church. In Ireland, for decades, "freedom of religion" meant "freedom to be Catholic". Campaigners for the separation of church and state in 1980s Ireland, when I lived there, advocated fortifying the constitutional guarantee with laws that would make it true in practice for everyone from atheists to evangelical Christians.

England, famously, has no written constitution to scrutinize for such basic principles. Instead, its present Parliamentary system has survived for centuries under a "gentlemen's agreement" - a term of trust that in our modern era transliterates to "the good chaps rule of government". Many feel Boris Johnson has exposed the limitations of this approach. Yet it's not clear that a written constitution would have prevented this: a significant lesson of Donald Trump's US presidency is how many of the systems protecting American democracy rely on "unwritten norms" - the "gentlemen's agreement" under yet another name.

It turns out that tinkering with even an unwritten constitution is tricky. One such attempt took place in 2011, with the passage of the Fixed-term Parliaments Act. Without the act, a general election must be held at least once every five years, but may be called earlier if the prime minister advises the monarch to do so; they may also be called at any time following a vote of no confidence in the government. Because past prime ministers were felt to have abused their prerogative by timing elections for their political benefit, the act removed it in favor of a set five-year interval unless a no-confidence vote found a two-thirds super-majority. There were general elections in 2010 and 2015 (the first under the act). The next should have been in 2020. Instead...

No one counted on the 2016 vote to leave the EU or David Cameron's next-day resignation. In 2017, Theresa May, trying to negotiate a deal with an increasingly divided Parliament and thinking an election would win her a more workable majority and a mandate, got the necessary super-majority to call a snap election. Her reward was a hung Parliament; she spent the rest of her time in office hamstrung by having to depend on the good will of Northern Ireland's Democratic Unionist Party to get anything done. Under the act, the next election should have been 2022. Instead...

In 2019, a Conservative party leadership contest replaced May with Boris Johnson, who, after several failed attempts blocked by opposition MPs determined to stop the most reckless Brexit possibilities, won the necessary two-thirds majority and called a snap election, winning a majority of 80 seats. The next election should be in 2024. Instead...

They repealed the act in March 2022. As we were. Now, Johnson is going, leaving both party and country in disarray. An election in 2023 would be no surprise.

Watching the FTPA in action led me to this conclusion: British democracy is like a live frog. When you pin down one bit of it, as the FTPA did, it throws the rest into distortion and dysfunction. The obvious corollary is that American democracy is a *dead* frog that is being constantly dissected to understand how it works. The disadvantage to a written constitution is that some parts will always age badly. The advantage is clarity of expectations. Yet both systems have enabled someone who does not care about norms to leave behind a generation's worth of continuing damage.

All this is a long preamble to saying that last year's concerns about the direction of the UK's computers-freedom-privacy travel have not abated. In this last week before Parliament rose for the summer, while the contest and the heat saturated the news, Johnson's government introduced the Data Protection and Digital Information bill, which will undermine the rights granted by 25 years of data protection law. The widely disliked Online Safety bill was postponed until September. The final two leadership candidates are, to varying degrees, determined to expunge EU law, revamp the Human Rights act, and withdraw from the European Convention on Human Rights. In addition, lawyer Gina Miller warns, the Northern Ireland Protocol bill expands executive power by giving ministers the Henry VIII power to make changes without Parliamentary consent: "This government of Brexiteers are eroding our sovereignty, our constitution, and our ability to hold the government to account."

The British convention is that "government" is collective: the government *are*. Trump wanted to be a king; Johnson wishes to be a president. The coming months will require us to ensure that his replacement knows their place.


Illustrations: Final leadership candidates Rishi Sunak and Liz Truss in debate on ITV.


July 15, 2022

Online harms

An unexpected bonus of the gradual-then-sudden disappearance of Boris Johnson's government, followed by his own resignation, is that the Online Safety bill is being delayed until after Parliament's September return with a new prime minister and, presumably, cabinet.

This is a bill almost no one likes - child safety campaigners think it doesn't go far enough; digital and human rights campaigners - Big Brother Watch, Article 19, Electronic Frontier Foundation, Open Rights Group, Liberty, a coalition of 16 organizations (PDF) - because it threatens freedom of expression and privacy while failing to tackle genuine harms such as the platforms' business model; and technical and legal folks because it's largely unworkable.

The DCMS Parliamentary committee sees it as wrongly conceived. The UK Independent Reviewer of Terrorism Legislation, Jonathan Hall QC, says it's muzzled and confused. Index on Censorship calls it fundamentally broken, and The Economist says it should be scrapped. The minister whose job it has been to defend it, Nadine Dorries (C-Mid Bedfordshire), remains in place at the Department for Culture, Media, and Sport, but her insistence that resigning-in-disgrace Johnson was brought down by a coup probably won't do her any favors in the incoming everything-that-goes-wrong-was-Johnson's-fault era.

In Wednesday's Parliamentary debate on the bill, the most interesting speaker was Kirsty Blackman (SNP-Aberdeen North), whose Internet usage began 30 years ago, when she was younger than her children are now. Among passionate pleas that her children should be protected from some of the high-risk encounters she experienced, was: "Every person, nearly, that I have encountered talking about this bill who's had any say over it, who continues to have any say, doesn't understand how children actually use the Internet." She called this the bill's biggest failing. "They don't understand the massive benefits of the Internet to children."

This point has long been stressed by academic researchers Sonia Livingstone and Andy Phippen, both of whom actually do talk to children. "If the only horse in town is the Online Safety bill, nothing's going to change," Phippen said at last week's Gikii, noting that Dorries' recent cringeworthy TikTok "rap" promoting the bill focused on platform liability. "The liability can't be only on one stakeholder." His suggestion: a multi-pronged harm reduction approach to online safety.

UK politicians have publicly wished to make "Britain the safest place in the world to be online" all the way back to Tony Blair's 1997-2007 government. It's a meaningless phrase. Online safety - however you define "safety" - is like public health; you need it everywhere to have it anywhere.

Along those lines, "Where were the regulators?" Paul Krugman asked in the New York Times this week, as the cryptocurrency crash continues to flow. The cryptocurrency market, which is now down to $1 trillion from its peak of $3 trillion, is recapitulating all the reasons why we regulate the financial sector. Given the ongoing collapses, it may yet fully vaporize. Krugman's take: "It evolved into a sort of postmodern pyramid scheme". The crash, he suggests, may provide the last, best opportunity to regulate it.

The wild rise of "crypto" - and the now-defunct Theranos - was partly fueled by high-trust individuals who boosted the apparent trustworthiness of dubious claims. The same, we learned this week, was true of Uber 2014-2017. Based on the Uber files, 124,000 documents provided by whistleblower Mark MacGann, a lobbyist for Uber 2014-2016, the Guardian exposes the falsity of Uber's claims that its gig economy jobs were good for drivers.

The most startling story - which transport industry expert Hubert Horan had already published in 2019 - is the news that the company paid academic economists six-figure sums to produce reports it could use to lobby governments to change the laws it disliked. Other things we knew about - for example, Greyball, the company's technology denying regulators and police rides so they couldn't document Uber's regulatory violations and Uber staff's abuse of customer data - are now shown to have been more widely used than we knew. Further appalling behavior, such as that of former CEO Travis Kalanick, who was ousted in 2017, has been thoroughly documented in the 2019 book, Super Pumped, by Mike Isaac, and the 2022 TV series based on it, Super Pumped.

But those scandals - and Thursday's revelation that 559 passengers are suing the company for failing to protect them from rape and assault by drivers - aren't why Horan described Uber as a regulatory failure in 2019. For years, he has been indefatigably charting Uber's eternal unprofitability. In his latest, he notes that Uber has lost over $20 billion since 2015 while cutting driver compensation by 40%. The company's share price today is less than half its 2019 IPO price of $45 - and a third of its 2021 peak of $60. The "misleading investors" kind of regulatory failure.

So, returning to the Online Safety bill, if you undermine existing rights and increase the large platforms' power by devising requirements that small sites can't meet *and* do nothing to rein in the platforms' underlying business model...the regulatory failure is built in. This pause is a chance to rethink.

Illustrations: Boris Johnson on his bike (European Cyclists Federation via Wikimedia).


June 10, 2022

Update needed

In public discussions of Internet governance, only two organizations feature much: the Internet Corporation for Assigned Names and Numbers, founded in 1998, and the Internet Governance Forum, set up in 2005. The former performs the crucial technical role of ensuring that the domain name system that allows humans to enter a word-like Internet address and computers to translate and route it to a numbered device continues to function correctly. The second...well, it hosts interesting conferences on Internet governance.

Neither is much known to average users, who would probably guess the Internet is run by one or more of the big technology companies. Yet they're the best-known of a clutch of engineering-led organizations that set standards and make decisions that affect all of us. In 2011, the Economist described the Internet as shambolically governed (yet concluded that multistakeholder "chaos" is preferable to the alternative of government control).

In a report for the Tony Blair Institute, journalist and longstanding ICANN critic Kieren McCarthy considers that much of Internet governance as currently practiced needs modernization. This is not about the application-layer debates such as content moderation and privacy that occupy the minds of rights activists and governments. Instead, McCarthy is considering the organizations that devised and manage the technical underpinnings that most people ignore. These things matter; the fact that any computer can join the Internet and set up a service without asking anyone's permission or that a website posted in 1995 remains readable is due to the efforts of organizations like the Internet Engineering Task Force, the Internet Architecture Board, the Internet Society, the World Wide Web Consortium (W3C), and so on. And those are just part of the constellation of governance organizations, well-known compared to the Regional Internet Registries or the tiny group of root server operators.

As unknown as these organizations are to most people (even W3C is vastly less famous than its founder, Tim Berners-Lee), they still have decisive power over the Internet's development. When, shortly after February's Russian invasion, a Ukrainian minister asked ICANN to block Internet traffic to and from Russia, ICANN, prioritizing the openness, interconnectedness, and unity of the global network, correctly said no. But note: ICANN, whose last ties to the US government were severed in 2016, made its decision without consulting either governments or a United Nations committee.

McCarthy's main points: these legacy organizations do not coordinate their efforts; they lack strategy beyond maintaining and evolving the network as it stands; they are internally disorganized; and they are increasingly resistant to new ideas and new participants. They are "essential to maintaining a global, interoperable Internet" - yet McCarthy finds a growing list of increasingly contentious topics and emerging technologies that escape the current ecosystem: censorship, content moderation, AI, web3 and blockchain, privacy and data protection. If these organizations don't rise to those occasions, governments will seek to fill the gap, most likely creating a more fragmented and less functional network. Even now this happens in small ways: four years after the EU's GDPR came into force many US media sites still block European readers rather than find a compliant way to serve us.

From the beginning, ensuring that the technical organizations remain narrowly focused has been seen as essential. See for example the critics who monitored ICANN's development during its first decade, suspicious that it might stray into enforcing government-mandated censorship.

The guiding principles of new governments are always based on a threat model. The writers of the US Constitution, for example, feared the installation of a king and takeover by a foreign country (England). Internet organizations' threat model also has two prongs: first, fragmentation, and second, takeover by governments, specifically the International Telecommunication Union, the United Nations agency that manages worldwide telecommunications and which regards itself as the Internet's natural governor. Internet pioneers still believe there could be no worse fate, citing decades of pre-Internet stagnation in the fully-controlled telephone networks.

The ITU has come sort-of-close several times: in 1997 ($), when widespread opposition led instead to ICANN's creation, in the early 2000s, when the World Summit on the Information Society instead created the IGF, and in 2012, when a meeting to update the ITU's regulations led many, including the Trade Union Congress, to fear a coup. Currently, concern that governments will carve things up surrounds negotiations over cybersecurity.

The approach that created today's multistakeholder organizations is, however, just one of four that University of Southampton professors Wendy Hall and Kieron O'Hara examine in their 2021 book, The Four Internets and find are being contested. Our legacy version they dub the "open Internet", and connect it with San Francisco and libertarian ideology. The other three: the "bourgeois Brussels" Internet that the EU is trying to regulate into being with laws like the Digital Services Act, the AI Act, and the Digital Market Act; the commercial ("DC") Internet; and the "paternalistic" Internet of countries like China and Russia, who want to ringfence what their citizens can access. Any of them, singly or jointly, could lead to the long-feared "splinternet".

McCarthy concludes that the threat now is that Internet governance as practiced to date will fail through stagnation. His proposal is to create a new oversight body which he compares to a root server that provides coordination and authoritative information. Left for another time: who? And how?



March 25, 2022

Dangerous corner

If there is one thing the Western world has near-universally agreed in the last month, it's that in the Russian invasion of Ukraine, the Ukrainians are the injured party. The good guys.

If there's one thing that privacy advocates and much of the public agree on, it's that Clearview AI, which has amassed a database of (it claims) 10 billion facial images by scraping publicly accessible social media without the subjects' consent and sells access to it to myriad law enforcement organizations, is one of the world's creepiest companies. This assessment is exacerbated by the fact that the company and its CEO refuse to see anything wrong about their unconsented repurposing of other people's photos; it's out there for the scraping, innit?

Last week, Reuters reported that Clearview AI was offering Ukraine free access to its technology. Clearview's suggested uses: vetting people at checkpoints; debunking misinformation on social media; reuniting separated family members; and identifying the dead. Clearview's CEO, Hoan Ton-That, told Reuters that the company has 2 billion images of Russians scraped from Russian Facebook clone VKontakte.

This week, it's widely reported that Ukraine is accepting the offer. At Forbes, Tom Brewster reports that Ukraine is using the technology to identify the dead.

Clearview AI has been controversial ever since January 2020, when Kashmir Hill reported its existence in the New York Times, calling it "the secretive company that might end privacy as we know it". Social media sites LinkedIn, Twitter, and YouTube all promptly sent cease-and-desist notices. A month later, Kim Lyons reported at The Verge that its 2,200 customers included the FBI, Interpol, the US Department of Justice, Immigration and Customs Enforcement, a UAE sovereign wealth fund, the Royal Canadian Mounted Police, and college campus police departments.

In May 2021, Privacy International filed complaints in five countries. In response, Canada, Australia, the UK, France, and Italy have all found Clearview to be in breach of data protection laws and ordered it to delete all the photos of people that it has collected in their territories. Sweden, Belgium, and Canada have declared law enforcement use of Clearview's technology to be illegal.

Ukraine is its first known use in a war zone. In a scathing blog posting, Privacy International says, "...the use of Clearview's database by authorities is a considerable expansion of the realm of surveillance, with very real potential for abuse."

Brewster cites critics, who lay out familiar privacy issues. Misidentification in a war zone could lead to death if a live soldier's nationality is wrongly assessed (especially common when the person is non-white) and unnecessary heartbreak for dead soldiers' families. Facial recognition can't distinguish civilians and combatants. In addition, the use of facial recognition by the "good guys" in a war zone might legitimize the technology. This last seems to me unlikely; we all distinguish the difference between what's acceptable in peace time versus an extreme context. The issue here is the *company*, not the technology, as PI accurately pinpoints: "...it seems no human tragedy is off-limits to surveillance companies looking to sanitize their image."

Jack McDonald, a senior lecturer in war studies at King's College London who researches the relationship between ethics, law, technology, and war, sees the situation differently.

Some of the fears Brewster cites, for example, are far-fetched. "They're probably not going to be executing people at checkpoints." If facial recognition finds a match in those situations, they'll more likely make an arrest and do a search. "If that helps them to do this, there's a very good case for it, because Russia does appear to be flooding the country with saboteurs." Cases of misidentification will be important, he agrees, but consider the scale of harm in the conflict itself.

McDonald notes, however, that the use of biometrics to identify refugees is an entirely different matter and poses huge problems. "They're two different contexts, even though they're happening in the same space."

That leaves the use Ukraine appears to be most interested in: identifying dead bodies. This, McDonald explains, represents a profound change from the established norms, which include social and institutional structures and has typically been closely guarded. Even though the standard of certainty is much lower, facial recognition offers the possibility of being able to do identification at scale. In both cases, the people making the identification typically have to rely on photographs taken elsewhere in other contexts, along with dental records and, if all else fails, public postings.

The reality of social media is already changing the norms. In this first month of the war, Twitter users posting pictures of captured Russian soldiers are typically reminded that it is technically against the Geneva Convention to do so. The extensive documentation - video clips, images, first-person reports - that is being posted from the conflict zones on services like TikTok and Twitter is a second front in its own right. In the information war, using facial recognition to identify the dead is strategic.

This is particularly true because of censorship in Russia, where independent media have almost entirely shut down and citizens have only very limited access to foreign news. Dead bodies are among the only incontrovertible sources of information that can break through the official denials. The risk that inaccurate identification could fuel Russian propaganda remains, however.

Clearview remains an awful idea. But if I thought it would help save my country from being destroyed, would I care?


Illustrations: War damage in Mariupol, Ukraine (Ministry of Internal Affairs of Ukraine, via Wikimedia).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 11, 2022

The rhetoric meets the road

On February 28, at the same time as he called for blocking Russia's Internet connections, Ukrainian minister of digital transformation Mykhailo Fedorov called for cryptocurrency exchanges to block the addresses of Russian users as well as addresses officially tied to Russia and Belarus. Fedorov was not the only one: European Central Bank president Christine Lagarde called for regulations to stop cryptocurrencies from being used to bypass the economic sanctions being jointly applied against Russia by numerous countries, as has Estonian prime minister Kaja Kallas.

Their concern echoes the rhetoric that formed cryptocurrencies' origin story. Bitcoin's founding paper begins by saying that the system's main benefit is eliminating the need for financial institutions or trusted third parties because the blockchain replaces trust with cryptography and transparency. Eliminating governments' ability to interfere in financial transactions was definitely part of the plan. I can't help thinking that Satoshi's threat model was governments taken singly, not dozens of them acting in concert. Also, this was before Sarah Meiklejohn showed that bitcoin addresses are not anonymous.

The notion that cryptocurrencies can build an independent global financial system outside of government regulation is even more overblown than 1999's claims that governments would not be able to control the Internet. Information can achieve an effect simply by transmitting from one individual to another. Money can't, at least not at current levels of non-adoption; if you want your bitcoin stash to be of use to buy stuff you have to connect it to state-backed currencies. Even stablecoins won't buy me groceries at the local shop. And that's the point where government regulation steps in - as, for example, this week, when the UK's Financial Conduct Authority ordered the shutdown of all 81 of the UK's bitcoin ATMs because they need to be registered and comply with anti-money-laundering regulations.

The responses to the above developments have exposed the extent to which the original bitcoin/blockchain design has been thwarted by centralization. As we've said before, any time something is complicated there's a business model for a third-party intermediary to make it simple. And so we have cryptocurrency exchanges like Coinbase, which make buying and transferring cryptocurrencies easy but far more controllable for governments. And indeed: a few days after sanctions were imposed, Coinbase had blocked 25,000 cryptocurrency addresses linked to Russian people or entities.

With the Moscow stock exchange closed for two weeks and counting, shares in Russian companies plummeting to zero on international exchanges, and the ruble collapsing, the motivations for individuals to use cryptocurrencies are inarguable. But an entire trillion-dollar economy?

Says Dave Birch, author of The Currency Cold War, "Cryptocurrency people think cryptocurrencies are more important than they actually are."

Changpeng Zhao, the founder of Binance, which in 2021 was investigated for money laundering by the US and ordered to cease operations in the UK, quickly refused to sanction Russians, arguing that cryptocurrencies are too small for Russian needs. Zhao estimated the value of all cryptocurrencies at less than 0.3% of global net worth - plus, it's too traceable to be useful for illicit activities. Coin Telegraph reports that Russians are estimated to hold more than $200 billion in cryptocurrencies as of February 2022; the country is Binance's second-biggest market after Turkey.

Many experts agree with Zhao. At last week's State of the Net conference, Bill Rockwood, the executive director of the Future Forum caucus in the US House of Representatives, argued that the unalterability of the blockchain creates truth an authoritarian state can't hide, making it unsuitable for a country trying to stealthily evade international sanctions. At the Atlantic Council, senior fellow JP Schnapper-Casteras agrees, pointing out that Russian authorities have considered either banning or regulating cryptocurrencies for the precise reason that they cannot be easily centrally controlled. In any case, Schnapper-Casteras adds, US-based cryptocurrency exchanges must legally comply with all US law, including sanctions, and law enforcement skills at tracing transactions on public blockchains have improved greatly, as the recent Bitfinex arrests showed. Plus, only two cryptocurrencies are big enough to help, and purchases of the necessary size would lead to unaffordable price spikes. Like many other countries, Russia intends to develop its own central bank digital currency - but that will take years.

In a Twitter thread, the Bitcoin Association's head of policy, Jake Chervinsky, explains all that in more detail, and also points out that in the years Russian president Vladimir Putin has spent building up his war chest, cryptocurrencies formed no part of the plan, as the New York Times has reported.

The more obvious use is for individual Russians to buy cryptocurrencies (using their own systems and hardware wallets, avoiding the exchanges) as a way of hedging against further collapse in the ruble. Bloomberg, however, finds that this isn't really happening much either. As of March 3, blockchain data was showing that Russian purchases have actually halved since February and are less than a fifth of what they were at their peak in May 2021. Also, we're talking millions, not the billions the war is costing Russia every day.

The more important cryptocurrency threat we should be considering, Reuters reports, is cyber attacks on cryptocurrency exchanges. If you have a bunch of cryptocurrency reposing in an online software wallet...buyer beware.


Illustrations: Bitcoin logo.


March 4, 2022

Sovereign stack

But first, a note: RIP Cliff Stanford, who in 1993 founded the first Internet Service Provider to offer access to consumers in the UK, died this week. Stanford's Demon Internet was my first ISP, and I well remember having to visit their office so they could personally debug my connection, which required users to precisely configure a bit of code designed for packet radio (imagine getting that sort of service now!). Simon Rockman has a far better-informed obit than I could ever write.

***

On Monday, four days after Russia invaded Ukraine, the Ukrainian minister for digital transformation, Mykhailo Fedorov, sent a letter (PDF) to the Internet Corporation for Assigned Names and Numbers and asked it to shut down Russian country code domains such as .ru, .рф, and .su. Quick background: ICANN manages the Internet's domain name system, the infrastructure that turns the human-readable name for a website or email address that you type in into the routing numbers computers actually use to get your communications to where you want them to go. Fedorov also asked ICANN to shut down the DNS root servers located in Russia, and plans a separate letter to request the revocation of all numbered Internet addresses in use by Russian members of RIPE-NCC, the registry that allocates Internet numbers in Europe and West Asia.

Shorn of the alphabet soup, what Fedorov is asking ICANN to do is sanction Russia by using technical means to block both incoming (we can't get to their domains) and outgoing (they can't get to ours) Internet access, on the basis that Russia uses the Internet to spread propaganda, disinformation, hate speech and the promotion of violence.

ICANN's refusal (PDF) came quickly. For numerous reasons, ICANN is right to refuse, as the Internet Society, Access Now, and others have all said.

Internet old-timers would say that ICANN's job is management, not governance. This is a long-running argument going all the way back to 1998, when ICANN was created to take over from the previous management, the University of Southern California computer scientist Jon Postel. Among other things, Postel set up much of the domain name system, selecting among submitted proposals to run registries for both international top-level domains (.com and .net, for example), and country code domains (such as .uk and .ru). Especially in its early years, digital rights groups watched ICANN with distrust, concerned that it would stray into censorship at the behest of one or another government instead of focusing on its actual job, ensuring the stability and security of the network's operation.

For much of its history ICANN was accountable to the US National Telecommunications and Information Administration, part of the Department of Commerce. It became formally independent as a multistakeholder organization in 2016, after much wrangling over how to construct the new model.

This history matters because the alternative to ICANN was transitioning its functions to the International Telecommunications Union, an agency of the United Nations, a solution the Internet community generally opposed, then and now. Just a couple of weeks ago, Russia and China began a joint push towards greater state control, which they intended to present this week to the ITU's World Telecommunication Standardization Assembly. Their goal is to redesign the Internet to make it more amenable to government control, exactly the outcome everyone from Internet pioneers to modern human rights activists seeks to avoid.

So, now. Shutting down the DNS at the request of one country would put ICANN exactly where it shouldn't be: making value judgments about who should have access.

More to the specific situation, shutting off Russian access would be counterproductive. The state shut down the last remaining opposition TV outlet on Thursday, along with the last independent radio station. Many of the remaining independent journalists are leaving the country. Recognizing this, the BBC is turning its short-wave radio service back on. But other than that, the Internet is the only remaining possibility most Russians have of accessing independent news sources - and Russia's censorship bureau is already threatening to block Wikipedia if it doesn't cover the Ukraine invasion to its satisfaction.

In fact, Russia has long been working towards a totally-controlled national network that can function independently of the rest of the Internet, like the one China already has. As The Economist writes, China is way ahead; it has 25 years of investment in its Great Firewall, and owns its entire national "stack". That is, it has domestic companies that make chips, write software, and provide services. Russia is far more dependent on foreign companies to provide many of the pieces necessary to fill out the "sovereign stack" it mandated in 2019 legislation. In July 2021, Russia tested disconnecting its nascent "Runet" from the Internet, though little is known about the results. It is

There are other, more appropriate channels for achieving Fedorov's goal. The most obvious are the usual social media suspects and their ability to delete fake accounts and bots and label or remove misinformation. Facebook, Google, and Twitter all moved quickly to block Russian state media from running ads on their platforms or, in Facebook's case, monetizing content. Since then, Google has paused all ad sales in Russia. The economic sanctions enacted by many countries and the crash in the ruble should shut down Russians' access to most Western ecommerce. Many countries are kicking Russia's state-media channels off

This war is a week old. It will end - sometime. It will not pay in the long term (assuming we have one) to lock Russian citizens, many of whom oppose the war, into a state media-controlled echo chamber. Our best hope is to stay connected and find ways to remediate the damage, as painful as that is.


Illustrations: Sunflowers under a blue sky (by Inna Radetskaya at Wikimedia).


February 11, 2022

Freedom fries

"Someone ratted me out," a friend complained recently. They meant: after a group dinner, one of the participants had notified everyone to say they'd tested positive for covid a day later, and a third person had informed the test and trace authorities and now my friend was getting repeated texts along the lines of "isolate and get tested". Which they found invasive and offensive, and...well, just plain *unreasonable*.

Last night, Boris Johnson casually said in Parliament that he thought we could end all covid-related restrictions in a couple of weeks. Today there's a rumor that the infection survey that has produced the most reliable data on the prevalence and location of covid infections may be discontinued soon. There have been rumors, too, of charging for covid tests.

Fifteen hundred people died of covid in this country in the past week. Officially, there were more than 66,000 new infections yesterday - and that doesn't include all the people who felt like crap and didn't do a test, or did do a test and didn't bother to report the results (because the government's reporting web form demands a lot of information each time that it only needs if you tested positive), or didn't know they were infected. If he follows through, Johnson's announcement would mean that if said dinner happened a month from now, my friend wouldn't be told to isolate. They can get exposed and perhaps infected and mingle as normal in complete ignorance. The tradeoff is the risk for everyone else: how do we decide when it's safe enough to meet? Is the plan to normalize high levels of fatalities?

Brief digression: no one thinks Johnson's announcement is a thought-out policy. Instead, given the daily emergence of new stories about rule-breaking parties at 10 Downing Street during lockdown, his comment is widely seen as an attempt to distract us and quiet fellow Conservatives who might vote to force him out of office. Ironically, a key element in making the party stories so compelling is the hundreds of pictures from CCTV, camera phones, social media, Johnson's official photographer... Teenagers have known for a decade to agree to down cameras at parties, but British government officials are apparently less afraid anything bad will happen to them if they're caught.

At the beginning of the pandemic, we wrote about the inevitable clash between privacy and the needs of public health and epidemiology. Privacy was indeed much discussed then, at the design stage for contact tracing apps, test and trace, and other measures. Democratic countries had to find a balance between the needs of public health and human rights. In the end, Google and Apple wound up largely dictating the terms on which contact tracing apps could operate on their platforms.

To the chagrin of privacy activists, "privacy" has rarely been a good motivator for activism. The arguments are too complicated, though you can get some people excited over "state surveillance". In this pandemic, the big rallying cry has been "freedom", from the media-friendly Freedom Day, July 19, 2021, when Johnson removed that round of covid restrictions, to anti-mask and anti-vaccination protesters, such as the "Freedom Convoy" currently blocking up normally bland, government-filled downtown Ottawa, Ontario, and an increasing number of other locations around the world. Understanding what's going on there is beyond the scope of net.wars.

More pertinent is the diverging meaning of "freedom". As the number of covid prevention measures shrinks, the freedom available to vulnerable people shrinks in tandem. I'm not talking about restrictions like how many people may meet in a bar, but simple measures like masking on public transport, or getting restaurants and bars to publish information about their ventilation that would make assessing risk easier.

Elsewise, we have many people who seem to define "freedom" to mean "It's my right to pretend the pandemic doesn't exist". Masks, even on other people, then become intolerable reminders that there is a virus out there making trouble. In that scenario, however, self-protection, even for reasonably healthy people who just don't want to get sick, becomes near-impossible. The "personal responsibility" approach doesn't work in a situation where what's most needed is social collaboration.

The people landed with the most risk can do the least about it. As the aftermath of Hurricane Sandy highlighted, the advent of the Internet has opened up a huge divide between the people who have to go to work and the people who can work anywhere. I can Zoom into my friend's group dinner rather than attend in person, but the caterers and waitstaff can't. If "your freedom ends where my nose begins" (Zechariah Chafee Jr, it says here) applies to physical violence, shouldn't it include infection by virus?

Many human rights activists warned against creating second-class citizens via vaccination passports. The idea was right, but privacy was the wrong lens, because we still view it predominantly as a right for the individual. You want freedom? Instead of placing the burden on each of us, as health psychologist Susan Michie has been advocating for months, make the *places* safer - set ventilation standards, have venues publish their protocols, display CO2 readings, install HEPA air purifiers. Less risk, greater freedom, and you'd get some privacy, too - and maybe fewer of us would be set against each other in standoffs no one knows how to fix.


Illustrations: Trucks protesting in Ottawa, February 2022 (via ΙΣΧΣΝΙΚΑ-888 at Wikimedia, CC-BY-SA-4.0).



September 10, 2021

Globalizing Britain

Brexit really starts now. It was easy to forget, during the dramas that accompanied the passage of the Withdrawal Agreement and the disruption of the pandemic, that the really serious question had still not been answered: given full control, what would Britain do with it? What is a reshaped "independent global Britain" going to be when it grows up? Now is when we find out, as this government, which has a large enough majority to do almost anything it wants, pursues the policies it announced in the Queen's Speech last May.

Some of the agenda is depressingly cribbed from the current US Republican playbook. First and most obvious in this group is the Elections bill. The most contentious change is requiring voter ID at polling stations (even though there was a total of one conviction for voter fraud in 2019, the year of the last general election). What those in other countries may not realize is how many eligible voters in Britain lack any form of photo ID. The Guardian reports that 11 million people - a fifth of eligible voters - have neither driver's license nor passport. Naturally they are disproportionately from black and Asian backgrounds, older and disabled, and/or poor. The expected general effect, especially coupled with the additional proposal to remove the 15-year cap on voting while expatriate, is to put the thumb on the electoral scale to favor the Conservatives.

More nettishly, the government is gearing up for another attack on encryption, pulling out all the same old arguments. As Gareth Corfield explains at The Register, the current target is Facebook, which intends to roll out end-to-end encryption for messaging and other services, mixed with some copied FBI going dark rhetoric.

This is also the moment when the Online Safety bill (previously online harms). The push against encryption, which includes funding technical development, is part of that because the bill makes service providers responsible for illegal content users post - and also, as Heather Burns points out at the Open Rights Group, legal but harmful content. Burns also details the extensive scope of the bill's age verification plans.

These moves are not new or unexpected. Slightly more so was the announcement that the UK will review data protection law with an eye to diverging from the EU; it opened the consultation today. This is, as many have pointed out before, dangerous for UK businesses that rely on data transfers to the EU for survival. The EU's decision a few months ago to grant the UK an adequacy decision - that is, the EU's acceptance of the UK's data protection laws as providing equivalent protection - will last for four years. It seems unlikely the EU will revisit it before then, but even before divergence Ian Brown and Douwe Korff have argued that the UK's data protection framework should be ruled inadequate. It *sounds* great when they say it will mean getting rid of the incessant cookie pop-ups, but at risk are privacy protections that have taken years to build. The consultation document wants to promise everything: "even better data protection regime" and "unlocking the power of data" appear in the same paragraph, and the new regime will also both be "pro-growth and innovation-friendly" and "maintain high data protection standards".

Recent moves have not made it easier to trust this government with respect to personal data - first the postponed-for-now medical data fiasco and second this week's revelation that the government is increasingly using our data and hiring third-party marketing firms to target ads and develop personalized campaigns to manipulate the country's behavior. This "influence government" is the work of the ten-year-old Behavioural Insights Team - the "nudge unit", whose thinking is summed up in its behavioral economy report.

Then there's the Police, Crime, Sentencing, and Courts bill currently making its way through Parliament. This one has been the subject of street protests across the UK because of provisions that permit police and Home Secretary Priti Patel to impose various limits on protests.

Patel's Home Office also features in another area of contention, the Nationality and Borders bill. This bill would make criminal offenses out of arriving in the UK without permission and helping an asylum seeker enter the UK. The latter raises many questions, and the Law Society lists many legal issues that need clarification. Accompanying this is this week's proposal to turn back migrant boats, which breaks maritime law.

A few more entertainments lurk: for one, the plan to review network neutrality announced by Ofcom, the communications regulator. At this stage, it's unclear what dangers lurk, but it's another thing to watch, along with the ongoing consultation on digital identity.

More expected, no less alarming, this government also has an ongoing independent review of the 1998 Human Rights Act, which Conservatives such as former prime minister Theresa May have long wanted to scrap.

Human rights activists in this country aren't going to get much rest between now and (probably) 2024, when the next general election is due. Or maybe ever, looking at this list. This is the latest step in a long march, and it reminds us that underneath Britain's democracy lies its ancient feudalism.


Illustrations: Derbyshire stately home Chatsworth (via Trevor Rickards at Wikimedia).


July 23, 2021

Internet fragmentation as a service

"You spend most of your day telling a robot that you're not a robot. Think about that for two minutes and tell me you don't want to walk into the ocean," the comedian John Mulaney said in his 2018 comedy special, Kid Gorgeous. He was talking about captchas.

I was reminded of this during a recent panel at the US Internet Governance Forum hosted by Mike Nelson. Nelson's challenge to his panelists: imagine alternative approaches to governments' policy goals that won't damage the Internet. They talked about unintended consequences (and the exploitation thereof) of laws passed with good intentions, governments' demands for access to data, ransomware, content blocking, multiplying regional rulebooks, technical standards and interoperability, transparency, and rising geopolitical tensions, which cyberspace policy expert Melissa Hathaway suggested should be thought about by playing a mash-up of the games Risk and Settlers of Catan. The main topic: is the Internet at risk of fragmentation?

So much depends on what you mean by "fragmentation". No one mentioned the physical damage achievable by ten backhoes. Nor the domain name system that allows humans and computers to find each other; "splitting the root" (that is, the heart of the DNS) used to dominate such discussions. Nor captchas, but the reason Mulaney sprang to mind was that every day (in every way) captchas frustrate access. Saying that makes me privileged; in countries where Facebook is zero-rated but the rest of the Internet costs money people can't afford on their data plans, the Internet is as cloven as it can possibly be.

Along those lines, Steve DelBianco raised the idea of splintering-by-local-law, the most obvious example being the demand in many countries for data localization. DelBianco, however, cited Illinois' Biometric Information Privacy Act (2008), which has been used to sue platforms on behalf of unnamed users for automatically tagging their photos online. Result: autotagging is not available to Illinois users on the major platforms, and neither is the Google Nest and Amazon Ring doorbells' facility for recognizing and admitting friends and family. See also GDPR, noted above, which three and a half years after taking force still has US media sites blocking access by insisting that our European visitors are important to us.

You could also say that the social Internet is splintering along ideological lines as the extreme right continue to build their own media and channels. In traditional media, this was Roger Ailes' strategy. Online, the medium designed to connect people doesn't care who it connects or for what purpose. Commercial social media engagement algorithms have exacerbated this, as many current books make plain.

Nelson, whose Internet policy experience goes back to the Clinton administration, suggested that policy change is generally driven by a big event: 9/11, for example, which led promptly to the passage of the PATRIOT Act (US) and the Anti-Terrorism, Crime, and Security Act (UK), or the Colonial Pipeline hack that has made ransomware an urgent mainstream concern. So, he asked: what kind of short, sharp shock would cause the Internet to fracture? If you see data protection law as a vector, the 2013 Snowden revelations were that sort of event; a year earlier, GDPR looked like fading away.

You may be thinking, as I was, that we're literally soaking in global catastrophes: the COVID-19 pandemic, and climate change. Both are slow-burning issues, unlike the high-profile drivers of legislative panic Nelson was looking for, but both generate dozens of interim shocks.

I'm always amazed so little is said about climate change and the future of the Internet; the IT industry's emissions just keep growing. China's ban on cryptocurrency mining, which it attributes to environmental concerns, may be the first of many such limits on the use of computing power. Disruptions to electricity supplies - just yesterday, the UK's National Grid warned there may be blackouts this winter - don't "break" the Internet, but they do make access precarious.

So far, the pandemic's effect has mostly been to exacerbate ideological splits and accelerate efforts to curb the spread of misinformation via social media. It's also led to increased censorship in some places; early on, China banned virus-related keywords on WeChat, and this week the Indian authorities raided a newspaper that criticized the government's pandemic response. In addition, the exposure and exacerbation of social inequalities brought by the pandemic may, David Bray suggested in the panel, be contributing to the increase in cybercrime, as "failed states" struggle to rescue their economies. This week's revelations of the database of numbers of interest to NSO Group clients since 2016 don't fragment the Internet as a global communications system, but they might in the sense that some people may not be able to afford the risk of being on it.

This is where Mulaney comes in. Today, robots gatekeep web pages. Three trends seem likely to expand their role: online, age verification and online safety laws; covid passports, which are beginning to determine access to physical-world events; and the Internet of Things, which is bridging what's left of the divide between cyberspace and the real world. In the Internet subsumed into everything of our future, "splitting the Internet" may no longer be meaningful as the purely virtual construct Nelson's panel was considering. In the cyber-physical world, Internet fragmentation must also be hybrid.


Illustrations: The IGF-USA panel in action.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 9, 2021

The border-industrial complex*

Most people do not realize how few rights they have at the border of any country.

I thought I did know: not much. EFF has campaigned for years against unwarranted US border searches of mobile phones, where "border" legally extends 100 miles into the country. If you think, well, it's a big country, it turns out that two-thirds of the US population lives within that 100 miles.

No one ever knows what the border of their own country is like for non-citizens. This is one reason it's easy for countries to make their borders hostile: non-citizens have no vote and the people who do have a vote assume hostile immigration guards only exist in the countries they visit. British people have no idea what it's like to grapple with the Home Office, just as most Americans have no experience of ICE. Datafication, however, seems likely to eventually make the surveillance aspect of modern border passage universal. At Papers, Please, Edward Hasbrouck charts the transformation of travel from right to privilege.

In the UK, the Open Rights Group and the3million have jointly taken the government to court over provisions in the post-Brexit GDPR-enacting Data Protection Act (2018) that exempted the Home Office from subject access rights. The Home Office invoked the exemption in more than 70% of the 19,305 data access requests made to its office in 2020, while losing 75% of the appeals against its rulings. In May, ORG and the3million won on appeal.

This week's announced Nationality and Borders Bill proposes to make it harder for refugees to enter the country and, according to analyses by the Refugee Council and Statewatch, make many of them - and anyone who assists them - into criminals.

Refugees have long had to verify their identity in the UK by providing biometrics. On top of that, the cash support they're given comes in the form of prepaid "Aspen" cards, which means the Home Office can closely monitor both their spending and their location, and cut off assistance at will, as Privacy International finds. Scotland-based Positive Action calls the results "bureaucratic slow violence".

That's the stuff I knew. I learned a lot more at this week's workshop run by Security Flows, which studies how datafication is transforming borders. The short version: refugees are extensively dataveilled by both the national authorities making life-changing decisions about them and the aid agencies supposed to be helping them, like the UN High Commissioner for Refugees (UNHCR). Recently, Human Rights Watch reported that UNHCR had broken its own policy guidelines by passing data to Myanmar that had been submitted by more than 830,000 ethnic Rohingya refugees who registered in Bangladeshi camps for the "smart" ID cards necessary to access aid and essential services.

In a 2020 study of the flow of iris scans submitted by Syrian refugees in Jordan, Aalborg associate professor Martin Lemberg-Pedersen found that private companies are increasingly involved in providing humanitarian agencies with expertise, funding, and new ideas - but that those partnerships risk turning their work into an experimental lab. He also finds that UN agencies' legal immunity coupled with the absence of common standards for data protection among NGOs and states in the global South leaves gaps he dubs "loopholes of externalization" that allow the technology companies to evade accountability.

At the 2020 Computers, Privacy, and Data Protection conference a small group huddled to brainstorm about researching the "creepy" AI-related technologies the EU was funding. Border security represents a rare opportunity, invisible to most people and justified by "national security". Home Secretary Priti Patel's proposal to penalize the use of illegal routes to the UK is an example, making desperate people into criminals. People like many of the parents I knew growing up in 1960s New York.

The EU's immigration agencies are particularly obscure. I had encountered Warsaw-based Frontex, the European Border and Coast Guard Agency which manages operational control of the Schengen Area, but not EU-LISA, which since 2012 has managed the relevant large-scale IT systems SIS II, VIS, EURODAC, and ETIAS (like the US's ESTA). Unappetizing alphabet soup whose errors few know how to challenge.

Behind the scenes, the workshop described, the largest suppliers of ICT, biometrics, aerospace, and defense provide consultants who help define work plans and formulate calls to which their companies respond. The list of vendors appearing in Javier Sánchez-Monedero's 2018 paper for the Data Justice Lab begins to trace those vendors, a mix of well-known and unknown. A forthcoming follow-up focuses on the economics and lobbying behind all these databases.

In the recent paper on financing border wars, Mark Akkerman analyzes the economic interests behind border security expansion, and observes "Migration will be one of the defining human rights issues of the 21st century." We know it will increase, increasingly driven by climate change; the fires that engulfed the Canadian village of Lytton, BC on July 1 made 1,000 people homeless, and that's just the beginning.

It's easy to ignore the surveillance and control directed at refugees in the belief that they are not us. But take the UK's push to create a hostile environment by pushing border checks into schools, workplaces, and health services as your guide, and it's obvious: their surveillance will be your surveillance.

*Credit the phrase "border-industrial complex" to Luisa Izuzquiza.

Illustrations: Rohingya refugee camp in Bangladesh, 2020 (by Rocky Masum, via Wikimedia).


May 7, 2021

Decision not decision

It is the best of decisions, it is the worst of decisions.

For some, this week's decision by Facebook's Oversight Board in the matter of "the former guy" Donald J. Trump is a deliberate PR attempt at distraction. For many, it's a stalling tactic. For a few, it is a first, experimental stab at calling the company to account.

It can be all these things at once.

But first, some error correction. Nothing the Facebook Oversight Board does or doesn't do tells us anything much about governing the Internet. Although there are countries where zero-rating deals with telcos make Facebook effectively the only online access most people have, Facebook is not the Internet and it's not the web. Facebook is a commercial company's walled garden that is reached over the Internet and via both the web and apps that bypass the web entirely. Governing Facebook is about how we regulate and govern commercial companies that use the Internet to achieve global reach. Like Trump, Facebook has no exact peer, so it is difficult to generalize from decisions about either to reach wider principles of content moderation.

It's also important to recognize that Trump used/uses different social media sites in different ways. Facebook was important to Trump for organizing campaigns and advertising, as well as getting his various messages amplified and spread by supporters. But there's little doubt that personally he'd rather have Twitter back; its public nature and instant response made it his id-to-fingers direct connection to the media. Twitter fed him the world's attention. Those were the postings that had everyone waking up in the middle of the night panicked in case he had abruptly declared war on North Korea. After his ban, the service was full of tweets expressing relief at the silence.

The board's decision has several parts. First, it says the company was right to suspend Trump's account. However, it goes on to say, the company erred in applying an "indeterminate and standardless penalty of indefinite suspension". It goes on to tell Facebook to develop "clear, necessary, and proportionate policies that promote public safety and freedom of expression". The board's charter requires Facebook to make an initial response within 30 days, and the decision itself orders Facebook to review the case to "determine and justify a proportionate response that is consistent with the rules that are applied to other users of its platform". It appears that the board is at least trying not to let itself be used as a shield.

At the New York Times, Kara Swisher calls the non-decision kind of perfect. At the Washington Post, Margaret Sullivan calls the board a high-priced fig leaf. At Lawfare, Evelyn Douek believes the decision shows promise but deplores the board's reluctance to constrain Facebook. On Wednesday's episode of Ben Wittes's and Kate Klonick's In Lieu of Fun, panelists speculated what indicators would show the board was achieving legitimacy. Carole Cadwalladr, who broke the Cambridge Analytica story in 2016, calls Facebook, simply, cancer and views the oversight board as a "dangerous distraction".

When the board first began issuing decisions, Jeremy Lewin commented that the only way the board - "a dangerous sham" - could show independence was to reverse Facebook's decisions, which in all cases would mean restoring deleted posts, since the board has no role in evaluating decisions to retain posts. It turns out that's not true. In the Trump decision, the board found a third way: calling out Facebook for refusing to answer its questions, failing to establish and follow clear procedures, and punting on its responsibilities.

However, despite the decision's legalish language, the Oversight Board is not a court, and Facebook's management is not a government. For both good and bad: as Orin Kerr reminds us, Facebook can't fine, jail, or kill its users; as many others will note, as a commercial company its goals are profits and happy shareholders, not fairness, transparency, or a commitment to uphold democracy. If it adopts any of those latter goals, it's because the company has calculated that it will cost more not to. Therefore, *every* bit of governance it attempts is a PR exercise. In pushing the ultimate decision back to Facebook and demanding that the company write and publish clear rules, the board is trying to make itself more than that. We will know soon whether it has any hope of success.

But even if the board succeeds in pushing Facebook into clarifying its approach to this case, "success" will be constrained. Here's the board's mission: "The purpose of the board is to protect free expression by making principled, independent decisions about important pieces of content and by issuing policy advisory opinions on Facebook's content policies." Nothing there permits the board to raise its own cases, examine structural defects, or query the company's business model. There is also no option for the board to survey Trump's case and the January 6 Capitol invasion and place it in the context of evidence on Facebook's use to incite violence in other countries - Myanmar, Sri Lanka, India, Indonesia, Mexico, Germany, and Ethiopia. In other words, the board can consider individual cases when it is assigned them, but not the patterns of behavior that Facebook facilitates and are in greatest need of disruption. That will take governments and governance.


Illustrations: The January 6 invasion of the US Capitol.


April 30, 2021

The tonsils of the Internet

Last week the US Supreme Court decided the ten-year-old Google v. Oracle copyright case. Unlike anyone in Jarndyce v. Jarndyce, which bankrupted all concerned, Google will benefit financially, and in other ways so will the rest of us.

Essentially, the case revolved around whether Google violated Oracle's copyright by copying about 11,500 lines of the software code (out of millions) that makes up the Java platform, part of the application programming interface. Google claimed fair use. Oracle disagreed.

Tangentially: Oracle owns Java because in 2010 it bought its developer, Sun Microsystems, which open-sourced the software in 2006. Google bought Android in 2005; it, too, is open source. If the antitrust authorities had blocked the Oracle acquisition, which they did consider, there would have been no case.

The history of disputes over copying and interoperability goes back to the 1996 case Lotus v. Borland, in which Borland successfully argued that copying the way Lotus organized its menus was copying function, not expression. By opening the way for software programs to copy functional elements (like menus and shortcut keys), the Borland case was hugely important. It paved the way for industry-wide interface standards and thereby improved overall usability and made it easier for users to switch from one program to another if they wanted to. This decision, similarly, should enable innovation in the wider market for apps and services.

Also last week, the US Congress both conducted the latest in the series of antitrust hearings and interrogated Lina Khan, who has been nominated for a position at the Federal Trade Commission. Biden's decision to appoint her, as well as Tim Wu to the National Economic Council, has been taken as a sign of increasing seriousness about reining in Big Tech.

The antitrust hearing focused on the tollbooths known as app stores; in his opening testimony, Mark Cooper, director of research at the Consumer Federation of America, noted that the practices described by the chair, Senator Amy Klobuchar (D-MN), were all illegal in the Microsoft case, which was decided in 1998. A few minutes later, Horacio Gutierrez, Spotify's head of global affairs and chief legal officer, noted that "even" Microsoft never demanded a 30% commission from software developers to run on its platform.

Watching this brought home the extent to which the mobile web, with its culture of walled gardens and network operator control, has overwhelmed the open web we Old Net Curmudgeons are so nostalgic about. "They have taken the Internet and moved it into the app stores", Jared Sine told the committee, and that's exactly right. Opening the Internet back up requires opening up the app stores. Otherwise, the mobile web will be little different than CompuServe, circa 1991.

BuzzFeed technology reporter Ryan Mac posted on Twitter a just-quit Accenture employee's anonymous account of their two and a half years as a content analyst for Facebook. The main points: the work is a constant stream of trauma; there are insufficient breaks and mental health support; the NDAs they are forced to sign block them from turning to family and friends for help; and they need the chance to move around to other jobs for longer periods of respite. "We are the tonsils of the Internet," they wrote. Medically, we now know that the tonsils that doctors used to cheerfully remove play an important role in immune system response. Human moderation is essential if you want online spaces to be tolerably civil; machines simply aren't good enough, and likely never will be, and abuse appears to be endemic in online spaces above a certain size. But just as the exhausted health workers who have helped so many people survive this pandemic should be viewed as a rare and precious resource instead of interchangeable parts whose distress the anti-lockdown, no-mask crowd are willing to overlook, the janitors of the worst and most unpleasant parts of the Internet need to be treated with appropriate care.

The power differential, the geographic spread, their arm's-length subcontractor status, and the technology companies' apparent lack of interest combine to make that difficult. Exhibit B: Protocol reports that contract workers in Google's data centers are required to leave the company for six months every two years and reapply for their jobs, apparently just so they won't gain the rights of permanent employees.

In hopes of change, many were watching the Bessemer, Alabama Amazon warehouse workers' vote on unionizing. Now, the results are in: 1,798 to 738 against. You would think that one thing that could potentially help these underpaid, traumatized content moderators - as well as the drivers, warehouse workers, and others who are kept at second-class arm's length from the technology companies who so diligently ensure they don't become full employees - is a union. Because of the potential impact on the industry at large, many were watching closely, both the organizing efforts and Amazon's drive to oppose them.

Nonetheless, this isn't over. Moves toward unionizing have been growing for years in pockets all over the technology industry, and eventually it will be inescapable. We're used to thinking about technology companies' power in terms of industry consolidating and software licensing; workers are the ones who most directly feel the effects.


Illustrations: The chancellor (Ian Richardson), announcing the end of Jarndyce and Jarndyce in the BBC's 2005 adaptation of Bleak House.


April 2, 2021

Medical apartheid

Ever since 1952, when Clarence Willcock took the British government to court to force the end of wartime identity cards, UK governments have repeatedly tried to bring them back, always claiming they would solve the most recent public crisis. The last effort ended in 2010 after a five-year battle. This backdrop is a key factor in the distrust that's greeting government proposals for "vaccination passports" (previously immunity passports). Yesterday, the Guardian reported that British prime minister Boris Johnson backs certificates that show whether you've been vaccinated, have had covid and recovered, or had a test. An interim report will be published on Monday; trials later this month will see attendees to football matches required to produce proof of negative lateral flow tests 24 hours before the game and on entry.

Simultaneously, England chief medical officer Chris Whitty told the Royal Society of Medicine that most experts think covid will become like the flu, a seasonal disease that must be perennially managed.

Whitty's statement is crucial because it means we cannot assume that the forthcoming proposal will be temporary. A deeply flawed measure in a crisis is dangerous; one that persists indefinitely is even more so. Particularly when, as this morning, culture secretary Oliver Dowden tries to apply spin: "This is not about a vaccine passport, this is about looking at ways of proving that you are covid secure." Rebranding as "covid certificates" changes nothing.

Privacy advocates and human rights NGOs saw this coming. In December, Privacy International warned that a data grab in the guise of immunity passports will undermine trust and confidence while they're most needed. "Until everyone has access to an effective vaccine, any system requiring a passport for entry or service will be unfair." We are a long, long way from that universal access and likely to remain so; today's vaccines will have to be updated, perhaps as soon as September. There is substantial, but not enough, parliamentary opposition.

A grassroots Labour discussion Wednesday night showed this will become yet another highly polarized debate. Opponents and proponents combine issues of freedom, safety, medical efficacy, and public health in unpredictable ways. Many wanted safety - "You have no civil liberties if you are dead," one person said; others foresaw segregation, discrimination, and exclusion; still others cited British norms in opposing making compulsory either vaccinations or carrying any sort of "papers" (including phone apps).

Aside from some specific use cases - international travel, a narrow range of jobs - vaccination passports in daily life are a bad idea medically, logistically, economically, ethically, and functionally. Proponents' concerns can be met in better - and fairer - ways.

The Independent SAGE advisory group, especially Susan Michie, has warned repeatedly that vaccination passports are not a good solution for daily life. The added pressure to accept vaccination will increase distrust, she has repeatedly said, particularly among victims of structural racism.

Instead of trying to identify which people are safe, she argues that the government should be guiding employers, businesses, schools, shops, and entertainment venues to make their premises safer - see for example the CDC's advice on ventilation and list of tools. Doing so would not only help prevent the spread of covid and keep *everyone* safe but also help prevent the spread of flu and other pathogens. Vaccination passports won't do any of that. "It again puts the burden on individuals instead of spaces," she said last night in the Labour discussion. More important, high-risk individuals and those who can't be vaccinated will be better protected by safer spaces than by documentation.

In the same discussion, Big Brother Watch's Silkie Carlo predicted that it won't make sense to have vaccination passports and then use them in only a few places. "It will be a huge infrastructure with checkpoints everywhere," she predicted, calling it "one of the civil liberties threats of all time" and "medical apartheid" and imagining two segregated lines of entry to every venue. While her vision is dramatic, parts of it don't go far enough: imagine when this all merges with systems already in place to bar access to "bad people". Carlo may sound unduly paranoid, but it's also true that for decades successive British governments at every decision point have chosen the surveillance path.

We have good reason to be suspicious of this government's motives. Throughout the last year, Johnson has been looking for a magic bullet that will fix everything. First it was contact tracing apps (failed through irrelevance), then test and trace (failing in the absence of "and isolate and support"), now vaccinations. Other than vaccinations, which have gone well because the rollout was given to the NHS, these failed high-tech approaches have handed vast sums of public money to private contractors. If by "vaccination certificates" the government means the cards the NHS gives fully-vaccinated individuals listing the shots they've had, the dates, and the manufacturer and lot number, well fine. Those are useful for those rare situations where proof is really needed and for our own information in case of future issues; it's simple, and not particularly expensive. If the government means a biometric database system that, as Michie says, individualizes the risk while relieving venues of responsibility, just no.

Illustrations: The Swiss Cheese Respiratory Virus Defence, created by virologist Ian McKay.


March 19, 2021

Dystopian non-fiction

How dumb do you have to be to spend decades watching movies and reading books about science fiction dystopias with perfect surveillance and then go on and build one anyway?

*This* dumb, apparently, because that's what Shalini Kantayya discovers in her documentary Coded Bias, which premiered at the 2020 Sundance Film Festival. I had missed it until European Digital Rights (EDRi) arranged a streaming this week.

The movie deserves the attention paid to The Social Dilemma. Consider the cast Kantayya has assembled: "math babe" Cathy O'Neil, data journalism professor Meredith Broussard, sociologist Zeynep Tufekci, Big Brother Watch executive director Silkie Carlo, human rights lawyer Ravi Naik, Virginia Eubanks, futurist Amy Webb, and "code poet" Joy Buolamwini, who is the film's main protagonist and provides its storyline, such as it is. This film wastes no time on technology industry mea non-culpas, opting instead to hear from people who together have written a year's worth of reading on how modern AI disassembles people into piles of data.

The movie is framed by Buolamwini's journey, which begins in her office at MIT. At nine, she saw a presentation on TV from MIT's Media Lab, and, entranced by Cynthia Breazeal's Kismet robot, she instantly decided: she was going to be a robotics engineer and she was going to MIT.

At her eventual arrival, she says, she imagined that coding was detached from the world - until she started building the Aspire Mirror and had to get a facial detection system working. At that point, she discovered that none of the computer vision tracking worked very well...until she put on a white mask. She started examining the datasets used to train the facial algorithms and found that every system she tried showed the same results: top marks for light-skinned men, inferior results for everyone else, especially the "highly melanated".

Teaming up with Deborah Raji, in 2018 Buolamwini published a study (PDF) of racial and gender bias in Amazon's Rekognition system, then being trialed with law enforcement. The company's response leads to a cameo, in which Buolamwini chats with Timnit Gebru about the methods technology companies use to discredit critics. Poignantly, today's viewers know that Gebru, then still at Google, was only months away from becoming the target of exactly that behavior, fired over her own critical research on the state of AI.

Buolamwini's work leads Kantayya into an exploration of both algorithmic bias generally, and the uncontrolled spread of facial recognition in particular. For the first, Kantayya surveys scoring in recruitment, mortgage lending, and health care, and visits the history of discrimination in South Africa. Useful background is provided by O'Neil, whose Weapons of Math Destruction is a must-read on opaque scoring, and Broussard, whose Artificial Unintelligence deplores the math-based narrow conception of "intelligence" that began at Dartmouth in 1956, an arrogance she discusses with Kantayya on YouTube.

For the second, a US unit visits Brooklyn's Atlantic Plaza Towers complex, where the facial recognition access control system issues warnings for tiny infractions. A London unit films the Oxford Circus pilot of live facial recognition that led Carlo, with Naik's assistance, to issue a legal challenge in 2018. Here again the known future intervenes: after the pandemic stopped such deployments, BBW ended the challenge and shifted to campaigning for a legislative ban.

Inevitably, HAL appears to remind us of what evil computers look like, along with a red "I'm an algorithm" blob with a British female voice that tries to sound chilling.

But HAL's goals were straightforward: it wanted its humans dead. The motives behind today's algorithms are opaque. Amy Webb, whose book The Big Nine profiles the nine companies - six American, three Chinese - who are driving today's AI, highlights the comparison with China, where the government transparently tells citizens that social credit is always watching and bad behavior will attract penalties for your friends and family as well as for you personally. In the US, by contrast, everyone is being scored all the time by both government and corporations, but no one is remotely transparent about it.

For Buolamwini, the movie ends in triumph. She founds the Algorithmic Justice League and testifies in Congress, where she is quizzed by Alexandria Ocasio-Cortez (D-NY) and Jamie Raskin (D-MD), who looks shocked to learn that Facebook has patented a system for recognizing and scoring individuals in retail stores. Then she watches as facial recognition is banned in San Francisco, Somerville, Massachusetts, and Oakland, and the electronic system is removed from the Brooklyn apartment block - for now.

Earlier, however, Eubanks, author of Automating Inequality, issued a warning that seems prescient now, when the coronavirus has exposed all our inequities and social fractures. When people cite William Gibson's "The future is already here - it's just not evenly distributed", she says, they typically mean that new tools spread from rich to poor. "But what I've found is the absolute reverse, which is that the most punitive, most invasive, most surveillance-focused tools that we have, they go into poor and working communities first." Then they get ported out, if they work, to those of us with higher expectations that we have rights. By then, it may be too late to fight back.

See this movie!


Illustrations: Joy Buolamwini, in Coded Bias.


March 5, 2021

Voter suppression in action

The clowder of legislation to restrict voting access that's popping up across the US is casting the last 20 years of debate over online voting in a new light.

For anyone who, like me, has never spent more than a few minutes casting their vote, the scenes from the 2020 US election were astounding. In response to a photo of a six-*hour* line of waiting voters, someone on Twitter observed, "That is democracy in action." Almost immediately a riposte: "That is voter suppression in action."

I had no idea of the tactics of voter suppression until the 2008 Computers, Freedom, and Privacy conference, when Lillie Coney led a panel on updates to deceptive election practices. Among those Coney and Tova Wang listed were robocalls advising Democrats and Republicans to vote on different days (one the real election day, one not) or saying that the polling location had changed, and letters sent to Latino names threatening deportation if they voted illegally. Crude tactics, but effective, especially among new voters. Coney and Wang imagined these shifting to much better-targeted email and phony websites. It was too soon for anyone to spot two-year-old Facebook as the eventual vector.

By 2020, voter suppression was much more blatant. Republicans planted fake drop boxes in California; Texas selectively closed polling places, especially those in central locations easily accessed by public transport; and everywhere Donald Trump insisted that mail-in ballots meant fraud. Nonetheless, even Fox News admitted that the 2020 election was the most secure in US history and there's no evidence of fraud in any jurisdiction. The ability to audit and recount, not just read a number off an electronic counter, is crucial to being able to say this.

It now appears that this election was just a warm-up. The Brennan Center is currently tracking 253 bills that restrict voting access in 43 states, and 704 bills with provisions to expand it in a different set of 43 states. Sometimes both approaches coexist in the same bill. Outside the scope of legislation, later this year congressional districts will be redrawn based on the 2020 census, another process that can be gamed. At the federal level, Democrats are pushing the passage of H.R.1, the For the People Act, to reform many aspects of the US electoral system including financing, districting, and ethics. One section of the bill provides grants to update voting systems, creates security requirements for private companies that sell voting machines and election equipment, and requires those companies to report cybersecurity incidents. Citizens for Ethics supplies the sources of the ideas enshrined in the act. For even more, see Democracy Docket, whose founder, Marc Elias, has been fighting the legal cases with a remarkable record of success. Ensuring fairness is not specifically about Republicans; historically both parties have gamed the system to hang onto power when they've had the chance.

Ever since 1999, when Bill Clinton asked the National Science Foundation to look into online voting, the stated reasons have always *sounded* reasonable - basically, to increase turnout by improving convenience. In the UK, this argument was taken up by the now-defunct organization Webroots Democracy, which argued that it could improve access for younger people used to doing everything on their phones, and would especially grant better access for groups such as visually impaired people who are not well provided for under the present system. These problems still need to be solved.

The reasons against adopting online voting haven't changed since 2000, when Rebecca Mercuri first outlined the security problems. In the UK very little has changed since 2007, when a couple of pilots led the Electoral Commission to advise against pursuing the idea for sound reasons. Tl;dr: computer scientists prefer pencils.

In 2016, to celebrate its second anniversary, Webroots founder Areeq Chowdhury said national adoption in the UK was achievable by the "next general election", then expected in 2020. He had some reason to believe this; in 2015 then Speaker of the House John Bercow suggested online voting should be used for the 2020 election. But, oh, timing! Chowdhury could have no idea that a month after that Webroots meeting the UK was going to vote (using paper and pencils) to leave the EU. In the resulting change in the political climate, two general elections have passed, in 2017 and 2019, both conducted using pencils and paper. So will May's delayed London mayoral election. The government's 2019 plan to bring in mandatory photographic voter ID by 2023 will diminish, not increase, access.

In the US, only 55.7% of eligible voters participated in the 2016 election, and the turnout for congressional primaries can be as low as 11%. Again, time changed everything: between 2000 and 2016 it seemed as though turnout would go on dropping. Then came 2020. Loving or hating incumbent Donald Trump broke records: 66.3% of eligible voters cast ballots, the highest percentage since 1900. That result bears out what many have said: turnout depends on voters believing that their vote matters.

The aggregate picture suggests that the appeal of online voting may have been to encourage the kinds of voters politicians wanted at a time when it was mostly younger, affluent, and educated people who had smartphones and Internet access. Follow the self-interest.


Illustrations: Officials recount a ballot in the narrow Bush-Gore 2000 election.


February 26, 2021

The convenience

A couple of days ago, MSNBC broadcast a segment featuring a mobile vaccination effort in which a truck equipped with a couple of medical personnel and a suitably stored supply of vaccines and other medical equipment was shown driving around to various neighborhoods and parking in front of people's homes, where the personnel would knock on doors. There was a very brief clip of a woman identified as reluctant. "What made you decide to take the vaccine after all?" the interviewer asked (more or less). "The convenience," she said, from behind her mask.

Wow.

It's always been - or should have been - obvious that all vaccine hesitancy is not equal. Some people are just going to be born rebels, refusing to do *anything* an authority tells them to do, no matter how well-attested the instruction is or how much risk accompanies ignoring it. Some have adopted resistance as a performative or tribal identity. Some may be deeply committed through serious, if flawed, assessment of the vaccine itself. Some have serious historical and cultural reasons to be distrustful. Others have medical contraindications. Some may actually even be suicidal. But some - and they may even be the majority - could go either way, depending on circumstances. As a friend commented after I told them the story, imagine a single mother with three kids, one or more jobs, and a long daily to-do list. Vaccination may be far, far down the list in terms of urgency.

Even knowing all this, seeing the woman state it so baldly was breathtaking because we've gotten used to assuming that anyone opposing vaccination does so out of deeply-held and angry commitment. The nudge people would probably be less surprised. For those of us who spend time promoting skepticism, the incident was also a good reminder of the value of engaging with people's real concerns.

It also reminds us that when people's decisions seem inexplicable, "the convenience" is often an important part of their reasoning. It's certainly part of why a lot of security breaches happen. Most people's job is not in security but in payroll or design or manufacturing, and their need to get their actual jobs done takes precedence. Faced with a dilemma, they will do the quickest and easiest thing, and those who design attacks know and exploit this very human tendency. The smart security person will, as Angela Sasse has been saying for 20 years, design security policies so they're the easiest path to follow.

The friction they add has been a significant reason why privacy tools have often failed to command any significant market share: they require exceptional effort, first because of the necessity of locating, installing, and learning to use them and second because so often they bring with them the price of non-conformance. Ever try getting your friends to shift from WhatsApp to Signal? Until the recent WhatsApp panic, it was impossible because of the difficulty they could foresee of getting all their other contacts - the school and church groups, the tennis club, the neighbors - to move as well. No one wants to have to remember which service to use for each contact.

One or another version of this problem has hindered the adoption of privacy tools for nearly 30 years, beginning in 1991 when Phil Zimmermann invented PGP in an effort to give PC users access to strong encryption. For most people, PGP was - and, sadly, still is - too difficult to install and too much of a nuisance to use. The result was that hardly anyone used encrypted communications until it became invisibly built into messaging services like WhatsApp and Signal.

The move away from universally interoperable email risks becoming a real problem in splintering communications, if my personal experience is any guide. A friend recently demanded to know why I didn't have an iPhone; she was annoyed that she couldn't send me messages on her preferred app. "Because I have an Android," I said. "What's that?" she asked. For her, Android users are incomprehensibly antisocial (and for new-hot-kid-in-town Clubhouse we are not worthy.)

On a wider canvas, that issue of convenience is most of the answer to how we began with a cooperative decentralized Internet and are now contending with an Internet dominated for most people by centralized walled gardens. At every stage, from the first web sites, when someone wanting to host a website had to do everything themselves, to today's social media, new companies succeeded by solving the frustrations of the previous generation. People want to chat with their friends, see photos, listen to music, and build businesses; anything like a technical barrier that makes any of that harder is an opportunity for someone to insert themselves as an intermediary or, as TikTok is doing now, to innovate. The same network effects that helped Facebook, Apple, and Google to grow to their present size make it difficult to counter their dominance by seeding alternatives.

It did not have to come out this way; ISPs (and, later, others) could have chosen to provide tools and services to make it easy for us to own our own communities. For anyone trying to do that now it's a hard, hard sell. Those of us who want to see the Internet redecentralize will have to create the equivalent of a mobile vaccination van.


Illustrations: Houston Vaccines' mobile unit.


January 22, 2021

In the balance

As the year gets going, two conflicts look like setting precedents for Internet regulation: Australia's push to require platforms to pay license fees for linking to their articles; and Facebook's pending decision whether to make former president Donald Trump's ban permanent, as Twitter already has.

Facebook has referred Trump's case to its new Oversight Board and asked it to make policy recommendations for political leaders. The Board says it will consider whether Trump's content violated Facebook community standards and "values", and whether its removal respected human rights standards. It expects to report within 90 days; the decision will be binding on Facebook.

On Twitter, Kate Klonick, an assistant professor at St. John's University of Law, who has been following the Oversight Board's creation and development in detail, says the important aspect is not the inevitably polarizing decision itself, but the creation of what she hopes will be a "transparent global process to adjudicate these human rights issues of speech". In a Yale Law Journal article documenting the board's history so far, she suggests that it could set a precedent for collaborative governance of private platforms.

Or - and this seems more likely - it could become the place where Facebook dumps the controversial cases where making its own decision gains the company nothing. Trump is arguably one of these. No matter how much money Trump's presidential campaign (which seems unlikely to have any future) netted the company, it surely must be a drop in the ocean of its overall revenues. With antitrust suits pending and a politically controversial decision, why *wouldn't* Facebook want to hand it off? Would the company do the same in a case where the company's business model was at stake, though? If it does and the decision goes against Facebook's immediate business interests, will shareholders sue?

Those questions won't be answered for some years. Meanwhile, this initial case will be a milestone in Internet history, as Klonick says. If the board does not create durable principles that can be applied across other countries and political systems, it will have failed. The larger question, however, which is the circulation of deliberate lies and misinformation, is more complex.

For that, letters sent this week by US Congress members Anna Eshoo (D-CA) and Tom Malinowski (D-NJ) may be more germane: they have asked the CEOs of Facebook, Google, YouTube, and Twitter to alter their algorithms to stop promoting conspiracy theories at scale. Facebook has been able to ignore previous complaints it was inciting violence in markets less essential to its bottom line and of less personal significance.

The Australian case is smaller, and kind of a rerun, but still interesting. We noted in September that the Australian government had announced the draft News Media Bargaining Code, a law requiring Google and Facebook (to start with) to negotiate license fees for displaying snippets of news articles. By including YouTube, user postings, and search engine results, Australia hoped to ensure the companies could not avoid the law by shutting down, which was what happened in 2014 when Spain enacted a similar law that caught only Google News. Early reports indicated that its withdrawal resulted in a dramatic loss of traffic to publishers' sites.

However, by 2015, Spain's Association of Newspaper Editors was saying members were reporting just a 12% loss of traffic, and a 2019 assessment argues that in fact the closure (which persists) made little long-term difference to publishers. If this is true, it's unarguably better for publishers not to be dependent on a third-party company to send them traffic out of the goodness of their hearts. The more likely underlying reality, however, is that people have learned to use generic search engines and social media to find news stories - in which case the Australian law could still be damaging to publishers' revenues.

It is, as journalist Michael West points out, exceptionally difficult to tease out what portion of Google's or Facebook's revenues is attributable to news content. West argues that a better solution to those companies' rise is regulating their power and taxing them appropriately; neither Google nor Facebook is in the business of reporting the news, and they are not in direct competition with the traditional publishers - the biggest of which, in Australia, are owned by Rupert Murdoch and so filled with climate change denial that Murdoch's own son left the company because of it.

In December, Google and Facebook won a compromise that will allow Google to include in the negotiations the value it brings in the form of traffic; limit the data it has to share with publishers; and lower the requirement for platforms to share algorithm changes with the publishers. Prediction: the publishers aren't going to wind up getting much out of this.

For the rest of us, though, the notion that users could be stopped from sharing news links (as Facebook is threatening) should be alarming; open, royalty-free linking, as web inventor Tim Berners-Lee told Bloomberg above, is the fundamental characteristic of the web. We take the web so much for granted now that it's easy to forget that the biggest decision Berners-Lee made, with the backing of his employers at CERN, was to make it open instead of proprietary. The Australian law is the latest attempt to modify that decision. I wish I could say it will never catch on.

Illustrations: Justitia outside the Delft Town Hall, the Netherlands (via Dennis Jarvis at Wikimedia).


January 15, 2021

One thousand

In many ways, this 1,000th net.wars column is much like the first (the count is somewhat artificial, since net.wars began as a 1998 book, then presaged by four years of news analysis pieces for the Daily Telegraph, and another book in 2001...and a lot of my other writing also fits under "computers, freedom, and privacy"; *however*). That November 2001 column was sparked by former Home Office minister Jack Straw's smug assertion that after 9/11 those of us who had defended access to strong cryptography must be feeling "naive". Here, just over a week after the Capitol invasion, three long-running issues are pertinent: censorship; security and the intelligence failures that enabled the attack; and human rights when demands for increased surveillance capabilities surface, as they surely will.

Censorship first. The US First Amendment only applies to US governments (a point that apparently requires repeating). Under US law, private companies can impose their own terms of service. Most people expected Twitter would suspend Donald Trump's account approximately one second after he ceased being a world leader. Trump's incitement of the invasion moved that up, and led Facebook, including its subsidiaries Instagram and WhatsApp, Snapchat, and, a week after the others, YouTube to follow suit. Less noticeably, a Salesforce-owned email marketing company ceased distributing emails from the Republican National Committee.

None of these social media sites is a "public square", especially outside the US, where they've often ignored local concerns. They are effectively shopping malls, and ejecting Trump is the same as throwing out any other troll. Trump's special status kept him active when many others were unjustly banned, but ultimately the most we can demand from these services is clearly stated rules, fairly and impartially enforced. This is a tough proposition, especially when you are dependent on social media-driven engagement.

Last week's insurrection was planned on numerous openly accessible sites, many of which are still live. After Twitter suspended 70,000 accounts linked to QAnon, numerous Republicans complaining they had lost followers seemed to be heading to Parler, a relatively new and rising alt-right Twitterish site backed by Rebekah Mercer, among others. Moving elsewhere is an obvious outcome of these bans, but in this crisis short-term disruption may be helpful. The cost will be longer-term adoption of channels that are harder to monitor.

By January 9 Apple was removing Parler from the App Store, to be followed quickly by Android (albeit less comprehensively, since Android allows side-loading). Amazon then kicked Parler off its host, Amazon Web Services. It is unknown when, if ever, the site will return.

Parler promptly sued Amazon claiming an antitrust violation. AWS retaliated with a crisp brief that detailed examples of the kinds of comments the site felt it was under no obligation to host and noted previous warnings.

Whether or not you think Parler should be squashed - stipulating that the imminent inauguration requires an emergency response - three large Silicon Valley platforms have combined to destroy a social media company. This is, as Jillian C. York, Corynne McSherry, and Danny O'Brien write at EFF, a more serious issue. The "free speech stack", they write, requires the cooperation of numerous layers of service providers and other companies. Twitter's decision to ban one - or 70,000 - accounts has limited impact; companies lower down the stack can ban whole populations. If you were disturbed in 2010, when, shortly after the diplomatic cables release, PayPal effectively defunded WikiLeaks after Amazon booted it off its servers, then you should be disturbed now. These decisions are made at obscure layers of the Internet where we have little influence. As the Internet continues to centralize, we do not want just these few oligarchs making these globally significant decisions.

Security. Previous attacks - 9/11 in particular - led to profound damage to the sense of ownership with which people regard their cities. In the UK, the early 1990s saw the ease of walking into an office building vanish, replaced by demands for identification and appointments. The same happened in New York and some other US cities after 9/11. Meanwhile, CCTV monitoring proliferated. Within a year of 9/11, the US passed the PATRIOT Act, and the UK had put in place a series of expansions to surveillance powers.

Currently, residents report that Washington, DC is filled with troops and fences. Clearly, it can't stay that way permanently. But DC is highly unlikely to return to the openness of just ten days ago. There will be profound and permanent changes, starting with decreased access to government buildings. This will be Trump's most visible legacy.

Which leads to human rights. Among the videos of insurrectionists shocked to discover that the laws do apply to them were several in which prospective airline passengers discovered they'd been placed preemptively on the controversial no-fly list. Many others who congregated at the Capitol were on a (separate) terrorism watch list. If the post-9/11 period is any guide, the fact that the security agencies failed to connect any of the dots available to them into actionable intelligence will be elided in favor of insisting that they need more surveillance powers. Just remember: eventually, those powers will be used to surveil all the wrong people.


Illustrations: net.wars, the book at the beginning.


January 7, 2021

The most dangerous game

The chaos is the point.

Among all the things to note about Wednesday's four-hour occupation of the US Capitol Building - the astoundingly ineffective blue line of police, the attacks on journalists, the haphazard mix of US, Trump, Confederate, and Nazi costumes and flags, the chilling in a hotel lobby - is this: no one seemed very clear about the plan. In accounts and images, once inside, some of the mob snap pictures, go oh, look! emails!, and grab mementos like dangerous and destructive tourists. Let's not glorify them and their fantasies of heroism; they are vandals, they are criminals, they are incipient felons, they are thugs. They are certainly not patriots.

One reason, of course, is that their leader, having urged them to storm the Capitol, went home to his protective Secret Service and the warmth of watching the wreckage on TV inside one of the most secure buildings on the planet. Trump is notoriously petty and vengeful against anyone who has crossed him. Why wouldn't he push the grievance-filled conspiracy theorists whose anger he harnessed for personal gain to destroy the country that dared to reject him? The festering anger that Trump's street-bully smarts (and those of his detonator, Roger Stone) correctly spotted as a political opportunity was perfectly poised for Trump's favorite chaos creation game: "Let's you and him fight".

"We love you," and "You are very special," Trump told the rioters to close out the video clip he issued to tell them to go home, as if this were a Hollywood movie and with a bit of sprinkled praise his special effects crew could cage the Kraken until he next wanted it.

The someday child studying this period in history class will marvel at our willful blindness to white violence openly fomented while applying maximum deterrence to Black Lives Matter.

Our greatest ire should be reserved for the cynically exploitative, opportunistic Trump and supporting senators Josh Hawley (R-MO) and Ted Cruz (R-TX), whom George F. Will says will permanently wear a scarlet "S" for "seditionist" and Trump's many other politicians and enablers who consciously lied, a list to which Marcy Wheeler adds senator Tommy Tuberville (R-AL). It's fashionable to despise former Trump fixer-lawyer Michael Cohen, but we should listen to him; his book, Disloyal, is an addict's fourth and fifth steps (moral inventory and admitting wrongs) that unflinchingly lays bare his collaboration in Trump's bullying exploitation.

The invasion perversely hastened Biden/Harris's final anointing; Republicans dropped most challenges in the interests of Constitutional honor (read: survival). Mitch McConnell (R-KY), who as Senate Majority Leader has personally made governance impossible, sounded like a man abruptly defibrillated into sanity, and Senator Lindsey Graham's (R-SC) careening wait-for-his-laugh "That's it! I'm done!" speech led some on Twitter to surmise he was drunk. Only Hawley (R-MO), earlier seen fist-pumping the rioters-in-waiting, seemed undeterred.

High-level Trump administration members - those who can afford health insurance - are fleeing. Apparently we have finally found the line they won't cross, though it may not be the violence but the prospect of having to vote on invoking the 25th Amendment.

An under-discussed aspect of the gap between politics - Beltway or Westminster - and life as ordinary people know it is that for many politicians and media, making preposterous claims they don't really believe is a game. Playing exhibitionist contrarian for provocation is a staple of British journalism. Boris Johnson famously wrote pre-referendum columns arguing both Leave and Remain before choosing pro-Leave's personal opportunities. They appear to care little for the consequences, measured in covid deaths, food bank use, deportations, and shattered lives.

All these posturers score against each other from comfortable berths and comfortably assume they are beyond repercussions. It's the same dynamic as the one at work among the advocates of letting the virus rip through the population at large, as if infection is for the little people and our desperately overstressed, traumatized health care workers are replaceable parts rather than a precious resource.

Perhaps the most extraordinary aspect is that this entire thing was planned out in the open. There was no need to backdoor encryption. They had merch; Trump repeatedly tweeted his intentions; planning was on public forums. In September, the Department of Homeland Security warned that white supremacy is the "most lethal threat" to the US. On Tuesday, Bellingcat warned that a dangerous meld of numerous right-wing constituencies was setting out for DC. Talia Lavin's 2020 book, Culture Warlords, thoroughly documented the online hate growing into real-world violence.

Wednesday also saw myriad mostly peaceful statehouse protests: Texas, Utah, Michigan, California, Oregon, Arizona, Arkansas, Kansas, Wisconsin, Nevada (with a second protest in Las Vegas), Florida, and Georgia. Pause to remember Wednesday's opener: Democrats Jon Ossoff and Raphael Warnock won Georgia's Senate seats.

Trump has 12 more days. Twitter and Facebook, which CNN reporter Donie O'Sullivan calls complicit, have locked Trump's accounts; Shopify has closed his shops. The far-right forums are considering the results while the FBI makes arrests and Biden builds his administration.

The someday child will know the next part faster than we will.


Illustrations: Screenshot of Wednesday's riot in progress.


November 6, 2020

Crypto in review

By my count, this is net.wars number 990; the first one appeared on November 2, 2001. If you added in its predecessors - net.wars-the-book, and its sequel From Anarchy to Power, as well as the more direct precursors, the news analysis pieces I wrote for the Daily Telegraph between 1997 and early 2001 - you'd get a different number I don't know how to calculate. Therefore: this is net.wars #990, and the run-up to 1,000 seems a good moment to review some durable themes of the last 20 years via what we wrote at the time.

net.wars #1 has, sadly, barely aged; it could almost be published today unchanged. It was a ticked-off response to former Home Secretary Jack Straw, who weeks after the 9/11 attacks told Britain's radio audience that the people who had opposed key escrow were now realizing they'd been naive. We were not! The issue Straw was talking about was the use of strong cryptography, and "key escrow" was the rejected plan to require each individual to deposit a copy of their cryptographic key with a trusted third party. "Trusted", on its surface, meant someone *we* trusted to guard our privacy; in subtext it meant someone the government trusted to disclose the key when ordered to do so - the digital equivalent of being required to leave a copy of the key to your house with the local police in case they wanted to investigate you. The last half of the 1990s saw an extended public debate that concluded with key escrow being dropped for the final version of the Regulation of Investigatory Powers Act (2000) in favor of requiring individuals to produce cleartext when law enforcement require it. A 2014 piece for IEEE Security & Privacy explains RIPA and its successors and the communications surveillance framework they've created.

With RIPA's passage, a lot of us thought the matter was settled. We were so, so wrong. It did go quiet for a decade. Surveillance-related public controversy appeared to shift, first to data retention and then to ID cards, which were proposed soon after the 2005 attacks on London's tube and finally canned in 2010 when the incoming coalition government found a note from the previous chancellor, "There's no money".

As the world discovered in 2013, when Edward Snowden dropped his revelations of government spying, the security services had taken the crypto debate into their own hands, undermining standards and making backroom access deals. The Internet community reacted quickly with first advice and then with technical remediation.

In a sense, though, the joke was on us. For many netheads, crypto was a cause in the 1990s; the standard advice was that we should all encrypt all our email so the important stuff wouldn't stand out. To make that a reality, however, crypto software had to be frictionless to use - and the developers of the day were never interested enough in usability to make it so. In 2011, after I was asked to write an instruction manual for installing PGP (or GPG), the lack of usability was maddening enough for me to write: "There are so many details you can get wrong to mess the whole thing up that if this stuff were a form of contraception desperate parents would be giving babies away on street corners."

The only really successful crypto at that point were backend protocols like SSL (used to secure ecommerce transactions over the web), TLS (secures communications), and HTTPS (secures web connections) and the encryption built into mobile phone standards. Much has changed since, most notably Facebook's and Apple's decision to protect user messages and data, at a stroke turning crypto on for billions of users. The result, as Ross Anderson predicted in 2018, was to change the focus of governments' demand for access to hacking devices rather than cracking individual messages.

The arguments have not changed in all those years; they were helpfully collated by a group of senior security experts in 2015 in the report Keys Under Doormats (PDF). Encryption is mathematics; you cannot create a hole that only "good guys" can use. Everyone wants uncrackable encryption for themselves - but to be able to penetrate everyone else's. That scenario is no more possible than the suggestion some of Donald Trump's team are making that the same votes that are electing Republican senators and Congresspeople are not legally valid when applied to the presidency.

Nonetheless, we've heard repeated calls from law enforcement for breakable encryption: in 2015, 2017, and, most recently, six weeks ago. In between, while complaining that communications were going dark, in 2016 the FBI tried to force Apple to crack its own phones to enable an investigation. When the FBI found someone to crack it to order, Apple turned on end-to-end encryption.

I no longer believe that this dispute can be settled. Because it is built on logic proofs, mathematics will always be hard, non-negotiable, and unyielding, and because of their culture and responsibilities security services and law enforcement will always want more access. For individuals, before you adopt security precautions, think through your threat model and remember that most attacks will target the endpoints, where cleartext is inevitable. For nations, remember whatever holes you poke in others' security will be driven through in your own.


Illustrations: The late Caspar Bowden (1961-2015), who did so much to improve and explain surveillance policy in general and crypto policy in particular (via rama at Wikimedia).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

September 11, 2020

Autofail

A new complaint surfaced on Twitter this week. Anthony Ryan may have captured it best: "In San Francisco everyone is trying unsuccessfully to capture the hellish pall that we're waking up to this morning but our phone cameras desperately want everything to be normal." In other words: as in these pictures, the wildfires have turned the Bay Area sky dark orange ("like dusk on Mars," says one friend), but people attempting to capture it on their phone cameras are finding that the automated white balance correction algorithms recalibrate the color to wash out the orange in favor of grey daylight.

At least that's something the computer is actually doing, even if it's counter-productive. Also this week, the Guardian ran an editorial that it boasted had been "entirely" written by OpenAI's language generator, GPT-3. Here's what they mean by "written" and "entirely": the AI was given a word length, a theme, and the introduction, from which it produced eight unique essays, which the Guardian editors chopped up and pieced together into a single essay, which they then edited in the usual way, cutting lines and rearranging paragraphs as they saw fit. Trust me, human writers don't get to submit eight versions of anything; we'd be fired when the first one failed. But even if we did, editing, as any professional writer will tell you, is the most important part of writing anything. As I commented on Twitter, the whole thing sounds like a celebrity airily claiming she's written her new book herself, with "just some help with the organizing". I'd advise that celebrity (name withheld) to have a fire extinguisher ready for when her ghostwriter reads that and thinks of all the weeks they spent desperately rearranging giant piles of rambling tape transcripts into a (hopefully) compelling story.

The Twitter discussion of this little foray into "AI" briefly touched on copyright. It seems to me hard to argue that the AI is the author given the editors' recombination of its eight separately-generated pieces (which likely took longer than if one of them had simply written the piece). Perhaps you could say - if you're willing to overlook the humans who created, coded, and trained the AI - that the AI is the author of the eight pieces that became raw material for the essay. As things are, however, it seems clear that the Guardian is the copyright owner, just as it would be if the piece had been wholly staff-written (by humans).

Meanwhile, the fallout from Max Schrems' latest win continues to develop. The Irish Data Protection Authority has already issued a preliminary order to suspend data transfers to the US; Facebook is appealing. The Swiss data protection authority has issued a notice that the Swiss-US Privacy Shield is also void. During a September 3 hearing before the European Parliament Committee on Civil Liberties, Justice, and Home Affairs, MEP Sophie in't Veld said that by bringing the issue to the courts Schrems is doing the job data protection authorities should be doing themselves. All agreed that a workable - but this time "Schrems-proof" - solution must be found to the fundamental problem, which Gwendolyn Delbos-Corfield summed up as "how to make trade with a country that has decided to put mass surveillance as a rule in part of its business world". In't Veld appeared to sum up the entire group's feelings when she said, "There must be no Schrems III."

Of course we all knew that the UK was going to get caught in the middle between being able to trade with the EU, which requires a compatible data protection regime (either the continuation of the EU's GDPR or a regime that is ruled equal), and the US, which wants data to be free-flowing and which has been trying to use trade agreements to undermine the spread of data protection laws around the world (latest newcomer: Brazil). What I hadn't quite focused on (although it's been known for a while) is that, just like the US surveillance system, the UK's own surveillance regime could disqualify it from the adequacy ruling it needs to allow data to go on flowing. When the UK was an EU member state, this didn't arise as an issue because EU data protection law permits member states to claim exceptions for national security. Now that the UK is out, that exception no longer applies. It was a perk of being in the club.

Finally, the US Senate, not content with blocking literally hundreds of bills passed by the House of Representatives over the last few years, has followed up July's antitrust hearings with the GAFA CEOs with a bill that's apparently intended to answer Republican complaints that conservative voices are being silenced on social media. This is, as Eric Goldman points out in disgust, one of several dozen bits of legislation intended to modify various pieces of S230 or scrap it altogether. On Twitter, Tarleton Gillespie analyzes the silliness of this latest entrant into the fray. While modifying S230 is probably not the way to go about it, right now curbing online misinformation seems like a necessary move - especially since Facebook CEO Mark Zuckerberg has stated outright that Facebook won't remove anti-vaccine posts. Even in a pandemic.


Illustrations: The San Francisco sky on Wednesday ("full sun, no clouds, only smoke"), by Edward Hasbrouck; accurate color comparison from the San Francisco Fire Department.



August 28, 2020

Through the mousehole

It's been obvious for a long time that if you want to study a thoroughly dysfunctional security system you could hardly do better than doping control in sports. Anti-doping has it all: perverse incentives, wrong assumptions, conflicts of interest, and highly motivated opponents. If you doubt this premise, consider: none of the highest-profile doping cases were caught by the anti-doping system. Lance Armstrong (2010) was outed by a combination of dogged journalistic reporting by David Walsh and admissions by his former teammate Floyd Landis; systemic Russian doping (2014) was uncovered by journalist Hajo Seppelt, who has also broadcast investigations of China, Kenya, Germany, and weightlifting; BALCO (2002) was exposed by a coach who sent samples to the UCLA anti-doping lab; and Willy Voet (1998), soigneur to the Festina cycling team, was busted by French Customs.

I bring this up - again - because two insider tales of the Russian scandal have just been published. The first, The Russian Affair, by David Walsh, tells the story of Vitaly and Yuliya Stepanov, who provided Seppelt with material for The Secrets of Doping: How Russia Makes Its Winners (2014); the second, The Rodchenkov Affair, is a first-person account of the Russian system by Grigory Rodchenkov, from 2006 to 2015 the director of Moscow's testing lab. Together or separately, these books explain the Russian context that helped foster its particular doping culture. They also show an anti-doping system that isn't fit for purpose.

The Russian Affair is as much the story of the Stepanovs' marriage as of contrasting and complementary views of the doping system. Vitaly was an idealistic young recruit at the Russian Anti-Doping Agency; Yuliya Rusanova was an aspiring athlete willing to do anything to escape the desperate unhappiness and poverty of her native area, Kursk. While she lectured him about not understanding "the real world", he continued hopefully writing letters to contacts at the World Anti-Doping Agency describing the violations he was seeing. Yuliya comes to see the exploitation of a system that protects winners but lets others test positive to make the system look functional. Under Vitaly's guidance, she records the revealing conversations that Seppelt's documentary featured. Rodchenkov makes a cameo appearance; the Stepanovs believed he was paid to protect specific athletes from positive tests.

In the vastly more entertaining The Rodchenkov Affair, Rodchenkov denies receiving payment, calling Yuliya a "has-been" he'd never met. Instead, Rodchenkov describes developing new methods of detecting performance-enhancing substances, then finding methods to beat those same tests. If the nearest analogue to the Walsh-described Stepanovs' marriage is George and Kellyanne Conway, Rodchenkov's story is straight out of Philip K. Dick's A Scanner Darkly, in which an undercover narcotics agent is assigned to spy on himself.

Russia has advantages for dopers. For example, its enormous land mass allows athletes to sequester themselves in training camps so remote they are out of range for testers. More important may be the pervasive sense of resignation that Vitaly Stepanov describes as his boss slashes WADA's 80 English pages of anti-doping protocols to ten in Russian translation because various aspects are "not possible to do in Russia". Rodchenkov, meanwhile, plans the Sochi anti-doping lab that the McLaren report later made famous for swapping positive samples for pre-frozen clean ones through a specially built "mousehole" operated by the FSB.

If you view this whole thing as a security system, it's clear that WADA's threat model was too simple, something like "athletes dope". Even in 1988, when Ben Johnson tested positive at the Seoul Olympics, it was obvious that everyone's interests depended on not catching star athletes. International sports depend on their stars - as do their families, coaches, support staff, event promoters, governments, fans, and even other athletes, who know the star attractions make their own careers possible. Anti-doping agencies must thread their way through this thicket.

In Rodchenkov's description, WADA appears inept, even without its failure to recognize this ecosystem. In one passage, Rodchenkov writes about the double-blind samples the IOC planted from time to time to test the lab: "Those DBs were easily detectable because they contained ridiculous compounds...which were never seen in doping control routine analysis." In another, he says: "[WADA] also assumed that all accredited laboratories were similarly competent, which was not the case. Some WADA-accredited laboratories were just sloppy, and would reach out to other countries' laboratories when they had to process quality control samples to gain re-accreditation."

Flaws are always easy to find once you know they're there. But WADA was founded in 1999. Just six years earlier, the opening of the Stasi records exposed the comprehensive East German system. The possibility of state involvement should have been high on the threat list from the beginning, as should the role of coaches and doctors who guide successive athletes to success.

It's hard to believe this system can be successfully reformed. Incentives to dope will always be with us, just as it would be impossible to eliminate all incentives to break into computer systems. Rodchenkov, who frequently references Orwell's 1984, insists that athletes dope because otherwise their bodies cannot cope with the necessary training, which he contends is more physically damaging than doping. This much is clear: a system that insists on autonomy while failing to fulfill its most basic mission is wrong. Small wonder that Rodchenkov concludes that sport will never be clean.


Illustrations: Grigory Rodchenkov and Bryan Fogel in Fogel's documentary, Icarus.


August 7, 2020

The big four

"Companies aren't bad just because they're big," Mark Zuckerberg told the US Congress ten days ago, though he failed to suggest aspirational counterexamples. Of course, the point isn't *that* a company is big - but *how*.

July 28, 2020 saw Zuckerberg, Jeff Bezos, Tim Cook, and Sundar Pichai lined up to face the House Judiciary committee in a hearing on Online Platforms and Market Power. As so often these days - and as Julia Angwin writes at The Markup - Democrats and Republicans (excepting Kelly Armstrong, R-ND) conducted different hearings. Both were essentially hostile. Democrats plus Armstrong asked investigative journalism-style questions about company practices, citing detailed historical examples: unfair competition, abuse of a dominant position (Apple, Amazon), editorial manipulation (Facebook, Google), past acquisitions, third-party cookies (Google), targeted advertising, content moderation, hate speech, Russian interference in the 2016 election (Facebook), smart speakers as home hubs (Amazon), counterfeit products (Amazon), and so on for five and a half hours. Each of the four, but particularly Cook, spent a fair bit of time waiting through other people's questions. Overall response: this stuff is *hard*; we're doing a *lot*, we have lots of competition, while their questioners fretted at the loss of every second of their limited time. It must be years since any of these guys has been so frequently peremptorily interrupted while waffling: "Yes or no?"

The Markup kept a tally of "I'll get back to you on that": Bezos edged out Zuckerberg by a hair. (Not entirely fair, since Cook had many fewer chances to play.)

At one point, Pramila Jayapal (D-WA) explained to Bezos that the point of the committee's work was to ensure that more companies like these four could be created. (Maybe start by blocking Google from buying Fitbit.) She was particularly impressive asking about multi-sided markets and revenue sharing, and also pushed Zuckerberg to quickly implement the recommendations in its recent civil rights audit (PDF). But will her desired focus be reflected in the final report, or will it get derailed by arguments over political bias?

Aggrieved Republicans pushed hard on their claim that social media stifles conservative voices, perhaps not achieving the effect they hoped. Jim Sensenbrenner (R-WI) asked Zuckerberg why Donald J. Trump Jr's account was suspended (for sharing a bizarre video full of misinformation about the coronavirus). Zuckerberg had to tell him that was Twitter, although Facebook did remove that same video. Greg Steube (R-FL) demanded of Pichai why Google sorted his campaign emails into his parents' spam folder: "This appears to only be happening to conservative Republicans." (The Markup has found this is non-partisan sorting of "marketing" email, and Val Demings (D-FL) noted it happens to her.) Steube also claimed that soon after the hearing was agreed conservative websites had jumped back up out of obscurity in Google's search results. Why was that? While Pichai struggled to answer, someone quipped on Twitter, "This is everyone trying to explain the Internet to their parents."

Jim Jordan (R-OH), whose career aspiration is apparently Court Jester, opened with: "Big Tech is out to get conservatives - that is not a suspicion, not a hunch, it's a fact." He reeled off a list of incidents and dates: the removal of right wing news website Breitbart, donations from Google employees to then-presidential-candidate Hillary Clinton in 2016, and Twitter removing posts from Donald Trump calling for violence against protesters, and claimed he'd been "shadowbanned" when Twitter (still not present) demoted his tweets to make them less visible, adding that he tried to call Twitter CEO Jack Dorsey as "our" witness. Was Google going to tailor its features to help Joe Biden in the upcoming election? "It's against our core values," said Pichai. Jordan pounced: "But you did it in 2016." He had emails.

Matt Gaetz (R-FL) also seemed offended that - as an American company - Google had withdrawn from the Department of Defense's Project Maven and asked Pichai to promise the company would not withdraw from cooperating with law enforcement, accusing the company of "bigoted, anti-police policies". Gaetz was also disturbed by Google's technical center and collaboration on AI in China - a complaint seemingly pioneered by Peter Thiel.

Steube also found time to take a swipe at the EU: "It's no secret that Europe seems to have an agenda of attacking large, successful US tech companies, yet Europe's approach to regulation in general, and antitrust in particular, seems to have been much less successful than America's approach. America is a remarkable nursery for market innovation and entrepreneurship in pursuit of the American Dream." The irony of saying this while investigating the resulting monopoly power appeared lost on him.

In their opening statements, all four CEOs had embraced only-in-America. At last week's gikii, Chris Marsden countered with this list of technology inventions by Europeans: the Linux kernel (Finland); the Opera browser (Norway); Skype (Estonia); the chip maker ARM (UK); the Raspberry Pi (UK); the VLC media player; and an obscure technology called the World Wide Web (UK, working in Switzerland). "Social good," Marsden concluded, "rather than unicorns". Some of those - Skype, ARM, Opera - were certainly sold off to other parts of the world. But all of the big four have benefited from at least one of them.


Illustrations: Jeff Bezos, Mark Zuckerberg, Sundar Pichai, and Tim Cook are sworn in via Webex.


July 17, 2020

Flying blind

Quick update to last week: the European Court of Justice has ruled in favor of Max Schrems a second time and struck down Privacy Shield, the legal framework that allowed data transfers from the EU to the US (and other third countries); businesses can still use Standard Contractual Clauses, subject to some conditions. TL;DR: Sucks even more to be the UK, caught in the middle between the EU and US demands regarding data flows. On to this week...

This week's Twitter hack is scary. Not, obviously, because it was a hack; by this time we ought to be too used to systems being penetrated by attackers to panic. We know technology is insecure. That's not news.

The big fear should be the unused potential.

Twitter's influence has always been disproportionate to its size. By Big Social Media standards, Twitter is small - a mere snip at 330 million users, barely bigger than Pinterest. TikTok has 800 million, Instagram has 1 billion, YouTube 2 billion, and Facebook 2.5 billion. But Twitter is addictively home to academics, politicians, and entertainers - and journalists, who monitor Twitter constantly for developments to report on. A lot of people feel unable to mention Twitter these days without stressing how much of a sinkhole they think it is (the equivalent of, in decades past, boasting how little TV you watched), but for public information in the West Twitter is a nerve center. We talk a lot about how Facebook got Trump elected, but it was Twitter that got him those acres of free TV and print coverage.

I missed most of the outage. According to Vice, on Wednesday similarly-worded tweets directing followers to send money in the form of bitcoin began appearing in the feeds coming from the high-profile, high-follower accounts belonging to Joe Biden, Elon Musk, Uber, Apple, Bill Gates, and others. Twitter had to shut down a fair bit of the service for a while and block verified users - high-profile public figures that Twitter deems important enough to make sure they're not fakes - from posting. The tweets have been removed, and some people who - presumably trying to follow standard practice in a data breach - tried to change their passwords got locked out - and some people must have sent money, since Vice reported the Bitcoin wallet in question had collected $100,000. But overall not much harm was done.

This time.

Most people, when they think about their social media account or email being hacked, think first of the risk that their messages will be read. This is always a risk, and it's a reason not to post your most sensitive secrets to technology and services you don't control. But the even bigger problem many people overlook is exactly what the attackers did here: spoofed messages that fool friends and contacts - in this case, the wider public - into thinking they're genuine. This is not a new problem; hackers have sought to take advantage of trust relationships to mount attacks ever since Kevin Mitnick dubbed the practice "social engineering" circa 1990.

In his detailed preliminary study of the attack, Brian Krebs suggests the attack likely came from people who've "typically specialized in hijacking social media accounts via SIM swapping". Whoever did it and whatever route they took, it seems clear they gained access to Twitter's admin tools, which enabled them to change the email address associated with accounts and either turn off or capture the two-factor authentication that might alert the actual owners. (And if, like many people, you operate Twitter, email, and 2FA on your phone, you actually don't *have* two factors, you have one single point of failure - your phone. Do not do this if you can avoid it.)

In the process of trying to manage the breach, Eric Geller reports at Politico, Twitter silenced accounts belonging to numerous politicians including US president Donald Trump and the US National Weather Service tornado alerts, among many others that routinely post public information, in some cases for more than 24 hours. You can argue that some of these aren't much of a loss, but the underlying problem is a critical one, in that organizations and individuals of all stripes use Twitter as an official outlet for public information. Forget money: deployed with greater subtlety at the right time, such an attack could change the outcome of elections by announcing false information about polling places (Geller's suggestion), or kill people simply by suppressing critical public safety warnings.

What governments and others don't appear to have realized is that in relying on Twitter as a conduit to the public they are effectively outsourcing their security to it without being in a position to audit or set standards beyond those that apply to any public company. Twitter, on the other hand, should have had more sense: if it created special security arrangements for Trump's account, as the New York Times says it did, why didn't it occur to the company to come up with a workable system for all its accounts? How could it not have noticed the need? The recurring election problems around the world weren't enough of a clue?

Compared to what the attackers *could* have wanted, stealing some money is trivial. Twitter, like others before it, will have to rethink its security to match its impact.



July 10, 2020

Trading digital rights

Until this week I hadn't fully appreciated the number of ways Brexiting UK is trapped between the conflicting demands of major international powers of the size it imagines itself still to be. On the question of whether to allow Huawei to participate in building the UK's 5G network, the UK is caught between the US and China. On conditions of digital trade - especially data protection - the UK is trapped between the US and the EU with Northern Ireland most likely to feel the effects. This was spelled out on Tuesday in a panel on digital trade and trade agreements convened by the Open Rights Group.

ORG has been tracking the US-UK trade negotiations and their effect on the UK's continued data protection adequacy under the General Data Protection Regulation. As discussed here before, the basic problem with respect to privacy is that outside the state of California, the US has only sector-specific (mainly health, credit scoring, and video rentals) privacy laws, while the EU regards privacy as a fundamental human right, and for 25 years data protection has been an essential part of implementing that right.

In 2018 when the General Data Protection Regulation came into force, it automatically became part of British law. On exiting the EU at the end of January, the UK replaced it with equivalent national legislation. Four months ago, Boris Johnson said the UK intends to develop its own policies. This is risky; according to Oliver Patel and Nathan Lea at UCL, 75% of the UK's data flows are with the EU (PDF). Deviation from GDPR will mean the UK will need the EU to issue an adequacy ruling that the UK's data protection framework is compatible. The UK's data retention and surveillance policies may make obtaining that adequacy decision difficult; as Anna Fielder pointed out in Tuesday's discussion, this didn't arise before because national security measures are the prerogative of EU member states. The alternatives - standard contractual clauses and binding corporate rules - are more expensive to operate, are limited to the organization that uses them, and are being challenged in the European Court of Justice.

So the UK faces a quandary: does it remain compatible with the EU, or choose the dangerous path of deviation in order to please its new best friend, the US? The US, says Public Citizen's Burcu Kilic, wants unimpeded data flows and prohibitions on requirements for data localization and disclosure of source code and algorithms (as proposals for regulating AI might mandate).

It is easy to see these issues purely in terms of national alliances. The bigger issue for Kilic - and for others such as Transatlantic Consumer Dialogue - is the inclusion of these issues in trade agreements at all, a problem we've seen before with intellectual property provisions. Even when the negotiations aren't secret, which they generally are, international agreements are relatively inflexible instruments, changeable only via the kinds of international processes that created them. The result is to severely curtail the ability of national governments and legislatures to make changes - and the ability of civil society to participate. In the past, most notably with respect to intellectual property rights, corporate interests' habit of shopping their desired policies around from country to country until one bit and then using that leverage to push the others to "harmonize" has been called "policy laundering". This is a new and updated version, in which you bypass all that pesky, time-consuming democracy nonsense. Getting your desired policies into a trade agreement gets you two - or more - countries for the price of one.

In the discussion, Javier Ruiz called it "forum shifting" and noted that the latest example is intermediary liability, which is included in the US-Mexico-Canada agreement that replaced NAFTA. This is happening just as countries - including the US - are responding to longstanding problems of abuse on online platforms by considering how to regulate the big online platforms. In the US, the debate is whether and how to amend S230 of the Communications Decency Act, which offers a shield against intermediary liability; in the UK, it's the online harms bill and the age-appropriate design code.

Every country matters in this game. Kilic noted that the US is also in the process of negotiating a trade deal with Kenya that will also include digital trade and intellectual property - small in and of itself, but potentially the model for other African deals - and for whatever deal Kenya eventually makes with the UK.

Kilic traces the current plans to the Trans-Pacific Partnership, which included the US during the Obama administration and which attracted public anger over provisions for investor-state dispute settlement. On assuming the presidency, Trump withdrew, leaving the other countries to recreate it as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, which was formally signed in March 2018. There has been some discussion of the idea that a newly independent Britain could join it, but it's complicated. What the US wanted in TPP, Kilic said, offers a clear guide to what it wants in trade agreements with the UK and everywhere else - and the more countries enter into these agreements, the harder it becomes to protect digital rights. "In trade world, trade always comes first."


Illustrations: Medieval trade routes (from The Story of Mankind, 1921).


June 26, 2020

Mysticism: curmudgeon

"Not voting, or not for us?" the energetic doorstep canvasser asked when I started closing the door as soon as I saw her last November. "Neither," I said. "I just don't want to have the conversation." She nodded and moved on. That's the only canvasser I've seen in years. Either they have me written down as a pointless curmudgeon or they (like so many others) don't notice my very small street.

One of the open questions of the three years since Carole Cadwalladr broke the Cambridge Analytica story is how much impact data profiling had on the 2016 EU referendum vote and US presidential election. We know that thousands of ads were viewed millions of times and aimed at promoting division and that they were precisely targeted. But did they make the crucial difference?

We'll never really know. For its new report, Who Do They Think We Are?, the Open Rights Group set out to explore a piece of this question by establishing what data the British political parties hold on UK voters and where they get it. This week, Pascal Crowe, who leads the data and democracy project, presented the results to date.

You can still participate via tools to facilitate subject access requests and analyze the results. The report is based on the results of SARs submitted by 496 self-selected people, 344 of whom opted into sharing their results with ORG. The ability to do this derives from changes brought in by the General Data Protection Regulation, which eliminated the fees, shrank the response time to 30 days, removed the "in writing" requirement, and widened the range of information organizations were required to supply.

ORG's main findings from the three parties from which it received significant results:

- Labour has compiled up to 100 pages of data per individual, broken down into over 80 categories from sources including commercial suppliers, the electoral register, data calculated in-house, and the subjects themselves. The data included estimates of how long someone had lived at their address, their income, number of children, and scores on issues such as staying in the EU, supporting the Scottish National Party, and switching to vote for another party. Even though participants submitted identification along with their request, they all were asked again for further documentation. None received a response within the statutory time limit.

- The Lib Dems referred ORG to their privacy policy for details of their sources; the data was predominantly from the electoral rolls and includes fields indicating the estimated number of different families in a home, the likelihood that they favored remaining in the EU, or were a "soft Tory". The Lib Dems outsource some of their processing to CACI.

- The Conservatives also use the electoral rolls and buy data from Experian, but outsource a lot of profiling to the political consultancy Hanbury Strategy. Their profiles include estimates of how long someone has lived at their current address, number of children, age, employment status, income, educational level, preferred newspaper, and first language. Plus "mysticism", an attempt to guess the individual's religion.

There are three separate issues here. The first is whether the political parties have the legal right to engage in this extensive political profiling. The second is whether voters find the practice acceptable or disquieting. The third is the one we began with: does it work to deliver election results?

Regarding the first, there's no question that these profiles contain personal and sensitive data. ORG is doubtful about the parties' claim that "democratic engagement" provides a legal basis, and recommends three remedies: the Information Commissioner's Office should provide guidance and enforcement; the UK should implement the collective redress provision in GDPR that would allow groups like ORG to represent the interests of an ill-informed public; and the political parties should move to a consent-based opt-in model.

More interesting, ORG found that people simply did not recognize themselves in the profiles the parties collected, which were full of errors - even information as basic as gender and age. Under data protection law, correcting such errors is a fundamental right, but the bigger question is how all this data is helping the parties if it's so badly wrong (and whether we should be more scared if it were accurate). For this reason, Crowe suggested the parties would be better served by returning to the traditional method of knocking on every door, not just the doors of those the parties think already agree with them. The data they collected in such an exercise would be right - and consent would be unambiguous. My canvasser, even after five seconds, knows more about me than a pile of data does.

For the third question, this future was predicted: in 2011, Jeff Chester worried greatly about the potential of profiling to enable political manipulation. Even before that, it was the long-running theme inside the TV series Mad Men that pits advertising as persuasion and emotional engagement (the Don Draper or knocking-on-doors approach) against advertising as a numbers game in which you just need media space targeted at exactly the right selection of buyers (the Harry Crane and Facebook/Google approach). Draper, who ruled the TV show's 1960s, has lost ground to the numbers guys ever since, culminating in Facebook, which allows the most precise audience targeting we've ever known. Today, he'd be 94 and struggling to convince 20-somethings addicted to data-wrangling that he still knows how to sell things.


Illustrations: Carole Cadwalladr (via MollyMEP at Wikimedia).

June 19, 2020

The science

What I - and I suspect a lot of other people - would love to have right now is an online calculator into which you could put where you were going, the time of day, the length of time you expect to spend there, and the type of activity and get back out a risk estimate of acquiring coronavirus infection given various mitigations. I write this as the UK government announces that the "threat level" is dropping from "4" to "3", which tells me more or less precisely nothing useful.

Throughout the pandemic, the British government has explained every decision by saying it's led by the science. I'm all for following the advice of scientists - particularly, in our present situation, public health experts, virologists, and epidemiologists - but "the science" implies there's a single received monolithic truth even while failing to identify any particular source for it. Which science? Whose research? Based on what evidence? Funded by whom? How does it fit in with what we were told before?

Boris Johnson's government spent much of the early months avoiding answering those questions, which has led, as the biologist Ian Boyd complains, to the characterization of the Scientific Advisory Group for Emergencies (SAGE) as "secretive". As the public trusts this government less and less, showing their work has become increasingly important, especially when those results represent a change of plan.

The last four months have seen two major U-turns in "the science" that's governing our current lives, and a third may be in progress: masks, contact tracing apps, and the two-meter rule. Meanwhile, the pieces that are supposed to be in place for reopening - a robust contact tracing system, for example - aren't.

We'll start with masks. Before this thing started, the received wisdom was that masks protected other people from you, but not you from them. This appears to still be the generally accepted case. But tied in with that was the attitude that wearing masks while ill was something only Asians did; Westerners...well, what? Knew better? Were less considerate? Were made of tougher stuff and didn't care if they got sick? In mid-March, Zeynep Tufekci got a certain amount of stick on Twitter for an impassioned plea in the New York Times that public health authorities should promote wearing masks and teach people how to do it properly. "Of course masks work," she wrote, "maybe not perfectly, and not all to the same degree, but they provide some protection."

But we had to go on arguing about it back and forth. There is, says Snopes, no real consensus on how effective they are. Nonetheless, it seems logical they ought to help, and both WHO and CDC now recommend them while mayors of crowded cities are increasingly requiring them. In this case, there's no obvious opportunity for profiteering and for most people the inconvenience is modest. The worst you can suspect is that the government is recommending them so we'll feel more confident about resuming normal activity.

Then, for the last four months we've been told to stay two meters from everyone else except fellow household members. During the closures, elves - that is, people who took on the risks of going to work - have been busy painting distancing indicators on underground platforms, sidewalks, and park benches and sticking decals to train windows. They've set up hand sanitizer stations in London's stations, and created new bike lanes and pedestrian areas. Now, the daily news includes a drumbeat of pressure on government to reduce that recommended distance to one meter. Is this science or economics? The BBC has found a study that says that standing one meter apart carries ten times the risk of two meters. But how significant is that?

I'm all for "the science", but there's so much visible vested interest that I want details. What are the tradeoffs? How does the drop in distance change R0, the reproduction number? The WHO recommends one meter - but it assumes that people are wearing masks - which, in London, on public transport they will be but in restaurants they can't be.

Finally, when last seen, the UK's contact tracing app was being trialed on the Isle of Wight and was built in-house using a centralized design despite the best efforts of privacy advocates and digital rights activists to convince NHSx it was a bad idea. Yesterday, this app was officially discarded.

The relevant scientific aspect, however, is how much apps matter. In April, an Oxford study suggested that 60% of the population would have to use the app for it to be effective.

We should have read the study, as MIT Technology Review did this week, to find that it actually says contact tracing apps can be helpful at much lower levels of takeup. It is still clear that human tracers with local knowledge are more effective and there are many failings in the tracing system, as the kibitzing scientific group Independent SAGE says, but *some* help is better than no help.

"The science" unfortunately can't offer us what we really want: certainty. Instead, we have many imperfect but complementary tools and must hope they add up to something like enough. The science will only become fully clear much later.


Illustrations: London's Paddington station on June 13.

June 12, 2020

Getting out the vote

"If voting changed anything, they'd abolish it," the maverick British left-wing politician Ken Livingstone wrote in 1987.

In 2020, the strategy appears to be to lecture people about how they should vote if they want to change things, and then make sure they can't. After this week's denial-of-service attack on Georgia voters and widespread documentation of voter suppression tactics, there should be no more arguments about whether voter suppression is a problem.

Until a 2008 Computers, Freedom, and Privacy tutorial on "e-deceptive campaign practices", organized by Lillie Coney, I had no idea how much effort was put into disenfranchising eligible voters. The tutorial focused on the many ways new technology - the pre-social media Internet - was being adapted to do very old work to suppress the votes of those who might have undesired opinions. The images from the 2018 mid-term elections and from this week in Georgia tell their own story.

In a presentation last week, Rebecca Mercuri noted that there are two types of fraud surrounding elections. Voter fraud, which is efforts by individuals to vote when they are not entitled to do so and is the stuff proponents of voter ID requirements get upset about, is vanishingly rare. Election fraud, where one group or another try to game the election in their favor, is and has been common throughout history, and there are many techniques. Election fraud is the big thing to keep your eye on - and electronic voting is a perfect vector for it. Paper ballots can be reexamined, recounted, and can't easily be altered without trace. Yes, they can be stolen or spoiled, but it's hard to do at scale because the boxes of ballots are big, heavy, and not easily vanished. Scale is, however, what computers were designed for, and just about every computer security expert agrees that computers and general elections do not mix. Even in a small, digitally literate country like Estonia a study found enormous vulnerabilities.

Mercuri, along with longtime security expert Peter Neumann, was offering an update on the technical side of voting. Mercuri is a longstanding expert in this area; in 2000, she defended her PhD thesis, the first serious study of the security problems for online voting, 11 days before Bush v. Gore burst into the headlines. TL;DR: electronic voting can't be secured.

In the 20 years since, the vast preponderance of computer security experts have continued to agree with her. Naturally, people keep trying to find wiggle room, as if some new technology will change the math; besides election systems vendors there are well-meaning folks with worthwhile goals, such as improving access for visually impaired people, ensuring access for a widely scattered membership, such as unions, or motivating younger people.

Even apart from voter suppression tactics, US election systems continue to be a fragmented mess. People keep finding new ways to hack into them; in 2017, Bloomberg reported that Russia hacked into voting systems in 39 US states before the US presidential election and targeted election systems in all 50. Defcon has added a voting machine hacking village, where, in 2018, an 11-year-old hacked into a replica of the Florida state voting website in under ten minutes. In 2019, Defcon hackers were able to buy a bunch of voting machines and election systems on eBay - and cracked every single one for the Washington Post. The only sensible response: use paper.

Mercuri has long advocated for voter-verified paper ballots (including absentee and mail-in ballots) as the official votes that can be recounted or audited as needed. The complexity and size of US elections, however, means electronic counting.

In Congressional testimony, Matt Blaze, a professor at Georgetown University, has made three recommendations (PDF): immediately dump all remaining paperless direct recording electronic voting machines; provide resources, infrastructure, and training to local and state election officials to help them defend their systems against attacks; and conduct risk-limiting audits after every election to detect software failures and attacks. RLAs, which were proposed in a 2012 paper by Mark Lindeman and Philip B. Stark (PDF), involve counting a statistically significant random sampling of ballots and checking the results against the machine. The proposal has a fair amount of support, including from the Electronic Frontier Foundation.

Mercuri has doubts; she argues that election administrators don't understand the math that determines how many ballots to count in these audits, and thinks the method will fail to catch "dispersed fraud" - that is, a few votes changed across many precincts rather than large clumps of votes changed in a few places. She is undeniably right when she says that RLAs are intended to avoid counting the full set of ballots; proponents see that as a *good* thing - faster, cheaper, and just as good. As a result, some states - Michigan, Colorado (PDF) - are beginning to embrace it. My guess is there will be many mistakes in implementation and resulting legal contests until everyone either finds a standard for best practice or decides they're too complicated to make work.
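
To make the sampling idea concrete, here is an added example (not code from this column or from the Lindeman and Stark paper) of one RLA method: a ballot-polling audit for a two-candidate contest, using the sequential test known as BRAVO. The candidate labels, ballot counts, 5% risk limit, and function names are assumptions made for the illustration.

```python
import math
import random


def ballot_polling_audit(sampled_ballots, winner, loser, reported_share,
                         risk_limit=0.05, max_ballots=2000):
    """Sequential ballot-polling test (the Wald test used by BRAVO).

    sampled_ballots: iterable of hand-read paper ballots drawn at random.
    reported_share:  winner's machine-reported share of the winner+loser votes.
    Returns (confirmed, ballots_examined). confirmed=False means the sample
    did not support the reported outcome, so a full hand count is needed.
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported_share must be in (0.5, 1)")
    threshold = 1.0 / risk_limit      # stop once the evidence ratio reaches this
    ratio = 1.0
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == winner:
            ratio *= reported_share / 0.5
        elif ballot == loser:
            ratio *= (1.0 - reported_share) / 0.5
        # Blank or third-party ballots leave the ratio unchanged.
        if ratio >= threshold:
            return True, examined
        if examined >= max_ballots:
            break
    return False, examined


def expected_sample_size(reported_share, risk_limit=0.05):
    """Wald's approximation of the average sample when the report is accurate."""
    p = reported_share
    drift = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.log(1.0 / risk_limit) / drift


def draw_with_replacement(ballot_box, rng):
    """Yield ballots picked uniformly at random from the box, forever."""
    while True:
        yield rng.choice(ballot_box)


if __name__ == "__main__":
    rng = random.Random(2020)
    # Constructed ballot box: the paper agrees with a reported 60% for W.
    honest_box = ["W"] * 6000 + ["L"] * 4000
    print("accurate report:",
          ballot_polling_audit(draw_with_replacement(honest_box, rng), "W", "L", 0.60))
    # Constructed ballot box: machines report 60% for W, the paper says 48%.
    wrong_box = ["W"] * 4800 + ["L"] * 5200
    print("wrong report:   ",
          ballot_polling_audit(draw_with_replacement(wrong_box, rng), "W", "L", 0.60))
    # The narrower the reported margin, the more ballots must be hand-read.
    for share in (0.60, 0.55, 0.51):
        print(f"reported share {share:.2f}: about "
              f"{round(expected_sample_size(share))} ballots on average")
```

The risk limit bounds the chance that a wrong reported outcome is confirmed; when the sample never reaches the threshold, the audit falls back to a full hand count of the paper.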

Even more important, however, is whether RLAs can successfully underpin public confidence in election integrity. Without that, we've got nothing.

Illustrations: Hanging chad, during the 2000 Bush versus Gore vote.

May 29, 2020

Tweeted

Anyone who's ever run an online forum has at some point grappled with a prolific poster who deliberately spreads division, takes over every thread of conversation, and aims for outraged attention. When your forum is a few hundred people, one alcohol-soaked obsessive bent on suggesting that anyone arguing with him should have their shoes filled with cement before being dropped into the nearest river is enormously disruptive, but the decision you make about whether to ban, admonish, or delete their postings matters only to you and your forum members. When you are a public company, your forum is several hundred million people, and the poster is a world leader...oy.

Some US Democrats have been calling Donald Trump's outrage this week over having two tweets labeled with a fact-check an attempt to distract us all from the terrible death toll of the pandemic under his watch. While this may be true, it's also true that the tweets Trump is so fiercely defending form part of a sustained effort to spread misinformation that effectively acts as voter suppression for the upcoming November election. In the 12 hours since I wrote this column, Trump has signed an Executive Order to "prevent online censorship", and Twitter has hidden, for "glorifying violence", Trump tweets suggesting shooting protesters in Minneapolis. It's clear this situation will escalate over the coming week. Twitter has a difficult balance to maintain: it's important not to hide the US president's thoughts from the public, but it's equally important to hold the US president to the same standards that apply to everyone else. Of course he feels unfairly picked on.

Rewind to Tuesday. Twitter applied its recently-updated rules regarding election integrity by marking two of Donald Trump's tweets. The tweets claimed that conducting the November presidential election via postal ballots would inevitably mean electoral fraud. Trump, who moved his legal residence to Florida last year, voted by mail in the last election. So did I. Twitter added a small, blue line to the bottom of each tweet: "! Get the facts about mail-in ballots". The link leads to numerous articles debunking Trump's claim. At OneZero, Will Oremus explains Twitter's decision making process. By Wednesday, Trump was threatening to "shut them down" and sign an Executive Order on Thursday.

Thursday morning, a leaked draft of the proposed executive order had been found, and Daphne Keller had color coded it to show which bits matter. In a fact-check of what power Trump actually has for Vox, Shirin Ghaffary quotes a tweet from Laurence Tribe, who calls Trump's threat "legally illiterate". Unlike Facebook, Twitter doesn't accept political ads that Trump can threaten to withdraw, and unlike Facebook and Google, Twitter is too small for an antitrust action. Plus, Trump is addicted to it. At the Washington Post, Tribe adds that Trump himself *is* violating the First Amendment by continuing to block people who criticize his views, a direct violation of a 2019 court order.

What Trump *can* do - and what he appears to intend to do - is push the FTC and Congress to tinker with Section 230 of the Communications Decency Act (1996), which protects online platforms from liability for third-party postings spreading lies and defamation. S230 is widely credited with having helped create the giant Internet businesses we have today; without liability protection, it's generally believed that everything from web comment boards to big social media platforms will become non-viable.

On Twitter, US Senator Ron Wyden (D-OR), one of S230's authors, explains what the law does and does not do. At the New York Times, Peter Baker and Daisuke Wakabayashi argue, I think correctly, that the person a Trump move to weaken S230 will hurt most is...Trump himself. Last month, the Washington Post put the count of Trump's "false or misleading claims" while in office at 18,000 - and the rate has grown over time. Probably most of them have been published on Twitter.

As the lawyer Carrie A. Goldberg points out on Twitter, there are two very different sets of issues surrounding S230. The victims she represents cannot sue the platforms where they met serial rapists who preyed on them or continue to tolerate the revenge porn their exes have posted. Compare that very real damage to the victimhood conservatives are claiming: that the social media platforms are biased against them and disproportionately censor their posts. Goldberg wants access to justice for the victims she represents, who are genuinely harmed, and warns against altering S230 for purposes such as "to protect the right to spread misinformation, conspiracy theory, and misinformation".

However, while Goldberg's focus on her own clients is understandable, Trump's desire to tweet unimpeded about mail-in ballots or shooting protesters is not trivial. We are going to need to separate the issue of how and whether S230 should be updated from Trump's personal behavior and his clearly escalating war with the social medium that helped raise him from joke to viable presidential candidate. The S230 question and how it's handled in Congress is important. Calling out Trump when he flouts clearly stated rules is important. Trump's attempt to wield his power for a personal grudge is important. Trump versus Twitter, which unfortunately is much easier to write about, is a sideshow.


Illustrations: Drunk parrot in a Putney garden (by Simon Bisson; used by permission).

May 1, 2020

Appified

Around 2010, when smartphones took off (Apple's iPhone user base grew from 8 million in 2009 to 100 million in early 2011), "There's an app for that" was a joke widely acknowledged as true. Faced with a pandemic, many countries are looking to develop apps that might offer shortcuts to reaching some variant of "old normal". The UK is no exception, and much of this week has been filled with debate about the nascent contact tracing app being developed by the National Health Service's digital arm, NHSx. The logic is simple: since John Snow investigated cholera in 1854, contact tracing has remained slow, labor-intensive, and dependent on infected individuals' ability to remember all their contacts. With a contagious virus that spreads promiscuously to strangers who happen to share your space for a time, individual memory isn't much help. Surely we can do better. We have technology!

In 2011, Jon Crowcroft and Eiko Yoneki had that same thought. Their Fluphone proved the concept, even helping identify asymptomatic superspreaders through the social graph of contacts developing the illness.

In March, China's Alipay Health got our attention. This all-seeing, all-knowing, data-mining, risk score-outputting app whose green, yellow, and red QR codes are inspected by police at Chinese metro stations, workplaces, and other public areas seeks to control the virus's movements by controlling people's access. The widespread Western reaction, to a first approximation: "Ugh!" We are increasingly likely to end up with something similar, but with very different enforcement and a layer of "democratic voluntary" - *sort* of China, but with plausible deniability.

Or we may not. This is a fluid situation!

This week has been filled with debate about why the UK's National Health Service's digital arm (NHSx) is rolling its own app when Google and Apple are collaborating on a native contact-tracing platform. Italy and Spain have decided to use it; Germany, which was planning to build its own app, pivoted abruptly, and Australia and Singapore (whose open source app, TraceTogether, was finding some international adoption) are switching. France balked, calling Apple "uncooperative".

France wants a centralized system, in which matching exposure notifications is performed on a government-owned central server. That means trusting the government to protect it adequately and not start saying, "Oooh, data, we could do stuff with that!" In a decentralized system, the contact matching is performed on the device itself, with the results released to health officials if the user decides to do so. Apple and Google are refusing to support centralized systems, largely because in many of the countries where iOS and Android phones are sold it poses significant dangers for the population. Essentially, the centralized ones ask you for a lot more trust in your government.
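
The difference in what each kind of server ends up holding can be shown with a simplified model, added here as an illustration; it is not the Apple/Google platform, the NHSx app, or any deployed protocol. The HMAC-based ID derivation, the ten-minute interval, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumption: the broadcast ID changes every 10 minutes


def rolling_id(day_key, interval):
    """Short-lived broadcast ID for one interval, derived from a daily key."""
    msg = interval.to_bytes(2, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, owner):
        self.owner = owner
        self.day_key = secrets.token_bytes(16)
        self.heard = set()   # IDs received over Bluetooth, kept on the device

    def hear(self, broadcast_id):
        self.heard.add(broadcast_id)

    def match_locally(self, published_keys):
        """Decentralized matching: re-derive IDs from published keys on-device."""
        return any(rolling_id(key, i) in self.heard
                   for key in published_keys
                   for i in range(INTERVALS_PER_DAY))


def meet(a, b, interval):
    """Two phones in Bluetooth range exchange their current IDs."""
    a.hear(rolling_id(b.day_key, interval))
    b.hear(rolling_id(a.day_key, interval))


class DecentralizedServer:
    """Stores only the daily keys of users who chose to report a diagnosis."""

    def __init__(self):
        self.published_keys = []

    def report_diagnosis(self, phone):
        self.published_keys.append(phone.day_key)


class CentralizedServer:
    """Knows which IDs belong to whom and does the matching itself."""

    def __init__(self):
        self.id_to_owner = {}
        self.contact_graph = {}   # owner -> owners they were near

    def register(self, phone):
        for i in range(INTERVALS_PER_DAY):
            self.id_to_owner[rolling_id(phone.day_key, i)] = phone.owner

    def report_diagnosis(self, phone):
        # The diagnosed user uploads the IDs they heard; the server resolves them.
        contacts = {self.id_to_owner[b] for b in phone.heard
                    if b in self.id_to_owner}
        self.contact_graph[phone.owner] = contacts
        return contacts


def run_scenario():
    """Constructed scenario: alice meets bob, never meets carol, tests positive."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    meet(alice, bob, interval=57)

    dec = DecentralizedServer()
    dec.report_diagnosis(alice)
    on_device = {p.owner: p.match_locally(dec.published_keys)
                 for p in (bob, carol)}

    cen = CentralizedServer()
    for p in (alice, bob, carol):
        cen.register(p)
    cen.report_diagnosis(alice)
    return on_device, dec, cen


if __name__ == "__main__":
    on_device, dec, cen = run_scenario()
    print("decentralized, decided on each phone:", on_device)
    print("decentralized server holds", len(dec.published_keys), "key(s), no names")
    print("centralized server holds:", cen.contact_graph)
```

In both designs bob learns he was exposed; only in the centralized one does the server also hold a record of who was near whom.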

All this led to Parliament's Human Rights Committee, which spent the week holding hearings on the human rights implications of contact tracing apps. (See Michael Veale's and Orla Lynskey's written evidence and oral testimony.) In its report, the committee concluded that the level of data being collected isn't justifiable without clear efficacy and benefits; rights-protecting legislation is needed (helpfully, Lilian Edwards has spearheaded an effort to produce model safeguarding legislation); an independent oversight body is needed along with a Digital Contact Tracing Human Rights Commissioner; the app's efficacy and data security and privacy should be reviewed every 21 days; and the government and health authorities need to embrace transparency. Elsewhere, Marion Oswald writes that trust is essential, and the proposals have yet to earn it.

The specific rights discussion has been accompanied by broader doubts about the extent to which any app can be effective at contact tracing and the other flaws that may arise. As Ross Anderson writes, there remain many questions about practical applications in the real world. In recent blog postings, Crowcroft mulls modern contact tracing apps based on what they learned from Fluphone.

The practical concerns are even greater when you look at Ashkan Soltani's Twitter feed, in which he's turning his honed hacker sensibilities on these apps, making it clear that there are many more ways for these apps to fail than we've yet recognized. The Australian app, for example, may interfere with Bluetooth-connected medical devices such as glucose monitors. Drug interactions matter; if apps are now medical devices, then their interactions must be studied, too. Soltani also raises the possibility of using these apps for voter suppression. The hundreds of millions of downloads necessary to make these apps work means even small flaws will affect large numbers of people.

All of these are reasons why Apple and Google are going to wind up in charge of the technology. Even the UK is now investigating switching. Fixing one platform is a lot easier than debugging hundreds, for example, and interoperability should aid widespread use, especially when international travel resumes, currently irrelevant but still on people's minds. In this case, Apple's and Google's technology, like the Internet itself originally, is a vector for spreading the privacy and human rights values embedded in its design, and countries are changing plans to accept it - one more extraordinary moment among so many.

Illustrations: Alipay Health Code in action (press photo).

April 24, 2020

Viruswashing

Individual humans surprise you in a crisis; the curmudgeon across the street turns into a tireless volunteer; the sycophantic celebrity abruptly becomes a helpfully trenchant critic of their former-friend politicians. Organizations - whether public, as in governments, or private, as in companies - tend to remain in character, carried on by inertia, and claim their latest actions are to combat the crisis. For climate change - "greenwashing". For this pandemic - "viruswashing", as some of the creepiest companies seek to de-creepify themselves in the name of public health.

In the last month, Privacy International's surveillance legislation tracker has illustrated the usual basic crisis principles. One: people will accept things on a temporary basis that they wouldn't accept if they thought they'd be permanent. Two: double that for scared and desperate people. Three: the surveillance measures countries adopt reflect their own laws and culture. Four: someone always has a wish list of surveillance powers in their bottom drawer, ready to push for in a crisis. Five: the longer the crisis goes on the harder it will be to fully roll things back to their pre-crisis state when we can eventually all agree it's ended.

Some governments are taking advantage. Trump, for example, has chosen this moment to suspend immigration. More broadly, the UN Refugee Agency warns that refugee rights are being lost. Of 167 countries that have closed their borders in full or in part, 57 make no exceptions for asylum-seekers.

But governments everywhere are also being wooed by both domestic and international companies. Palantir, for example, is working with the US Centers for Disease Control and Prevention and its international counterparts to track the virus's spread. In the UK, Palantir and an AI start-up are data-mining NHS databases to build a predictive computer model. Largely uknown biometric start-ups are creating digital passports for NHS workers. The most startling is the news that the even-creepier NSO Group, whose government clients have used its software to turn journalists' and activists' phones into spy devices is trying to sell Western governments on its (repurposed) tracking software.

On Twitter, Pat Walshe (@privacymatters) highlights the Covid Credentials Initiative, a collaboration among 60 organizations to create verifiable credential solutions - that is, some sort of immunity certificate that individuals for individuals. Walshe also notes Jai Vijayan's story about Microsoft's proposals: "Your phone will become your digital passport". Walsh's commenters remind that in a fair number of countries SIM registration is essential. The upshot sounds similar to China's Alipay Health app, which scores each phone user and outputs a green, yellow, or red health code - which police check at entrances to areas of the city, public transport, and workplaces before allowing entry. Except: in the West we're talking a system built by private, secretive companies that, as Mike Elgan wrote last year at Fast Company, are building systems in the US that add up functionally to something very like China's much-criticized social credit scheme.

In Britain, where there's talk of "immunity certificates" - deconfinement apps - my model is the history of ID cards, which became mandatory under the National Registration Act (1939) and which no one decommissioned after World War II ended...until 1952, when Harry Willcock, who had refused to show police his ID card on demand, won in court by arguing that the law had lapsed when the emergency ended and the High Court agreed that the ID cards were now being used in unintended ways. Ever since, someone regularly proposes to bring them back. In the early 2000s it was to eliminate benefit fraud; in 2006 it was crime prevention. Now immunity certificates could be a wedge.

Tracking and tracing are age-old epidemiologists' tools; it's natural that people want to automate them, given the speed and scale of this pandemic. It's just the source: the creepiest companies are seizing the opportunity to de-creepify themselves by pivoting to public health. Eventually, Palantir has to do this if it wants to pay its investors the kind of returns they're used to; the law enforcement and security market is just too small. That said, at the Economist Hal Hodson casts nuance on Palantir's deal with the NHS - for now.

Obviously, we need all the help we can get. Nonetheless, these are not companies that are generally on our side. Letting them embed themselves into essential public health infrastructure feels like letting a Mafia family use the proceeds of crime to buy themselves legitimate businesses. Meanwhile, much of the technology is unproven for health purposes and may not be effective, and basing it on apps, as Rachel Coldicutt writes, is a vector for discrimination.

The post-9/11 surveillance build-up should have taught us that human rights must be embedded at the beginning because neither the "war on terror" nor the "war on drugs" has a formal ending when powers naturally expire. While this specific pandemic will end, others will come behind it. So: despite the urgency, protecting ourselves against permanent changes is most easily handled now, while the systems for tracking and tracing infections and ensuring public safety are being built. A field hospital can be built in ten days and then dismantled as if it never was; public health infrastructure cannot.


Illustrations: The Wicked Witch of the West and her crystal ball, from The Wizard of Oz (1939).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

April 17, 2020

Anywhere but here

The international comparisons that feature in every chart of infection curves are creating a new habit. Expatriates are unusually prone to this sort of thing anyway, as I've written before, but right now almost everyone appears to have some form of leader envy. Eventually, history will judge, but for now the unquestioned leader on the leader leaderboard is New Zealand prime minister Jacinda Ardern, who this week followed up her decisive and undeniably effective early action by taking a 20% pay cut in solidarity with her country's workers. Also much admired this week - even subtitled! - is Germany's Angela Merkel, whose press conference explaining that small margins in infection rates make huge differences when translated into hospital beds over time was widely circulated for its honest clarity. Late yesterday New York state governor Andrew Cuomo appeared to have copied it for his own presentation.

Cuomo's daily briefings have become must-see-TV for many of us with less forthcoming leaders; they start with facts, follow with frank interpretation, and end with rambling empathy. Cuomo's rise - which has led many to wonder why he wasn't a presidential candidate - is greeted more cautiously among New York state residents and by those who note the effectiveness of governors Jay Inslee (Washington) and Gavin Newsom (California). On Sunday's edition of Last Week Tonight, John Oliver said, "I never really liked Andrew Cuomo before this, but I will admit he's doing admirably well, and I can't wait to get to the other side of this when I can go back to being irritated by him again." He may already have his chance: yesterday evening Cuomo announced he'd signed up McKinsey to plan a strategy for ending the lockdown. Meanwhile, in a tiny unrepresentative sample of local contacts asked "what world leader do you wish you had in this crisis?", the only British leader mentioned was Scottish first minister Nicola Sturgeon. Only the US federal vacuum can make us feel better about our present government.

***

One unexpected entertainment in this unfolding disaster is the peeks inside people's homes afforded by their appearances on TV or Zoom. I am finally getting to browse at least a small portion of the bookshelves and artwork or admire the ceiling cornices belonging to people I've known for decades but have never had the chance to visit. How TV commentators set themselves up is revealing, too. Adam Schiff appears to unfortunately dress his broadcast corner like a stage set. And one MSNBC commentator sits in an immaculate kitchen, the expanse of whiteness broken only by a pink dishtowel whose movements are fun to chart. Presumably, right before broadcast someone goes through frantically cleaning.

***

This year appears to be the Year of New York. Even before the pandemic, the first Democratic presidential primaries were (however briefly) dominated by three 70-something New Yorkers: Michael Bloomberg, an aristocrat from Manhattan's Upper East Side (even if he was nominally born in Boston), whose campaign ads were expensive but entertaining; Bernie Sanders, whom no amount of Vermont-washing can change from an unmistakable Brooklyn Jew; and Donald Trump, the kid from Queens. In the Washington Post in February - so long ago! - Howard Fineman highlighted this inter-borough dispute and concluded: "The civil way to settle this is to put Trump, Sanders, and Bloomberg on a Broadway park bench and let them argue politics while they feed the pigeons." Two months on, the most visible emerging US leaders in the pandemic are Fauci, Brooklyn-born of Italian descent; Cuomo, Queens-born, also of Italian descent; and Trump.

Fauci was already a familiar name to readers of what a friend calls "plague books". He has been director of the National Institute of Allergy and Infectious Diseases since 1984, and played a crucial role in the AIDS crisis (see Randy Shilts' 1987 book, And the Band Played On) and ebola epidemic (see Laurie Garrett's 1995 title, The Coming Plague), and on and on to today. When he emerged as a member of the White House task force, the natural reaction was, "Of course" and "Thank God". And then: "How old is he, anyway?" He is 79 and looks incredibly fit. Still, one frets. Does he have to be kept standing there mute for two hours? He could be sleeping. He could be working. He could be...well, doing almost anything else, more usefully. We are all incredibly lucky to have him and he should be treated as a precious resource.

***

The loss of things to go to that provoke ideas for things to write about has me scrambling around the Internet looking for virtual stand-ins. For those interested in net.wars-type issues (and why else would you be here?), the Open Rights Group is hosting a weekly discussion group on Fridays at 16:30 London time (that is BST, or GMT+1), and ORG offshoots such as ORG Glasgow are also holding virtual events. I can also recommend the Meetup group London Futurists, which is hosting regular discussions that sound crazier than they actually are. Further afield, I'm sampling events in New York at Data & Society, and in California, at UC Berkeley's Center for Law & Technology. Why not? Anything with live humans trying to think about hard problems, and I'm there. Virtually.


Illustrations: New Zealand prime minister Jacinda Ardern campaigning in 2017 (Brigitte Neuschwander-Kasselordner, via Wikimedia).


April 10, 2020

Losers

Here in 2020, the book that has most helped me understand the political circumstances in which the US finds itself is Michael Lewis's 1997 book, Losers: The Road to Everyplace But the White House, originally released in the US as Trail Fever, because apparently the publisher thought that Americans wouldn't buy a book about losers. From Lewis's comments (and from the fact that this book does not appear on his website), it appears Americans didn't respond to the euphemistic replacement either.

We should have, because it explains so much about what happened in 2016 and since. In the book, Lewis follows the losing candidates in the US 1996 presidential election. That year, Bill Clinton was elected to his second term, defeating veteran Republican candidate Bob Dole. The Democratic primaries were pro-forma. The real action for Lewis, who found following the most successful candidates a throw-away-your-press-credentials chore of stenographically rendering vague aphorisms from carefully controlled corrals, was anywhere Morry Taylor happened to be.

Who? you ask, justifiably. To open his description of Taylor, Lewis starts with Taylor's own words: "I'm what you call an empty refrigerator - you open it up and there's nuthin' inside." Taylor was the founder and CEO of Titan Wheel International, a billion-dollar company he built by buying up bankrupted farm wheel companies and building them back up, and he conceived the idea of running for president when an employee suggested it after listening to a typical Taylor rant about idiotic Washington politicians. After thought, "Morry decided that the country finally was ready to elect a president who was a serious businessman. The only question was: Which businessman?" As we now know, the answer came 20 years later, and turned out to be, "The guy who plays one on TV."

By 1996, that businessman wasn't going to be Ross Perot, who had run in 1992 as an independent and tried again in 1996 with his own Reform Party. Taylor proposed to run as a Republican, the most obscure of the dozen who ran that year. Alongside him, besides Dole, were: the paleoconservative broadcaster Pat Buchanan, former Tennessee governor Lamar Alexander (since 2003 a senator from Tennessee), former diplomat Alan Keyes, Senator Richard Lugar (R-IN), Senator Phil Gramm (R-TX), California Governor Pete Wilson, magazine publisher Steve Forbes, and Congressman Bob Dornan (R-CA). Wilson and Specter withdrew before the primaries, and all but Buchanan and Dole withdrew before the nominating convention. There, Buchanan finally gave up.

Lewis's embrace of Morry Taylor as a journalistic subject is largely due to his perception that the closer a candidate is to winning the less authentic he can afford to be. (See also the superb 1972 movie The Candidate, which captures this perfectly.) Taylor has no expectations, is using his own money, and can say what he likes. The only big-name politician Lewis encounters who feels the same freedom is John McCain, who emerges as a quiet hero. Getting money out of politics, then as now a constant drumbeat, doesn't seem a solution to Lewis: "Even if you take the money out of politics you still have to confront the reason money is so important in the first place: the terror of honest political speech."

The American politics Lewis describes is of a top layer who feign engagement with big issues but actually shy away from them: "There is a great tradition of big political questions...being addressed only by people regarded as crackpots".

Today's Green New Deal was gathered in the margins in 2006 before its 2018 adoption by high-vis Congresswoman Alexandria Ocasio-Cortez (D-NY). Some called her "naive", but it was embraced in this year's Democratic primaries by Senator Bernie Sanders (D-VT). Just a month ago, Sanders, who finally suspended his presidential campaign this week, was being called a communist for pushing Medicare for All - today an essential stopgap to manage the pandemic. Two months ago, Andrew Yang, explaining universal basic income to Joe Rogan, was an impossible dreamer. Today, it's on the table, even if only temporarily. The crisis has moved the Overton window; these things are now *thinkable*, rather than too dangerous to elect.

But Lewis's most startling conclusion is this one, about Buchanan, who sought to reinvent the Republican party in his image: "Maybe the most striking thing about his campaign is that it triumphed, however briefly, in prosperous times. Buchanan was selling anger when there wasn't a great deal to be angry about. You can imagine all sorts of events that could change that: a stock market collapse; a recession; a war in which Americans die wearing U.N. blue; a revolution in Mexico. A medium-sized downturn, and the people at the Buchanan rallies will be not unemployed textile workers but lawyers and doctors. Anger would become respectable. And any man with the capacity to speak to it could go far."

There it is, spelled out, in 1996: anger, waiting to be tapped. And then came the dot-com bust, 9/11, and the 2008 financial crisis.

Three and a half years on from the triumph of anger, the Democratic primaries began with new candidates and new ideas, and are ending with an old candidate wielding a reset button and the built-up outrage of millions of Democrats. Are we ready for this?

Illustrations: Morry Taylor on C-Span in 1996.


March 12, 2020

Privacy matters

Sometime last week, Laurie Garrett, the Pulitzer Prize-winning author of The Coming Plague, proposed a thought experiment to her interviewer on MSNBC. She had been describing the lockdown procedures in place in China, and mulling how much more limited actions are available to the US to mitigate the spread. Imagine, she said (or more or less), the police out on the interstate pulling over a truck driver "with his gun rack" and demanding a swab, running a test, and then and there ordering the driver to abandon the truck and putting him in isolation.

Um...even without the gun rack detail...

The 1980s AIDS crisis may have been the first time my generation became aware of the tension between privacy and epidemiology. Understanding what was causing the then-unknown "gay cancer" involved tracing contacts, asking intimate questions, and, once it was better understood, telling patients to contact their former and current sexual partners. At a time when many gay men were still closeted, this often meant painful conversations with wives as well as ex-lovers. (Cue a well-known joke from 1983: "What's the hardest part of having AIDS? Trying to convince your wife you're Haitian.")

The descriptions emerging of how China is working to contain the virus indicate a level of surveillance that - for now - is still unthinkable in the West. In a Hangzhou project, for example, citizens are required to install the Alipay Health Code app on their phones that assigns them a traffic light code based on their recent contacts and movements - which in turn determines which public and private spaces they're allowed to enter. Paul Mozur, who co-wrote that piece for the New York Times with Raymond Zhong and Aaron Krolik, has posted on Twitter video clips of how this works on the ground, while Ryutaro Uchiyama marvels at Singapore's command and open publication of highly detailed data. This is a level of control that severely frightened people, even in the West, might accept temporarily or in specific circumstances - we do, after all, accept being data-scanned and physically scanned as part of the price of flying. I have no difficulty imagining we might accept barriers and screening before entering nursing homes or hospital wards, but under what conditions would the citizens of democratic societies accept being stopped randomly on the street and our phones scanned for location and personal contact histories?

The Chinese system has automated just such a system. Quite reasonably, at the Guardian Lily Kuo wonders if the system will be made permanent, essentially hijacking this virus outbreak in order to implement a much deeper system of social control than existed before. Along with all the other risks of this outbreak - deaths, widespread illness, overwhelmed hospitals and medical staff, widespread economic damage, and the mental and emotional stress of isolation, loss, and lockdown - there is a genuine risk that "the new normal" that emerges post-crisis will have vastly more surveillance embedded in it.

Not everyone may think this is bad. On Twitter, Stewart Baker, whose long-held opposition to "warrant-proof" encryption we noted last week, suggested it was time for him to revive his "privacy kills" series. What set him off was a New York Times piece about a Washington-based lab that was not allowed to test swabs they'd collected from flu patients for coronavirus, on the basis that the patients would have to give consent for the change of use. Yes, the constraint sounds stupid and, given the situation, was clearly dangerous. But it would be more reasonable to say that either *this* interpretation or *this* set of rules needs to be changed than to conclude unilaterally that "privacy is bad". Making an exemption for epidemics and public health emergencies is a pretty easy fix that doesn't require up-ending all patient confidentiality on a permanent basis. The populations of even the most democratic, individualistic countries are capable of understanding the temporary need for extreme measures in a crisis. Even the famously national ID-shy UK accepted identity papers during wartime (and then rejected them after the war ended (PDF)).

The irony is that lack of privacy kills, too. At The Atlantic, Zeynep Tufekci argues that extreme surveillance and suppression of freedom of expression paradoxically results in what she calls "authoritarian blindness": a system designed to suppress information can't find out what's really going on. At The Bulwark, Robert Tracinski applies Tufekci's analysis to Donald Trump's habit of labeling anything he doesn't like "fake news" and blaming any events he doesn't like on the "deep state" and concludes that this, too, engenders widespread and dangerous distrust. It's just as hard for a government to know what's really happening when the leader doesn't want to know as when the leader doesn't want anyone *else* to know.

At this point in most countries it's early stages, and as both the virus and fear of it spread, people will be willing to consent to any measure that they believe will keep them and their loved ones safe. But, as Access Now agrees, there will come a day when this is past and we begin again to think about other issues. When that day comes, it will be important to remember that privacy is one of the tools needed to protect public health.


Illustrations: Alipay Health Code in action (press photo).


March 6, 2020

Transitive rage

"Something has changed," a privacy campaigner friend commented last fall, observing that it had become noticeably harder to get politicians to understand and accept the reasons why strong encryption is a necessary technology to protect privacy, security, and, more generally, freedom. This particular fight had been going on since the 1990s, but some political balance had shifted. Mathematical reality of course remains the same. Except in Australia.

At the end of January, Bloomberg published a leaked draft of the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT), backed by US Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT). In its analysis the Center for Democracy and Technology finds that the bill authorizes a new government commission, led by the US attorney general, to regulate online speech and, potentially, ban end-to-end encryption. At Lawfare, Stewart Baker, a veteran opponent of strong cryptography, dissents, seeing the bill as combating child exploitation by weakening the legal liability protection afforded by Section 230. Could the attorney general mandate that encryption never qualifies as "best practice"? Yes, even Baker admits, but he still thinks the concerns voiced by CDT and EFF are overblown.

In our real present, our actual attorney general, William Barr, believes "warrant-proof encryption" is dangerous. His office is actively campaigning in favor of exactly the outcome CDT and EFF fear.

Last fall, my friend connected the "change" to recent press coverage of the online spread of child abuse imagery. Several - such as Michael H. Keller and Gabriel J.X. Dance's November story - specifically connected encryption to child exploitation, complaining that Internet companies fail to use existing tools, and that Facebook's plans to encrypt Messenger, "the main source of the imagery", will "vastly limit detection".

What has definitely changed is *how* encryption will be weakened. The 1990s idea was key escrow, a scheme under which individuals using encryption software would deposit copies of their private keys with a trusted third party. After years of opposition, the rise of ecommerce and its concomitant need to secure in-transit financial details eventually led the UK government to drop key escrow before the passage of the Regulation of Investigatory Powers Act (2000), which closed that chapter of the crypto debates. RIPA and its current successor, the Investigatory Powers Act (2016), require individuals to decrypt information or disclose keys to government representatives. There have been three prosecutions.

In 2013, we learned from Edward Snowden's revelations that the security services had not accepted defeat but had gone dark, deliberately weakening standards. The result: the Internet engineering community began the work of hardening the Internet as much as they could.

In those intervening years, though, outside of a few very limited cases - SSL, used to secure web transactions - very few individuals actually used encryption. Email and messaging remained largely open. The hardening exercise Snowden set off eventually included companies like Facebook, which turned on end-to-end encryption for all of WhatsApp in 2016, overnight turning 1 billion people into crypto users and making real the long-ago dream of the crypto nerds of being lost in the noise. If 1 billion people use messaging and only a few hundred use encryption, the encryption itself is a flag that draws attention. If 1 billion people use encrypted messaging, those few hundred are indistinguishable.

In June 2018, at the 20th birthday of the Foundation for Information Policy Research, Ross Anderson predicted that the battle over encryption would move to device hacking. The reasoning is simple: if they can't read the data in transit because of end-to-end encryption, they will work to access it at the point of consumption, since it will be cleartext at that point. Anderson is likely still to be right - the IPA includes provisions allowing the security services to engage in "bulk equipment interference", which means, less politely, "hacking".

At the same time, however, it seems clear that those governments that are in a position to push back at the technology companies now figure that a backdoor in the few giant services almost everyone uses brings back the good old days when GCHQ could just put in a call to BT. Game the big services, and the weirdos who use Signal and other non-mainstream services will stick out again.

At Stanford's Center for Internet and Society, Riana Pfefferkorn believes the DoJ is opportunistically exploiting the techlash much the way the security services rushed through historically and politically unacceptable surveillance provisions in the first few shocked months after the 9/11 attacks. Pfefferkorn calls it "transitive rage": Congresspeople are already mad at the technology companies for spreading false news, exploiting personal data, and not paying taxes, so encryption is another thing to be mad about - and pass legislation to prevent. The IPA and Australia's Assistance and Access Act are suddenly models. Plus, as UN Special Rapporteur David Kaye writes in his book Speech Police: The Global Struggle to Govern the Internet, "Governments see that company power and are jealous of it, as they should be."

Pfefferkorn goes on to point out the inconsistency of allowing transitive rage to dictate banning secure encryption. It protects user privacy, sometimes against the same companies they're mad at. We'll let Alec Muffett have the last word, reminding us that tomorrow's children's freedom is also worth protecting.


Illustrations: GCHQ's Bude listening post, at dawn (by wizzlewick at Wikimedia, CC3.0).


February 14, 2020

Pushy algorithms

One consequence of the last three and a half years of British politics, which saw everything sucked into the Bermuda Triangle of Brexit debates, is that things that appeared to have fallen off the back of the government's agenda are beginning to reemerge like so many sacked government ministers hearing of an impending cabinet reshuffle and hoping for reinstatement.

One such is age verification, which was enshrined in the Digital Economy Act (2017) and last seen being dropped to wait for the online harms bill.

A Westminster Forum seminar on protecting children online, held shortly before the UK's December 2019 general election, reflected that uncertainty. "At one stage it looked as if we were going to lead the world," Paul Herbert lamented before predicting it would be back "sooner or later".

The expectation for this legislation was set last spring, when the government released the Online Harms white paper. The idea was that a duty of care should be imposed on online platforms, effectively defined as any business-owned website that hosts "user-generated content or user interactions, for example through comments, forums, or video sharing". Clearly they meant to target everyone's current scapegoat, the big social media platforms, but "comments" is broad enough to include any ecommerce site that accepts user reviews. A second difficulty is the variety of harms they're concerned about: radicalization, suicide, self-harm, bullying. They can't all have the same solution even if, like one bereaved father, you blame "pushy algorithms".

The consultation exercise closed in July, and this week the government released its response. The main points:

- There will be plentiful safeguards to protect freedom of expression, including distinguishing between illegal content and content that's legal but harmful; the new rules will also require platforms to publish and transparently enforce their own rules, with mechanisms for redress. Child abuse and exploitation and terrorist speech will have the highest priority for removal.

- The regulator of choice will be Ofcom, the agency that already oversees broadcasting and the telecommunications industry. (Previously, enforcing age verification was going to be pushed to the British Board of Film Classification.)

- The government is still considering what liability may be imposed on senior management of businesses that fall under the scope of the law, which it believes is less than 5% of British businesses.

- Companies are expected to use tools to prevent children from accessing age-inappropriate content "and protect them from other harms" - including "age assurance and age verification technologies". The response adds, "This would achieve our objective of protecting children from online pornography, and would also fulfill the aims of the Digital Economy Act."

There are some obvious problems. The privacy aspects of the mechanisms proposed for age verification remain disturbing. The government's 5% estimate of businesses that will be affected is almost certainly a wild underestimate. (Is a Patreon page with comments the responsibility of the person or business that owns it or Patreon itself?) At the Guardian, Alex Hern explains the impact on businesses. The nastiest tabloid journalism is not within scope.

On Twitter, technology lawyer Neil Brown identifies four fallacies in the white paper: the "Wild West web"; that privately operated computer systems are public spaces; that those operating public spaces owe their users a duty of care; and that the offline world is safe by default. The bigger issue, as a commenter points out, is that the privately operated computer systems the UK government seeks to regulate are foreign-owned. The paper suggests enforcement could include punishing company executives personally and ordering UK ISPs to block non-compliant sites.

More interesting and much less discussed is the push for "age-appropriate design" as a method of harm reduction. This approach was proposed by Lorna Woods and Will Perrin in January 2019. At the Westminster eForum, Woods explained, "It is looking at the design of the platforms and the services, not necessarily about ensuring you've got the latest generation of AI that can identify nasty comments and take it down."

It's impossible not to sympathize with her argument that the costs of move fast and break things are imposed on the rest of society. However, when she started talking about doing risk assessments for nascent products and services I could only think she's never been close to software developers, who've known for decades that from the instant software goes out into the hands of users they will use it in ways no one ever imagined. So it's hard to see how it will work, though last year the ICO proposed a code of practice.

The online harms bill also has to be seen in the context of all the rest of the monitoring that is being directed at children in the name of keeping them - and the rest of us - safe. DefendDigital.me has done extensive work to highlight the impact of such programs as Prevent, which requires schools and libraries to monitor children's use of the Internet to watch for signs of radicalization, and the more than 20 databases that collect details of every aspect of children's educational lives. Last month, one of these - the Learning Records Service - was caught granting betting companies access to personal data about 28 million children. DefendDigital.me has called for an Educational Rights Act. This idea could be usefully expanded to include children's online rights more broadly.


Illustrations: Time magazine's 1995 "Cyberporn" cover, which marked the first children-Internet panic.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 29, 2019

Open season

With no ado, here's the money quote:

The [US Trade Representative] team is keen to move into the formal phase of negotiations. Ahead of the publication of UK negotiating objectives, there now little that we will be able to achieve in further pre-negotiation engagement. USTR officials noted continued pressure from their political leadership to pursue an FTA [free trade agreement] and a desire to be fully prepared for the launch of negotiations after the end of October. They envisage a high cadence negotiation - with rounds every 6 weeks - but it was interesting that my opposite number thought that there would remain a political and resource commitment to a UK negotiation even if it were thought that the chances of completing negotiations in a Trump first term were low. He felt that being able to point to advanced negotiations with the UK was viewed as having political advantages for the President going in to the 2020 elections. USTR were also clear that the UK-EU situation would be determinative: there would be all to play for in a No Deal situation but UK commitment to the Customs Union and Single Market would make a UK-U.S. FTA a non-starter.

This quote appears on page two of one of the six leaked reports that UK Labour leader Jeremy Corbyn flourished at a press conference this week. The reports summarize the US-UK Trade and Investment Working Group's efforts to negotiate a free trade agreement between the US and post-Brexit Britain (if and when). The quote dates to mid-July 2019; to recap, Boris Johnson became prime minister on July 24 swearing the UK would exit the EU on October 31.

Three key points jump out:

- Donald Trump thinks a deal with Britain will help him win re-election next year. This is not a selling point to most people in Britain.

- The US negotiators condition the agreement on a no-deal Brexit - the most damaging option for the UK and European economies. Despite the last Parliament's efforts, this could still happen because two cliff edges still loom: the revised January 31 exit date, and December 2020, when the transition period is due to end (and which Johnson swears he won't extend). Whose interests is Johnson prioritizing here?

- Wednesday's YouGov model poll predicts that Johnson will win a "comfortable" majority, suggesting that the cliff edge remains a serious threat.

At Open Democracy, Nick Dearden sums up the worst damage. Among other things, it shows the revival of some of the most-disliked provisions in the abandoned Transatlantic Trade Investment Partnership treaty, most notably investor-state dispute resolution (ISDS), which grants corporations the right to sue, in secret tribunals, governments that pass laws they oppose. As Dearden writes, these documents make clear that "taking back control" means "giving the US control". The Trade Justice Movement's predictions from earlier this year seem accurate enough.

On Twitter, UK Trade Forum co-founder David Henig has posted a thread explaining why adopting a US-first trade policy will be disastrous for British farmers and manufacturers.

Global Justice's analysis highlights both the power imbalance, and the US's demands for free rein. It's also clear that Johnson can say the NHS is not on the table, Trump can say the opposite, and both can be telling some value of truth, because the focus is on pharmaceutical pricing and patent extension. An unscrupulous government filled with short-term profiteers might figure that they'll be gone by the time the costs become clear.

For net.wars, this is all background and outside our area of expertise. The picture is equally alarming for digital rights. In 1999, Simon Davies predicted that data protection would become a trade war between the US and EU. Even a partial reading of these documents suggests that now, 20 years on, may be the moment. Data protection is a hinge, in that you might, at some expense, manage varying food standards for different trading regions, but data regimes want to be unitary. The UK can either align with the EU and GDPR, which enshrines privacy and data protection as human rights, or with the US and its technology giants. This goes double if Max Schrems, whose legal action brought down the Safe Harbor agreement, wins his NOYB case against Privacy Shield. Choose the EU and GDPR, and the US likely walks, as the February 2019 summary of negotiation objectives (PDF) makes plain. That document also is clear that the US wants to bar the UK from mandating local data storage, restricting cross-border data flows, imposing customs duties on digital products, requiring the disclosure of computer code or algorithms, and holding online platforms liable for third-party content. Many of these are opposite to the EU's general direction of travel.

The other hinge issue is the absolute US ban on mentioning climate change. The EU just declared a climate emergency and set out an action list.

The UK cannot hope to play both sides. It's hard to overstress how much worse a position these negotiations seem to offer the UK, which *is* a full EU partner, but which will always be viewed by the US as a lesser entity.

Illustrations: A large bird attacking a stag (Hendrik Hondius, 1610; from LA County Museum of Art, via Wikimedia).


November 8, 2019

Burn rate

One of my favorite moments in the 1996 sitcom 3rd Rock from the Sun was when Dick (John Lithgow), the high commander of the aliens' mission to Earth, marveled at humans' ability to live every day as though they didn't know they were going to die. For everyone but Woody Allen and the terminally ill, that denial is useful: it allows us to get up every day and do things like watch silly sitcoms without being overwhelmed by the sense of doom.

In other contexts, the denial of existential limits is less helpful: being aware of the limits of capital reminds us to use it wisely. During those 3rd Rock years, I was baffled by the recklessly rapid adoption of the Internet for serious stuff - banking, hospital systems - apparently without recognizing that the Internet was still a somewhat experimental network and lacked the service level agreements and robust engineering provided by the legacy telephone networks. During Silicon Valley's 2007 to 2009 bout of climate change concern it was an exercise in cognitive dissonance to watch CEOs explain the green values they were imposing on themselves and their families while simultaneously touting their companies' products and services, which required greater dependence on electronics, power grids, and always-on connections. At an event on nanotechnology in medicine, it was striking that the presenting researchers never mentioned power use. The mounting consciousness of the climate crisis has proceeded in a separate silo from the one in which the "there's an app for that" industries have gone on designing a lifestyle of total technological dependence, apparently on the basis that electrical power is a constant and the Internet is never interrupted. (Tell that to my broadband during those missing six hours last Thursday.)

The last few weeks in California have shown that we need to completely rethink this dependence. At The Verge, Nicole Westman examines the fragility of American hospital systems. Many do have generators, but few have thought-out plans for managing during a black-out. As she writes, hospitals may be overwhelmed by unexpected influxes of patients from nursing homes that never mentioned the hospital was their fallback plan and local residents searching for somewhere to charge their phones. And, Westman notes, electronic patient records bring hard choices: do you spend your limited amount of power on keeping the medicines cold, or do you keep the computer system running?

Right now, with paper records still so recent, staff may be able to dust off their old habits and revert, but ten years hence that won't be true. British Airways' 2018 holiday weekend IT collapse at Heathrow provides a great example of what happens when there is (apparently) no plan and less experience.

At the Atlantic, Alexis Madrigal warns that California's blackouts and wildfires are samples of our future; the toxic "technical debt" of accumulated underinvestment in American infrastructure is being exposed by the abruptly increased weight of climate change. How does it happen that the fifth largest economy in the world has millions of people with no electric power? The answer, Madrigal (and others) writes, is the diversion to shareholders' dividends of capital that should have been spent improving the grid and burying power lines. Add higher temperatures, less rainfall, and exceptional drought, and here's your choice: power outages or fires?

Someone like me, with a relatively simple life, a lot of paper records, sufficient resources, and a support network of friends and shopkeepers, can manage. Someone on a zero-hours contract, whose life and work depend on their phone, who can't cook, and doesn't know how to navigate the world of people if they can't check the website to find out why the water is out...can't. In these crises we always hear about the sick and the elderly, but I also worry about the 20-somethings whose lives are predicated on the Internet always being there because it always has been.

A forgotten aspect is the loss of social infrastructure, as Aditya Chakrabortty writes in the Guardian. Everyone notes that since online retail has bitten great chunks off Britain's high streets, stores have closed and hub businesses like banks have departed. Chakrabortty points out that this is only half of the depredation in those towns: the last ten years of Conservative austerity have sliced away social support systems such as youth clubs and libraries. Those social systems are the caulk that gives resilience in times of stress, and they are vanishing.

Both pieces ought to be taken as a serious warning about the many kinds of capital we are burning through, especially when read in conjunction with Derek Thompson's contention that the "millennial lifestyle" is ending. "If you wake up on a Casper mattress, work out with a Peloton before breakfast, Uber to your desk at a WeWork, order DoorDash for lunch, take a Lyft home, and get dinner through Postmates, you've interacted with seven companies that will collectively lose nearly $14 billion this year," he observes. He could have added Netflix, whose 2019 burn rate is $3 billion. And, he continues, WeWork's travails are making venture capitalists and bond markets remember that losing money, long-term, is not a good bet, particularly when interest rates start to rise.

So: climate crisis, brittle systems, and unsustainable lifestyles. We are burning through every kind of capital at pace.

Illustrations: California wildfire, 2008.


September 6, 2019

Traffic stop

In a week when Brexit has been at peak chaos generation, it's astonishing how little attention has been paid to what would happen to data flows if the UK exits the EU on October 31 with no agreement in place. At a stroke, the UK would become a "third country" in data protection parlance. Granted, at the instant of withdrawal, under the Withdrawal Act (2018), all EU law is immediately incorporated into UK law - which in turn means that the General Data Protection Regulation, which came into force in 2018, is recreated as a UK law. But as far as I can tell, there still has to be a decision that the UK's data protection regime qualifies under EU law as adequate for data flows to continue unimpeded from the EU27 into the UK.

Which means that at the very least a no-deal Brexit will deliver a lengthy delay while the European Commission makes that decision. Most of the other things people are worrying about since the leaked "Yellowhammer" documents outlining the government's expectations in case of a no-deal exit alerted the country to the likely disruption - food, medicines, Customs and immigration clearance - have widespread impact but are comparatively confined to one or a few sectors. Data is *everything*. Food and medicine supply chains, agriculture, national security, immigration, airline systems...there is hardly an aspect of this country's life that won't be disrupted if data flows can't continue. As DP Network explains it, the process of assessing the adequacy of the UK's data protection regime can't even start until the UK has left - and can take months or even years. During that time, the UK can send data to the EU perfectly well - but transfers the other way will require a different legal framework. The most likely is Standard Contractual Clauses - model clauses that are already approved that can be embedded in contracts with suppliers and partners. I haven't seen any assessment of what kind of progress companies have made in putting these in place.

But this, too, is not assured. These clauses form part of the second case brought to the Court of Justice of the European Union by Max Schrems, the Austrian lawyer whose court action brought down Safe Harbor in 2015. Schrems 2.0 calls into question the legal validity of those SCCs as part of his challenge to Privacy Shield, the EU/US agreement that replaced Safe Harbor in 2016. Schrems himself believes that SCCs can meet the adequacy standard if they are properly enforced, and that they can be used to stop specific illegal transfers. For larger companies with lawyers on call, SCCs may be a reasonable option. It's harder to see how smaller companies will cope. The Information Commissioner's Office has advice. Its guidance on international transfers refers businesses to the European Data Protection Bureau's note on the subject (PDF), which outlines the options.

That's if there's a no-deal crash-out. The Withdrawal Agreement, which Theresa May tried three times to get through Parliament and saw voted down three times, has provisions preserving the status quo - unimpeded data flows - until at least 2020 as part of the transition period. This is the agreement that Boris Johnson is grandstanding about, insisting that the EU must and will make changes and that negotiations are ongoing - which the EU denies. I believe the EU, if only because for the last three years it has consistently done what it said it would do, whereas Boris Johnson...

While the UK of course participated in the massive legislative exercise that led to GDPR, it's worth remembering that a number of the business-oriented ministers of the day were not fans of some of its provisions and wanted it watered down. No matter how Brexit comes out, however, the UK will not get to do this: GDPR, like Richard Stallman's GNU license, carries with it like a stowaway the pay-it-forward requirement that future use of the same material must be subject to its rules. The UK can choose: it can be a "vassal state" and "surrender" to ongoing EU enhancements to data protection - OR it can cut itself off entirely from the modern international business world.

It's not clear if any of the data issues have filtered through into the public consciousness, perhaps because stopped data flows, as SA Mathieson writes at The Register, don't sound like much compared to the specter of bare supermarket shelves. Mathieson goes into some detail about the fun businesses are going to have: EU-based travel agencies that can't transfer tourists' data to the hotels they've booked, internal transfers within companies with offices spread across several countries, financial services... If "data is the new oil", then we're talking banning all the tankers. No wonder the EU is reportedly regarding no-deal Brexit as the equivalent of a natural disaster, and accordingly setting aside funds to mitigate the damage.


Illustrations: Dead-end sign.


July 12, 2019

Public access

In the fantasy TV show The West Wing, when fictional US president Jed Bartlet wants to make campaign phone calls, he departs the Oval Office for the "residence", a few feet away, to avoid confusing his official and political roles. In reality, even before the show began in 1999, the Internet was altering the boundaries between public and private; the show's end in 2006 coincided with the founding of Twitter, which is arguably completing the job.

The delineation of public and private is at the heart of a case filed in 2017 by seven Twitter users backed by the Knight First Amendment Institute against US president Donald Trump. Their contention: Trump violated the First Amendment by blocking them for responding to his tweets with criticism. That Trump is easily offended is not news. But, their lawyers argued, because Trump uses his Twitter account in his official capacity as well as for personal and campaign purposes, barring their access to his feed means effectively barring his critics from participating in policy. I liked their case. More important, lawyers liked their case; the plaintiffs cited many instances where Trump or members of his administration had characterized his tweets as official policy.

In May 2018, Trump lost in the Southern District of New York. This week, the US Court of Appeals for the Second Circuit unanimously upheld the lower court. Trump is perfectly free to block people from a personal account where he posts his golf scores as a private individual, but not from an account he uses for public policy announcements, however improvised and off-the-cuff they may be.

At The Volokh Conspiracy, Stuart Benjamin finds an unexplored tension between the government's ability to designate a space as a public forum and the fact that a privately-owned company sets the forum's rules. Here, as Lawrence Lessig showed in 1999, system design is everything. The government's lawyers contended that Twitter's lack of tools for account-holders leaves Trump with the sole option of blocking them. Benjamin's answer is: Trump didn't have to choose Twitter for his forum. True, but what other site would so reward his particular combination of impulsiveness and desperate need for self-promotion? A moderated blog, as Benjamin suggests, would surely have all the life sucked out of it by being ghost-written.

Trump's habit of posting comments that would get almost anyone else suspended or banned has been frequently documented - see for example Cory Scarola at Inverse in November 2016. In 2017, Jack Moore at GQ begged Twitter to delete his account to keep us all safer after a series of tweets in which Trump appeared to threaten North Korea with nuclear war. The site's policy team defended its decision not to delete the tweets on the grounds of "public interest". At the New York Times, Kara Swisher (heralding the piece on Twitter with the neat twist on Sartre, Hell is other tweeters) believes that the ruling will make a full-on Trump ban less likely.

Others have wondered whether the case gives Americans that Twitter has banned for racism and hate speech the right to demand readmission by claiming that they are being denied their First Amendment rights. Trump was already known to be trying to prove that social media sites are systemically biased towards banning far-right voices; those are the people he invited to the White House this week for a summit on social media.

It seems to me, however, that the judges in this case have correctly understood the difference between being banned from a public forum because of your own behavior and being banned because the government doesn't like your kind. The first can and does happen in every public space anywhere; as a privately-owned space, Twitter is free to make such decisions. But when the government decides to ban its critics, that is censorship, and the First Amendment is very clear about it. It's logical enough, therefore, to feel that the court was right.

Female politicians, however, probably already see the downside. Recently, Amnesty International highlighted the quantity and ferocity of abuse they get. No surprise that within a day the case was being cited by a Twitter user suing Alexandria Ocasio-Cortez for blocking him. How this case resolves will be important; we can't make soaking up abuse the price of political office, while the social media platforms are notoriously unresponsive to such complaints.

No one needs an account to read any Twitter user's unprotected tweets. Being banned costs the right to interact, not the right to read. But because many tweets turn into long threads of public discussion it makes sense that the judges viewed the plaintiffs' loss as significant. One consequence, though, is that the judgment conceptually changes Trump's account from a stream through an indivisible pool into a subcommunity with special rules. Simultaneously, the company says it will obscure - though not delete - tweets from verified accounts belonging to politicians and government officials with more than 100,000 followers that violate its terms and conditions. I like this compromise: yes, we need to know if leaders are lighting matches, but it shouldn't be too easy to pour gasoline on them - and we should be able to talk (non-abusively) back.


Illustrations: The West Wing's Jed Bartlet making phone calls from the residence.


June 28, 2019

Failure to cooperate

In her 2015 Pulitzer Prize-winning play, Sweat, on display nightly in London's West End until mid-July, Lynn Nottage explores class and racial tensions in the impoverished, post-industrial town of Reading, PA. In scenes alternating between 2000 and 2008, she explores the personal-level effects of twin economic crashes, corporate outsourcing decisions, and tribalism: friends become opposing disputants; small disagreements become violent; and the prize for "winning" shrinks to scraps. Them who has, gets; and from them who have little, it is taken.

Throughout, you wish the characters would recognize their real enemies: the company whose steel tubing factory has employed them for decades, their short-sighted union, and a system that structurally short-changes them. The pain of the workers when they are locked out is that of an unwilling divorce, abruptly imposed.

The play's older characters, who would be in their mid-60s today, are of the age to have been taught that jobs were for life. They were promised pensions and could look forward to wage increases at a steady and predictable pace. None are wealthy, but in 2000 they are financially stable enough to plan vacations, and their children see summer jobs as a viable means of paying for college and climbing into a better future. The future, however, lies in the Spanish-language leaflets the company is distributing to frustrated immigrants the union has refused to admit and who will work for a quarter the price. Come 2008, the local bar is run by one of those immigrants, who of necessity caters to incoming hipsters. Next time you read an angry piece attacking Baby Boomers for wrecking the world, remember that it's a big demographic and only some were the destructors. *Some* Baby Boomers were born wreckage, some achieved it, and some had it thrust upon them.

We leave the characters there in 2008: hopeless, angry, and alienated. Nottage, who has a history of researching working class lives and the loss of heavy industry, does not go on to explore the inner workings of the "digital poorhouse" they're moving into. The phrase comes from Virginia Eubanks' 2018 book, Automating Inequality, which we unfortunately missed reviewing before now. If Nottage had pursued that line, she might have found what Eubanks finds: a punitive, intrusive, judgmental, and hostile benefits system. Those devastated factory workers must surely have done something wrong to deserve their plight.

Eubanks presents three case studies. In the first, struggling Indiana families navigate the state's new automated welfare system, a $1.3 billion, ten-year privatization effort led by IBM. Soon after its 2006 launch, it began sending tens of thousands of families notices of refusal on this Kafkaesque basis: "Failure to cooperate". Indiana eventually canceled IBM's contract, and the two have been suing each other ever since. Not represented in court is, as Eubanks says, the incalculable price paid in the lives of the humans the system spat out.

In the second, "coordinated entry" matches homeless Los Angelenos to available resources in order of vulnerability. The idea was that standardizing the intake process across all possible entryways would help the city reduce waste and become more efficient while reducing the numbers on Skid Row. The result, Eubanks finds, is an unpredictable system that mysteriously helps some and not others, and that ultimately fails to solve the underlying structural problem: there isn't enough affordable housing.

In the third, a Pennsylvania predictive system is intended to identify children at risk of abuse. Such systems are proliferating widely and controversially for varying purposes, and all raise concerns about fairness and transparency: custody decisions (Durham, England), gang membership and gun crime (Chicago and London), and identifying children who might be at risk (British local councils). All these systems gather and retain, perhaps permanently, huge amounts of highly intimate data about each family. The result in Pennsylvania was to deter families from asking for the help they're actually entitled to, lest they become targets to be watched. Some future day, those same records may pop when a hostile neighbor files a minor complaint, or haunt their now-grown children when raising their own children.

All these systems, Eubanks writes, could be designed to optimize access to benefits instead of optimizing for efficiency or detecting fraud. I'm less sanguine. In prior art, Danielle Citron has written about the difficulties of translating human law accurately into programming code, and the essayist Ellen Ullman warned in 1996 that even those with the best intentions eventually surrender to computer system imperatives of improving data quality, linking databases, and cross-checking, the bedrock of surveillance.

Eubanks repeatedly writes that middle class people would never put up with this level of intrusion. They may have no choice. As Sweat highlights, many people's options are shrinking. Refusal is only possible for those who can afford to buy their help, an option increasingly reserved for a privileged few. Poor people, Eubanks is frequently told, are the experimental models for surveillance that will eventually be applied to all of us.

In 2017, Cathy O'Neil argued in Weapons of Math Destruction that algorithmic systems can be designed for fairness. Eubanks' analysis suggests that view is overly optimistic: the underlying morality dates back centuries. Digitization has, however, exacerbated its effects, as Eubanks concludes. County poorhouse inmates at least had the community of shared experience. Its digital successor squashes and separates, leaving each individual to drink alone in that Reading bar.


Illustrations: Sweat's London production poster.


June 21, 2019

Party games

To anyone not born in the UK, and to many who were, the ongoing British Conservative party leadership contest - which doubles as a contest to replace the in-office Prime Minister - is a weird mix of decaying feudalism and pointlessness. On Tuesday, the five then-remaining candidates perched awkwardly on BBC stools and answered questions submitted by the public. This, despite the fact that the public at large has no vote. After a series of elimination rounds in which only Conservative MPs vote, the final two will make their case to the estimated 124,000 members of the Conservative party. The nearest US analogue to this particular contest, which began with 11 candidates, is today's 24-Democrat nomination field - if the final choice were up to a group only modestly larger than the population of Vermont and the person selected were about to take over the presidency.

In one sense, the least democratic part of this is the MPs-only selection of the shortlist. Yet they are doing what the electoral college was supposed to do: represent their constituents' wishes based on their greater and more intimate knowledge of the candidates. Yet if you've seen the transition episode in which Yes, Minister's Jim Hacker is lifted to the top job, instead you imagine these MPs all elbowing each other to further their own interests, making deals, weaponizing that personal knowledge, and discovering their inner killer instincts.

My sense in reading the briefing produced by the House of Commons researchers (PDF) on the history of these contests is that they are gradually becoming more presidential over time, though not more democratic. Until 1965, the new party leader "emerged" from back room discussions. You can see the remnants of this method in that Yes, Minister episode ("Party Games") as senior civil servants mull the right choice. Their criteria: easily manipulated, no "silly notions about running the country", and won't split the party. Hacker finally locks down the job by convincing the press he has blocked an onerous EC plan to standardize Euro sausages and make British sausages illegal.

Europe: a scapegoat then, as now. In Tuesday evening's debate, the four not-Rory Stewart candidates competed on two things: tax cuts, which Stewart correctly pointed out the country can't afford, and which one was more likely to deliver Brexit, which Stewart correctly pointed out cannot be solved by any of their proposals. Meanwhile, weary MPs are speculating how soon the next contest will be, while journalists are mulling which outcome makes the best story and for how long. A YouGov poll this week found Conservative party members will sacrifice almost anything - their party, Scotland, Northern Ireland - for Brexit. Anything except a Labour government.

The reason I said "more presidential" is that slowly but surely over the last 30 to 40 years the campaigns for party leadership have become more public-facing, personality-driven, and expensive. The library note says that in 2016 the spending limit was £135,000 per candidate. Granted, even this year's limit of £150,000 seems piddling to anyone in the US, but in a three-week contest in which only party members can vote, what on earth do they spend it on? Given the Electoral Commission spending limits for general elections, it's arguable that blanketing the country with hustings for this run-off is a cheater's way of getting ahead on campaigning for the general election that everyone thinks is inevitably coming soon.

Over the same time, government power has been concentrating toward the center, a trend helped by austerity, which has seen cuts of almost 60% to local authority budgets. While I've long deplored the fact that the British system is in effect an elected dictatorship - since a party with a big enough majority in the House of Commons can push through any legislation it likes - allowing a cult of Prime Ministerial personality to take hold in a country with no written constitution to guarantee the separation of powers seems dangerous. The one saving grace used to be that the government's legitimacy could be challenged at any time - and that was greatly watered down with the passage of the Fixed-term Parliaments Act (2011).

The contest for power between Parliament and the Prime Minister has been a notable feature of politics since the 2016 EU referendum. Theresa May's original plan was to give notice of withdrawal to the EU without Parliament's approval. It took activist Gina Miller to bring a legal case to challenge the government's authority to act unilaterally. She won in the High Court of Justice, and then again on appeal in the Supreme Court.

We last discussed Brexit here only three months ago, shortly before the original March 29 deadline. It seems like eternity. The new deadline, October 31, is eighteen weeks away in calendar time, but after you subtract four weeks of campaigning, another to vote, summer holidays, and three weeks of party conferences starting in mid-September, there's barely a handful of days of Parliamentary time. The Conservative party candidates are clearly rearranging the deck chairs on the Titanic. But is it their shrinking party, Brexit, or the country that's the ship?


Illustrations: Tuesday's BBC debate (left to right: Emily Maitlis, Boris Johnson, Jeremy Hunt, Michael Gove, Sajid Javid, Rory Stewart).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

March 22, 2019

Layer nine

Is it possible to regulate the internet without killing it?

Before you can answer that you have to answer this: what constitutes killing the Internet? The Internet Society has a sort of answer, which is a list of what it calls Internet invariants, a useful phrase that is less attackable as "solutionism" by Evgeny Morozov than alternatives that portray the Internet as if it were a force of nature instead of human-designed and human-made.

Few people watching video on their phones on the Underground care about this, but networking specialists view the Internet as a set of layers. I don't know the whole story, but in the 1980s researchers, particularly in Europe, put a lot of work into conceptualizing a seven-layer networking model, Open Systems Interconnection. By 1991, however, a company CEO told me, "I don't know why we need it. TCP/IP is here now. Why can't we just use that?" TCP/IP are the Internet protocols, so that conversation showed the future. However, people still use the concepts OSI built. The bottom, physical layers, are the province of ISPs and telcos. The ones the Internet Society is concerned about are the ones concerning infrastructure and protocols - the middle layers. Layer 7, "Application", is all the things users see - and politicians fight over.

We are at a layer the OSI model failed to recognize, identified by the engineer Evi Nemeth. We - digital and human rights activists, regulators, policy makers, social scientists, net.wars readers - are at layer 9.

So the question we started with might also be phrased, "Is it possible to regulate the application layer while leaving the underlying infrastructure undamaged?" Put like that, it feels like it ought to be. Yet aspects of Internet regulation definitely entangle downwards. Most are surveillance-related, such as the US requirement that ISPs enable interception and data retention. Emerging demands for localized data storage and the General Data Protection Regulation also may penetrate more deeply while raising issues of extraterritorial jurisdiction. GDPR seeds itself into other countries like the stowaway recursive clause of the GNU General Public License for software: both require their application to onward derivatives. Localized data storage demands blocks and firewalls instead of openness.

Twenty years ago, you could make this pitch to policy makers: if you break the openness of the Internet by requiring a license to start an online business, or implementing a firewall, or limiting what people can say and do, you will be excluded from the Internet's economic and social benefits. Since then, China has proved that a national intranet can still fuel big businesses. Meanwhile, as the retail sector craters and a new Facebook malfeasance surfaces near-daily, the policy maker might respond that the FAANG Fab Five pay far less in tax than the companies they've put out of business, employment precarity is increasing, and the FAANGs wield disproportionate power while enabling abusive behavior and the spread of extremism and violence. We had open innovation and this is what it brought us.

To old-timers this is all kinds of confusion. As I said recently on Twitter, it's subsets all the way down: Facebook is a site on the web, and the web is an application that runs on the Internet. They are not equivalents here. In countries where Facebook's Free Basics is zero-rated, the two are functionally equivalent.

Somewhere in the midst of a discussion yesterday about all this, it was interesting to consider airline safety. That industry understood very early that safety was crucial to its success. Within 20 years of the Wright Brothers' first flight in 1903, the nascent industry was lobbying the US Congress for regulation; the first airline safety bill passed in 1926. If the airline industry had instead been founded by the sort of libertarians who have dominated large parts of Internet development...well, the old joke about the exchange between General Motors and Bill Gates applies. The computer industry has gotten away with refusing responsibility for 40 years because they do not believe we'll ever stop buying their products, and we let it.

There's a lot to say about the threat of regulatory capture even in two highly regulated industries, medicine and air travel, and maybe we'll say it here one week soon, but the overall point is that outside of the open source community, most stakeholders in today's Internet lack the kind of overarching common goal that continues to lead airlines and airplane manufacturers to collaborate on safety despite also being fierce competitors. The computer industry, by contrast, has spent the last 50 years mocking government for being too slow to keep up with technological change while actively refusing to accept any product liability for software.

In our present context, the "Internet invariants" seem almost quaint. Yet I hope the Internet Society succeeds in protecting the Internet's openness because I don't believe our present situation means that the open Internet has failed. Instead, the toxic combination of neoliberalism, techno-arrogance, and the refusal of responsibility (by many industries - just today, see pharma and oil) has undermined the social compact the open Internet reflected. Regulation is not the enemy. *Badly-conceived* regulation is. So the question of what good regulation looks like is crucial.


Illustrations: Evi Nemeth's adapted OSI model, seen here on a T-shirt historically sold by the Internet Systems Consortium.


March 15, 2019

Schrödinger's Brexit


"What's it like over there now?" American friends keep asking as the clock ticks down to midnight on March 29. Even American TV seems unusually interested: last week's Full Frontal with Samantha Bee had Amy Hoggart explain in detail; John Oliver made it a centerpiece two weeks ago, and US news outlets are giving it as much attention as if it were a US story. They're even - so cute! - trying to pronounce "Taoiseach". Everyone seems fascinated by the spectacle of the supposedly stoic, intellectual British holding meaningless "meaningful" votes and avoiding making any decisions that could cause anyone to lose face. So this is what it's like to live through a future line in the history books: other countries fret on your behalf while you're trying to get lunch.

In 14 days, Britain will either still be a member of the European Union or it won't. It will have a deal describing the future relationship or it won't. Ireland will be rediscovering civil war or it won't. In two months, we will be voting in the European Parliamentary elections as if nothing has happened, or we won't. All possible outcomes lead to protests in Parliament Square.

No one expects to be like Venezuela. But no one knows what will happen, either. We were more confident approaching Y2K. At least then you knew that thousands of people had put years of hard work into remediating the most important software that could fail. Here...in January, returning from CPDP and flowing seamlessly via Eurostar from Brussels to London, my exit into St Pancras station held the question: is this the last time this journey will be so simple? Next trip, will there be Customs channels and visa checks? Where will they put them? There's no space.

A lot of the rhetoric both at the time of the 2016 vote and since has been around taking back control and sovereignty. That's not the Britain I remember from the 1970s, when the sense of a country recovering from the loss of its empire was palpable, middle class people had pay-as-you-go electric and gas meters, and the owner of a Glasgow fruit and vegetable shop stared at me when I asked for fresh garlic. In 1974, a British friend visiting an ordinary US town remarked, "You can tell there's a lot more money around in this country." And another, newly expatriate and struggling: "But at least we're eating real meat here." This is the pre-EU Britain I remember.

"I've worked for them, and I know how corrupt they are," a 70-something computer scientist said to me of the EU recently. She would, she said, "man the barriers" if withdrawal did not go through. We got interrupted before I could ask if she thought we were safer in the hands of the Parliament whose incompetence she had also just furiously condemned.

The country remains profoundly in disagreement. There may be as many definitions of "Brexit" as there are Leave voters. But the last three years have brought everyone together on one thing: no matter how they voted, where they're from, which party they support, or where they get their news, everyone thinks the political class has disgraced itself. Casually-met strangers laugh in disbelief at MPs' inability to put country before party or self-interest or say things like "It's sickening". Even Wednesday's hair's width vote taking No Deal off the table is absurd: the clock inexorably ticks toward exiting the EU with nothing unless someone takes positive action, either by revoking Article 50, or by asking for an extension, or by signing a deal. But action can get you killed politically. I've never cared for Theresa May, but she's prime minister because no one else was willing to take this on.

NB for the confused: in the UK "tabling a motion" means to put it up for discussion; in the US it means to drop it.

Quietly, people are making just-in-case preparations. One friend scheduled a doctor's appointment to ensure that he'd have in hand six months' worth of the medications he depends on. Others stockpile EU-sourced food items that may be scarce or massively more expensive. Anyone who can is applying for a passport from an EU country; many friends are scrambling to research their Irish grandparents and assemble documentation. So the people in the best position are the recent descendants of immigrants that would not now be welcome. It is unfair and ironic, and everyone knows it. A critical underlying issue, Danny Dorling and Sally Tomlinson write in their excellent and eye-opening Rule Britannia: Brexit and the End of Empire, is education that stresses the UK's "glorious" imperial past. Within the EU, they write, UK MEPs are most of the extreme right, and the EU may be better off - more moderate, less prone to populism - without the UK, while British people may achieve a better understanding of their undistinguished place in the world. Ouch.

The EU has never seemed irrelevant to digital rights activists. Computers, freedom, and privacy (that is, "net.wars") shows the importance of the EU in our time, when the US refuses to regulate and the Internet is challenging national jurisdiction. International collaboration matters.

Just as I wrote that, Parliament finally voted to take the smallest possible action and ask the EU for a two-month extension. Schrödinger needs a bigger box.

Illustrations: "Big Ben" (Aldaron, via Wikimedia).


February 28, 2019

Systemic infection

"Can you keep a record of every key someone enters?"

This question brought author and essayist Ellen Ullman up short when she was still working as a software engineer and it was posed to her circa 1996. "Yes, there are ways to do that," she replied after a stunned pause.

In her 1997 book Close to the Machine, Ullman describes the incident as "the first time I saw a system infect its owner". After a little gentle probing, her questioner, the owner of a small insurance agency, explained that now that he had installed a new computer system he could find out what his assistant, who had worked for him for 26 years and had picked up his children from school when they were small, did all day. "The way I look at it," he explained, "I've just spent all this money on a system, and now I get to use it the way I'd like to."

Ullman appeared to have dissuaded this particular business owner on this particular occasion, but she went on to observe that over the years she saw the same pattern repeated many times. Sooner or later, someone always realizes that the systems they have commissioned for benign purposes can be turned to making checks and finding out things they couldn't know before. "There is something...in the formal logic of programs and data, that recreates the world in its own image," she concludes.

I was reminded of this recently when I saw a report at The Register that the US state of New Jersey, along with two dozen others, may soon require any contractor working on a contract worth more than $100,000 to install keylogging software to ensure that they're actually working all the hours - one imagines that eventually, it will be minutes - they bill for. Veteran reporter Thomas Claburn goes on to note that the text of the bill was provided by TransparentBusiness, a maker of remote work management software, itself a trend.

Speaking as a taxpayer, I can see the point of ensuring that governments are getting full value for our money. But speaking as a freelance writer who occasionally has had to work on projects where I'm paid by the hour or day (a situation I've always tried to avoid by agreeing a rate for the whole job), the distrust inherent in such a system seems poisonous. Why are we hiring people we can't trust? Most of us who have taken on the risks of self-employment do so because one of the benefits is autonomy and a certain freedom from bosses. And now we're talking about the kind of intensive monitoring that in the past has been reserved for full-time employees - and that none of them have liked much either.

One of the first sectors that is already fighting its way through this kind of transition is trucking. In 2014, Cornell sociologist Karen Levy published the results of three years of research into the arrival of electronic monitoring into truckers' cabs as a response to safety concerns. For truckers, whose cabs are literally their part-time homes, electronic monitoring is highly intrusive; effectively, the trucking company is installing a camera and other sensors not just in their office but also in their living room and bedroom. Instead of using electronics to try to change unsafe practices, she argues, alter the economic incentives. In particular, she finds that the necessity of making a living at low per-mile rates pushes truckers to squeeze the unavoidable hours of unpaid work - waiting for loading and unloading, for example - into their statutory hours of "rest".

The result sounds like it would be familiar to Uber drivers or modern warehouse workers, even if Amazon never deploys the wristbands it patented in 2016. In an interview published this week, Data & Society Institute researcher Alex Rosenblat outlines the results of a four-year study of ride-hail drivers across the US and Canada. Forget the rhetoric that these drivers are entrepreneurs, she writes; they have a boss, and it's the company's algorithm, which dictates their on-the-job behavior and withholds the data they need to make informed decisions.

If we do nothing, this may be the future of all work. In a discussion last week, University of Leicester associate professor Phoebe Moore located "quantified work" at the intersection of two trends: first, the health-oriented self-quantified movement, and second the succeeding waves of workplace management from industrialization through time and motion study, scientific management, and today's organizational culture, where, as Moore put it, we're supposed to "love our jobs and identify with our employer". The first of these has led to "wellness" programs that, particularly in the US, helped grant employers access to vastly more detailed personal data about their employees than has ever been available to them before.

Quantification, the combination of the two trends, Moore warns at Medium, will alter the workplace's social values by tending to pit workers against each other, race track style. Vendors now claim predictive power for AI: which prospective employees fit which jobs, or when staff may be about to quit or take sick leave. One can, as Moore does, easily imagine that, despite the improvements AI can bring, the AI-quantified workplace will be intensively worker-hostile. The infection continues to spread.


Illustrations: HAL, from 2001: A Space Odyssey (1968).


February 14, 2019

Copywrong

Just a couple of weeks ago it looked like the EU's proposed reform of the Copyright Directive, last updated in 2001, was going to run out of time. In the last three days, it's revived, and it's heading straight for us. As Joe McNamee, the outgoing director of European Digital Rights (EDRi), said last year, the EU seems bent on regulating Facebook and Google by creating an Internet in which *only* Facebook and Google can operate.

We'll start with copyright. As previously noted, the EU's proposed reforms include two particularly contentious clauses: Article 11, the "link tax", which would require anyone using more than one or two words to link to a news article elsewhere to get a license, and Article 13, the "upload filter", which requires any site older than three years *or* earning more than €10,000,000 a year in revenue to ensure that no user posts anything that violates copyright, and sites that allow user-generated content must make "best efforts" to buy licenses for anything they might post. So even a tiny site - like net.wars, which is 13 years old - that hosted comments would logically be required to license all copyrighted content in the known universe, just in case. In reviewing the situation at TechDirt, Mike Masnick writes, "If this becomes law, I'm not sure Techdirt can continue publishing in the EU." Article 13, he continues, makes hosting comments impossible, and Article 11 makes their own posts untenable. What's left?

To these known evils, the German Pirate Party MEP Julia Reda finds that the final text adds two more: limitations on text and data mining that allow rights holders to opt out under most circumstances, and - wouldn't you know it? - the removal of provisions that would have granted authors the right to proportionate remuneration (that is, royalties) instead of continuing to allow all-rights buy-out contracts. Many younger writers, particularly in journalism, now have no idea that as recently as 1990 limited contracts were the norm; the ability to resell and exploit their own past work was one reason the writers of the mid-20th century made much better livings than their counterparts do now. Communia, an association of digital rights organizations, writes that at least this final text can't get any *worse*.

Well, I can hear Brexiteers cry, what do you care? We'll be out soon. No, we won't - at least, we won't be out from under the Copyright Directive. For one thing, the final plenary vote is expected in March or April - before the May European Parliament general election. The good side of this is that UK MEPs will have a vote, and can be lobbied to use that vote wisely; from all accounts the present agreed final text settled differences between France and Germany, against which the UK could provide some balance. The bad side is that the UK, which relies heavily on exports of intellectual property, has rarely shown any signs of favoring either Internet users or creators against the demands of rights holders. The ugly side is that presuming this thing is passed before the UK brexits - assuming that happens - it will be the law of the land until or unless the British Parliament can be persuaded to amend it. And the direction of travel in copyright law for the last 50 years has very much been toward "harmonization".

Plus, the UK never seems to be satisfied with the amount of material its various systems are blocking, as the Open Rights Group documented this week. If the blocks in place weren't enough, Rebecca Hill writes at the Register: under the just-passed Counter-Terrorism and Border Security Act, clicking on a link to information likely to be useful to a person committing or preparing an act of terrorism is committing an offense. It seems to me that could be almost anything - automotive listings on eBay, chemistry textbooks, a *dictionary*.

What's infuriating about the copyright situation in particular is that no one appears to be asking the question that really matters, which is: what is the problem we're trying to solve? If the problem is how the news media will survive, this week's Cairncross Review, intended to study that exact problem, makes some suggestions. Like them or loathe them, they involve oversight and funding; none involve changing copyright law or closing down the Internet.

Similarly, if the problem is market dominance, try anti-competition law. If the problem is the increasing difficulty of making a living as an author or creator, improve their rights under contract law - the very provisions that Reda notes have been removed. And, finally, if the problem is the future of democracy in a world where two companies are responsible for poisoning politics, then delving into campaign finances, voter rights, and systemic social inequality pays dividends. None of the many problems we have with Facebook and Google are actually issues that tightening copyright law solves - nor is their role in spreading anti-science, such as this, just in from Twitter, anti-vaccination ads targeted at pregnant women.

All of those are problems we really do need to work on. Instead, the only problem copyright reform appears to be trying to solve is, "How can we make rights holders happier?" That may be *a* problem, but it's not nearly so much worth solving.


Illustrations: Anti-copyright symbol (via Wikimedia); Julia Reda MEP in 2016.


November 16, 2018

Septet

This week catches up on some things we've overlooked. Among them, in response to a Twitter comment: two weeks ago, on November 2, net.wars started its 18th unbroken year of Fridays.

Last year, the writer and documentary filmmaker Astra Taylor coined the term "fauxtomation" to describe things that are hyped as AI but that actually rely on the low-paid labor of numerous humans. In The Automation Charade she examines the consequences: undervaluing human labor and making it both invisible and insecure. Along these lines, it was fascinating to read that in Kenya, workers drawn from one of the poorest places in the world are paid to draw outlines around every object in an image in order to help train AI systems for self-driving cars. How many of us look at a self-driving car and see someone tracing every pixel?

***

Last Friday, Index on Censorship launched Demonising the media: Threats to journalists in Europe, which documents journalists' diminishing safety in western democracies. Italy takes the EU prize, with 83 verified physical assaults, followed by Spain with 38 and France with 36. Overall, the report found 437 verified incidents of arrest or detention and 697 verified incidents of intimidation. It's tempting - as in the White House dispute with CNN's Jim Acosta - to hope for solidarity in response, but it's equally likely that years of politicization have left whole sectors of the press as divided as any bullying politician could wish.

***

We utterly missed the UK Supreme Court's June decision in the dispute pitting ISPs against "luxury" brands including Cartier, Mont Blanc, and International Watch Company. The goods manufacturers wanted to force BT, EE, and the three other original defendants, which jointly provide 90% of Britain's consumer Internet access, to block more than 46,000 websites that were marketing and selling counterfeits. In 2014, the High Court ordered the blocks. In 2016, the Court of Appeal upheld that on the basis that without ISPs no one could access those websites. The final appeal was solely about who pays for these blocks. The Court of Appeal had said: ISPs. The Supreme Court decided instead that under English law innocent bystanders shouldn't pay for solving other people's problems, especially when solving them benefits only those others. This seems a good deal for the rest of us, too: being required to pay may constrain blocking demands to reasonable levels. It's particularly welcome after years of expanded blocking for everything from copyright, hate speech, and libel to data retention and interception that neither we nor ISPs much want in the first place.

***

For the first time the Information Commissioner's Office has used the Computer Misuse Act rather than data protection law in a prosecution. Mustafa Kasim, who worked for Nationwide Accident Repair Services, will serve six months in prison for using former colleagues' logins to access thousands of customer records and spam the owners with nuisance calls. While the case reminds us that the CMA still catches only the small fry, we see the ICO's point.

***

In finally catching up with Douglas Rushkoff's Throwing Rocks at the Google Bus, the section on cashless societies and local currencies reminded us that in the 1960s and 1970s, New Yorkers considered it acceptable to tip with subway tokens, even in the best restaurants. Who now would leave a Metro Card? Currencies may be local or national; cashlessness is global. It may be great for those who don't need to think about how much they spend, but it means all transactions are intermediated, with a percentage skimmed off the top for the middlefolk. The costs of cash have been invisible to us, as Dave Birch says, but it is public infrastructure. Cashlessness privatizes that without any debate about the social benefits or costs. How centralized will this new infrastructure become? What happens to sectors that aren't commercially valuable? When do those commissions start to rise? What power will we have to push back? Even on-the-brink Sweden is reportedly rethinking its approach for just these reasons. In a survey, only 25% wanted a fully cashless society.

***

Incredibly, 18 years after chad hung and people disposed in Bush versus Gore, ballots are still being designed in ways that confuse voters, even in Broward County, which should have learned better. The Washington Post tells us that in both New York and Florida ballot designs left people confused (seeing them, we can see why). For UK voters accustomed to a bit of paper with big names and boxes to check with a stubby pencil, it's baffling. Granted, the multiple federal races, state races, local officers, judges, referendums, and propositions in an average US election make ballot design a far more complex problem. There is advice available, from the US Election Assistance Commission, which publishes design best practices, but I'm reliably told it's nonetheless difficult to do well. On Twitter, Dana Chisnell provides a series of links that taken together explain some background. Among them is this one from the Center for Civic Design, which explains why voting in the US is *hard* - and not just because of the ballots.

***

Finally, a word of advice. No matter how cool it sounds, you do not want a solar-powered, radio-controlled watch. Especially not for travel. TMOT.

Illustrations: Chad 2000.


October 5, 2018

Once disgusted

"I never vote," said the man across the table. I thought I detected a little smugness.

"Why not?" I asked.

His response was not entirely articulate, but I got the gist: democracy is a con, and voting is making yourself its bitch. So yes, a bit smug. He was above all that. And he probably can afford to be: British, highly educated, skilled, securely employed in Germany.

This is one form of the politics of disgust, but not the worst one. There have always been smug people who believed they were too smart for democracy. Because we pay so much attention to billionaires, there seem to be more of them now. Jeff Bezos, celebrating becoming the world's richest man by musing carelessly on Twitter that all he could think of to spend it on was space travel, is an example. People had to remind him on Twitter that he could contribute socially by paying his warehouse workers better and ensuring his company pays its taxes. At least Bezos did respond by giving $2 billion to fund non-profits working against homelessness and create a network of pre-schools in low-income communities.

Personally, the worst aspect of the politics of disgust has been seeing formerly pleasant and reasonable people transform into fulminating repositories of anger. This was visible in the US at the end stages of the 2016 election, when some lifelong Democrats of my acquaintance were unable to bring themselves to "hold their noses" and vote for Hillary Clinton. It's visible in the UK now in conversations about the EU referendum when friends say "Both sides lied." Saying, "But Leave lied *more*" or "But Leave broke the law" makes no dent. Others can't mention Donald Trump or anyone who works for him without appending an extensive array of Godwin's Law expletives. You could see it, too, on the face of Senator Lindsey Graham (R-SC) when he ranted at those trying to do due diligence at the Senate Judiciary Committee hearings for Christine Blasey Ford and Brett Kavanaugh. You could also see it - repeatedly - on the face of Kavanaugh himself, though it's hard to tease out which of his grimaces were disgust and which were temper tantrum.

When it's facts that are in dispute, minds can be changed with evidence. When emotion overwhelms facts, emotions can be changed, with more difficulty, with interaction and empathy in a slow march back to reason.

Disgust is different. Once disgusted by something, you do not revisit it. Instead, you recoil at the thought - and you go on recoiling as a permanent response. Being asked to reconsider disgust is being asked to take back a bag of rotting garbage, or open all those containers of moldy food at the back of someone else's refrigerator, or pick up the weeks-old decaying rabbit you just found behind a box in the garage. You do it, you hate it, and you stop thinking about it as quickly as possible. From disgust, there is no way back.

And this is the state of our politics, in the US, in the UK, and doubtless increasingly elsewhere, too. It is incredibly damaging.

The late, great journalist Molly Ivins frequently noted that people who think politics is irrelevant to them fail to understand how intimately they can be affected by politicians' decisions. (Or, I would now add, they are deluded by wealth and privilege into believing they do not and have never needed anyone else's help.) Women in the US have grasped this intimate connection faster than most groups because issues of access to contraception and abortion are so directly personal. The US right's inability to live and let not-reproduce unfortunately means that reproductive rights have stolen the country's entire focus. Many people began allocating their vote in presidential elections based on Supreme Court futures in the 1980s; now, this habit is percolating into Senate races. The result is that, as an LA Congressman commented earlier this year, the biggest endemic nationwide issues - particularly poverty - are shut out of consideration.

What's worse is that disgust at politicians is being conflated with a more general historical distrust of government, particularly in the western half of the US. People literally do not know what government does for them, so they believe it doesn't matter. In his new book, The Fifth Risk, Michael Lewis visits the Departments of Energy, Agriculture, and Commerce to learn what they do and hear the briefings Donald Trump's transition team thought were not worth their time. Lewis finds brilliant, knowledgeable people working for mission rather than money to manage nuclear threats, ensure food safety and security, and build the science and data to underpin the nation's economic future. Politicians seize our - and especially the media's - attention because they put on a show. Government proceeds, unnoticed, in the background. As Lewis tells it, today's White House is breaking that all apart, partly through reckless negligence and wilful ignorance, partly through favoritism for commercial interests. Rebuilding will take decades.

This week, as disgust penetrated the politicians themselves at Kavanaugh's Supreme Court nomination hearings, we face the prospect of it spreading to the judiciary. Collaboration and balance are impossible in this destructive atmosphere. As the movie The Candidate asked in 1972, in one of history's top five cinematic endings, "What do we do now?"

Illustrations: Brett Kavanaugh, testifying before the Senate Judiciary Committee.


June 22, 2018

Humans

One of the problems in writing about privacy over the last nearly 30 years is that it's easy for many people to see it as a trivial concern when you look at what's going on in the world: terrorist attacks, economic crashes, and the rise of extremism. To many, the case for increasing surveillance "for your safety" is a reasonable one.

I've never believed the claim that people - young or old - don't care about their privacy. People do care about their privacy, but, as previously noted, it's complicated. The biggest area of agreement is money: hardly anyone publishes the details of their finances unless forced. But beyond that, people have different values about what is private, and who should know it. For some women, saying openly they've had abortions is an essential political statement to normalize a procedure and a choice that is under threat. For others, it's too personal to disclose.

The factors involved vary: personality, past experience, how we've been treated, circumstances. It is easy for those of us who were born into economic prosperity and have lived in sectors of society where the governments in our lifetimes have treated us benignly to underestimate the network externalities of the decisions we make.

In February 2016, when the UK's Investigatory Powers Act (2016) was still a mere bill under discussion, I wrote this:

This column has long argued that whenever we consider granting the State increased surveillance powers we should imagine life down the road if those powers are available to a government less benign than the present one. Now, two US 2016 presidential primaries in, we can say it thusly: what if the man wielding the Investigatory Powers Bill is Donald Trump?

Much of the rest of that net.wars focused on the UK bill and some aspects of the data protection laws. However, it also included this:

Finally, Privacy International found "thematic warrants" hiding in paragraph 212 of the explanatory notes and referenced in clauses 13(2) and 83 of the draft bill. PI calls this a Home Office attempt to disguise these as "targeted surveillance". They're so vaguely defined - people or equipment "who share a common purpose who carry on, or may carry on, a particular activity" - that they could include my tennis club. PI notes that such provisions contravene a long tradition of UK law that has prohibited general warrants, and directly conflict with recent rulings by the European Court of Human Rights.

It's hard to guess who Trump would turn this against first: Muslims, Mexicans, or Clintons.

The events of the last year and a half - parents and children torn apart at the border; the Border Patrol operating an 11-hour stop-and-demand-citizenship checkpoint on I-95 in Maine, legal under the 1953 rule that the "border" is a 100-mile swath in which the Fourth Amendment is suspended; and, well, you read the news - suggest the question was entirely fair.

Now, you could argue that universal and better identification could stop this sort of thing by providing the facility to establish quickly and unambiguously who has rights. You could even argue that up-ending the innocent-until-proven-guilty principle (being required to show papers on demand presumes that you have no right to be where you are until you prove you do) is worth it (although you'd still have to fight an angry hive of constitutional lawyers). I believe you'd be wrong on both counts. Identification is never universal; there are always those who lack the necessary resources to acquire it. The groups that wind up being disenfranchised by such rules are the most vulnerable members of the groups that are suffering now. It won't even deter those who profit from spreading hate - and yes, I am looking at the Daily Mail - from continuing to do so; they will merely target another group. The American experience already shows this. Despite being a nation of immigrants, Americans are taught that their own rights matter more than other people's; and as Hua Hsu writes in a New Yorker review of Nancy Isenberg's recent book, White Trash, that same view is turned daily on the "lower" parts of the US's classist and racist hierarchy.

I have come to believe that there is a causative link between violating people's human rights and the anti-privacy values of surveillance and control. The more horribly we treat people and the less we offer them trust, the more reason we have to think that they and their successors will want revenge - guilt and the expectation of punishment operating on a nation-state scale. The logic would then dictate that they must be watched even more closely. The last 20 years of increasing inequality have caused suspicion to burst the banks of "the usual suspects". "Privacy" is an inadequate word to convey all this, but it's the one we have.

A few weeks ago, I reminded a friend of the long-running mantra that if you have nothing to hide you have nothing to fear. "I don't see it that way at all," he said. "I see it as, I have nothing to hide, so why are you looking at me?"


Illustrations: 'Holy Mary full of grace, punch that devil in the face', book of hours ('The De Brailes Hours'), Oxford ca. 1240 BL, Add 49999, fol. 40V (via Discarding Images).



June 1, 2018

The three IPs

Against last Friday's date history will record two major European events. The first, as previously noted, is the arrival into force of the General Data Protection Regulation, which is currently inspiring a number of US news sites to block Europeans. The second is the amazing Irish landslide vote to repeal the 8th amendment to the country's constitution, which barred legislators from legalizing abortion. The vote led the MEP Luke Ming Flanagan to comment that, "I always knew voters were not conservative - they're just a bit complicated."

"A bit complicated" sums up nicely most people's views on privacy; it captures perfectly the cognitive dissonance of someone posting on Facebook that they're worried about their privacy. As Merlin Erroll commented, terrorist incidents help governments claim that giving them enough information will protect you. Countries whose short-term memories include human rights abuses set their balance point differently.

The occasion for these reflections was the 20th birthday of the Foundation for Information Policy Research. FIPR head Ross Anderson noted on Tuesday that FIPR isn't a campaigning organization, "But we provide the ammunition for those who are."

Led by the late Caspar Bowden, FIPR was most visibly activist in the late 1990s lead-up to the passage of the now-replaced Regulation of Investigatory Powers Act (2000). FIPR in general and Bowden in particular were instrumental in making the final legislation less dangerous than it could have been. Since then, FIPR helped spawn the 15-year-old European Digital Rights and UK health data privacy advocate medConfidential.

Many speakers noted how little the debates have changed, particularly regarding encryption and surveillance. In the case of encryption, this is partly because mathematical proofs are eternal, and partly because, as Yes, Minister co-writer Antony Jay said in 2015, large organizations such as governments always seek to impose control. "They don't see it as anything other than good government, but actually it's control government, which is what they want." The only change, as Anderson pointed out, is that because today's end-to-end connections are encrypted, the push for access has moved to people's phones.

Other perennials include secondary uses of medical data, which Anderson debated in 1996 with the British Medical Association. Among significant new challenges, Anderson, like many others, noted the problems of safety and sustainability. The need to patch devices that can kill you changes our ideas about the consequences of hacking. How do you patch a car over 20 years? he asked. One might add: how do you stop a botnet of pancreatic implants without killing the patients?

We've noted here before that built infrastructure tends to attract more of the same. Today, said Duncan Campbell, 25% of global internet traffic transits the UK; Bude, Cornwall remains the critical node for US-EU data links, as in the days of the telegraph. As Campbell said, the UK's traditional position makes it perfectly placed to conduct global surveillance.

One of the most notable changes in 20 years: there were no less than two speakers whose open presence would have been unthinkable: Ian Levy, the technical director of the National Cyber Security Centre, the defensive arm of GCHQ, and Anthony Finkelstein, the government's chief scientific advisor for national security. You wouldn't have seen them even ten years ago, when GCHQ was deploying its Mastering the Internet plan, known to us courtesy of Edward Snowden. Levy made a plea to get away from the angels versus demons school of debate.

"The three horsemen, all with the initials 'IP' - intellectual property, Internet Protocol, and investigatory powers - bind us in a crystal lattice," said Bill Thompson. The essential difficulty he was getting at is that it's not that organizations like Google DeepMind and others have done bad things, but that we can't be sure they haven't. Being trustworthy, said medConfidential's Sam Smith, doesn't mean you never have to check the infrastructure but that people *can* check it if they want to.

What happens next is the hard question. Onora O'Neill suggested that our shiny, new GDPR won't work, because it's premised on the no-longer-valid idea that personal and non-personal data are distinguishable. Within a decade, she said, new approaches will be needed. Today, consent is already largely a façade; true consent requires understanding and agreement.

She is absolutely right. Even today's "smart" speakers pose a challenge: where should my Alexa-enabled host post the privacy policy? Is crossing their threshold consent? What does consent even mean in a world where sensors are everywhere and how the data will be used and by whom may be murky? Many of the laws built up over the last 20 years will have to be rethought, particularly as connected medical devices pose new challenges.

One of the other significant changes will be the influx of new and numerous stakeholders whose ideas about what the internet is are very different from those of the parties who have shaped it to date. The mobile world, for example, vastly outnumbers us; the Internet of Things is being developed by Asian manufacturers from a very different culture.

It will get much harder from here, I concluded. In response, O'Neill was not content. It's not enough, she said, to point out problems. We must propose at least the bare bones of solutions.


Illustrations: 1891 map of telegraph lines (via Wikimedia)



April 6, 2018

Leverage

Well, what's 37 million or 2 billion scraped accounts more or less among friends? The exploding hairball of the Facebook/Cambridge Analytica scandal keeps getting bigger. And, as Rana Dasgupta writes in the Guardian, we are complaining now because it's happening to us, but we did not notice when these techniques were tried out first in third-world countries. Dasgupta has much to say about how nation-states will have to adapt to these conditions.

Given that we will probably never pin down every detail of how much data and where it went, it's safest to assume that all of us have been compromised in some way. The smug "I've never used Facebook" population should remember that they almost certainly exist in the dataset, by either reference (your sister posts pictures of "my brother's birthday") or inference (like deducing the existence, size, and orbit of an unseen planet based on its gravitational pull on already-known objects).

Downloading our archives tells us far less than people recognize. My own archive had no real surprises (my account dates from 2007, but I post little and adblock the hell out of everything). The shock many people have experienced of seeing years of messages and photographs laid out in front of them, plus the SMS messages and call records that Facebook shouldn't have been retaining in the first place, hides the fact that these archives are a very limited picture of what Facebook knows about us. It shows us nothing about information posted about us by others, photos others have posted and tagged, or comments made in response to things we've posted.

The "me-ness" of the way Facebook and other social media present themselves was called out by Christian Fuchs in launching his book Digital Demagogue: Authoritarian Capitalism in the Age of Trump and Twitter. "Twitter is a me-centred medium. 'Social media' is the wrong term, because it's actually anti-social, Me media. It's all about individual profiles, accumulating reputation, followers, likes, and so on."

Saying that, however, plays into Facebook's own public mythology about itself. Facebook's actual and most significant holdings about us are far more extensive, and the company derives its real power from the complex social graphs it has built and the insights that can be gleaned from them. None of that is clear from the long list of friends. Even more significant is how Facebook matches up user profiles to other public records and social media services and with other brokers' datasets - but the archives give us no sense of that either. Facebook's knowledge of you is also greatly enhanced - as is its ability to lock you in as a user - if you, like many people, have opted to use Facebook credentials to log into third-party sites. Undoing that is about as easy and as much fun as undoing all your direct debit payments in order to move your bank account.

Facebook and the other tech companies are only the beginning. There's a few people out there trying to suggest Google is better, but Zeynep Tufekci discovered it had gone on retaining her YouTube history even though she had withdrawn permission to do so. As Tufekci then writes, if a person with a technical background whose job it is to study such things could fail to protect her data, how could others hope to do so?

But what about publishers and the others dependent on that same ecosystem? As Doc Searls writes, the investigative outrage on display in many media outlets glosses over the fact that they, too, are compromised. Third party trackers, social media buttons, Google analytics, and so on all deliver up readers to advertisers in increasing detail, feeding the business plans of thousands of companies all aimed at improving precision and targeting.

And why stop with publishers? At least they have the defense of needing to make a living. Government sites, libraries, and other public services do the same thing, without that justification. The Richmond Council website shows no ads - but it still uses Google Analytics, which means sending a steady stream of user data Google's way. Eventbrite, which everyone now uses for event sign-ups, is constantly exhorting me to post my attendance to Facebook. What benefit does Eventbrite get from my complying? It never says.

Meanwhile, every club, member organization, and creative endeavor begs its adherents to "like my page on Facebook" or "follow me on Twitter". While they see that as building audience and engagement, the reality is that they are acting as propagandists for those companies. When you try to argue against doing this, people will say they know, but then shrug helplessly and say they have to go where the audience is. If the audience is on Facebook, and it takes page likes to make Facebook highlight your existence, then what choice is there? Very few people are willing to contemplate the hard work of building community without shortcuts, and many seem to have come to believe that social media engagement as measured in ticks of approval is community, like Mark Zuckerberg tried to say last year.

For all these reasons, it's not enough to "fix Facebook". We must undo its leverage.


Illustrations: Facebook logo.


January 19, 2018

Expressionism

"Regulatory oversight is going to be inevitable," Adam Kinsley, Sky's director of policy, predicted on Tuesday. He was not alone in saying this is the internet's direction of travel, and we shouldn't feel too bad about it. "Regulation is not inherently bad," suggested Facebook's UK public policy manager, Karim Palant.

The occasion was the Westminster eForum's seminar on internet regulation (PDF). The discussion focused on the key question, posed at the outset by digital policy consultant Julian Coles: who is responsible, and for what? Free speech fundamentalists find it easy to condemn anything smacking of censorship. Yet even some of them are demanding proactive removal of some types of content.

Two government initiatives sparked this discussion. The first is the UK's Internet Safety Strategy green paper, published last October. Two aspects grabbed initial attention: a levy on social media companies and age verification for pornography sites, now assigned to the British Board of Film Classification to oversee. But there was always more to pick at, as Evelyn Douek helpfully summarized at Lawfare. Coles' question is fundamental, and 2018 may be its defining moment.

The second, noted by Graham Smith, was raised by the European Commission at the December 2017 Global Internet Forum, and aims to force technology companies to take down extremist content within one to two hours of posting. Smith's description: "...act as detective, informant, arresting officer, prosecutor, defense, judge, jury, and prison warder all at once." Open Rights Group executive director Jim Killock added later that it's unreasonable to expect technology companies to do the right thing perfectly within a set period at scale, making no mistakes.

As Coles said - and as Old Net Curmudgeons remember - the present state of the law was largely set in the mid-to-late 1990s, when the goal of fostering innovation led both the US Congress (via Section 230 of the Communications Decency Act, 1996) and the EU (via the Electronic Commerce Directive, 2000) to hold that ISPs are not liable for the content they carry.

However, those decisions also had precedents of their own. The 1991 US case Cubby v. CompuServe ended in CompuServe's favor, holding it not liable for defamatory content posted to one of its online forums. In 2000, the UK's Godfrey v. Demon Internet successfully applied libel law to Usenet postings, ultimately creating the notice and takedown rules we still live by today. Also crucial in shaping those rules were Scientology's actions in 1994-1995 to remove its top-level secret documents from the internet.

In the simpler landscape when these laws were drafted, the distinction between access providers and content providers was cleaner. Before then, the early online services - CompuServe, AOL, and smaller efforts such as the WELL, CIX, and many others - were hybrids, social media platforms by a different name, providing access and a platform for content providers, who curated user postings and chat.

Eventually, when social media were "invented" (Coles's term; more correctly, when everything migrated to the web), today's GAFA (or, in the US, FAANG) inherited that freedom from liability. GAFA/FAANG straddle that briefly sharp boundary between pipes and content like the dead body on the Quebec-Ontario boundary sign in the Canadian film Bon Cop, Bad Cop. The vertical integration that is proceeding apace - Verizon buying AOL and Yahoo!; Comcast buying NBC Universal; BT buying TV sports rights - is setting up the antitrust cases of 2030 and ensuring that the biggest companies - especially Amazon - play many roles in the internet ecosystem. They might be too big for governments to regulate on their own (see also: paying taxes), but public and advertisers' opinions are joining in.

All of this history has shaped the status quo that Kinsley seems to perceive as somewhat unfair when he noted that the same video that is regulated for TV broadcast is not for Facebook streaming. Palant noted that Facebook isn't exactly regulation-free. Contrary to popular belief, he said, many aspects of the industry, such as data and advertising, are already "heavily regulated". The present focus, however, is content, a different matter. It was Smith who explained why change is not simple: "No one is saying the internet is not subject to general law. But if [Kinsley] is suggesting TV-like regulation...where it will end up is applying to newspapers online." The Authority for Television on Demand, active from 2010 to 2015, already tested this, he said, and the Sun newspaper got it struck down. TV broadcasting's regulatory regime was the exception, Smith argued, driven by spectrum scarcity and licensing, neither of which applies to the internet.

New independent Internet Watch Foundation chair Andrew Puddephatt listed five key lessons from the IWF's accumulated 21 years of experience: removing content requires clear legal definitions; independence is essential; human analysts should review takedowns, which have to be automated for reasons of scale; outside independent audits are also necessary; companies should be transparent about their content removal processes.

If there is going to be a regulatory system, this list is a good place to start. So far, it's far from the UK's present system. As Killock explained, PIPCU, CTRIU, and Nominet all make censorship decisions - but transparency, accountability, oversight, and the ability to appeal are lacking.


Illustrations: "Escher background" (from Discarding Images, Boccaccio, "Des cleres et nobles femmes" (French version of "De mulieribus claris"), France ca. 1488-1496, BnF, Français 599, fol. 89v).




December 1, 2017

Unstacking the deck

A couple of weeks ago, I was asked to talk to a workshop studying issues in decision-making in standards development organizations about why the consumer voice is important. This is what I think I may have said.

About a year ago, my home router got hacked thanks to a port deliberately left open by the manufacturer and documented (I now know) in somewhat vague terms on page 210 of a 320-page manual. The really important lesson I took from the experience was that security is a market failure: you can do everything right and still lose. The router was made by an eminently respectable manufacturer, sold by a knowledgeable expert, configured correctly, patched up to date, and yet still failed a basic security test. The underlying problem was that the manufacturer imagined that the port it left open would only ever be used by ISPs wishing to push updates to their customers and that ordinary customers would not be technically capable of opening the port when needed. The latter assumption is probably true, but the former is nonsense. No attacker says, "Oh, look, a hole! I wonder if we're allowed to use it." Consumers are defenseless against manufacturers who fail to understand this.

But they are also, as we have seen this year, defenseless against companies' changing business plans and models. In April, Google's Nest subsidiary decided to turn off devices made by Revolv, a company it bought in 2014 that made a smart home hub. Again, this is not a question of ending support for a device that continues to function as would have happened any time in the past. The fact that the hub is controlled by an app means both the hardware and the software can be turned off when the company loses interest in the product. These are, as Arlo Gilbert wrote at Medium, devices people bought and paid for. Where does Google get the right, in Gilbert's phrasing, to "reach into your home and pull the plug"?

In August, sound system manufacturer Sonos offered its customers two choices: accept its new privacy policy, which requires customers to agree to broader and more detailed data collection, or watch your equipment decline in functionality as updates are no longer applied and possibly cease to function. Here, the issue appears to be that Sonos wants its speakers to integrate with voice assistants, and the company therefore must conform to privacy policies issued by upstream companies such as Amazon. If you do not accept, eventually you have an ex-sound system. Why can't you accept the privacy policy if and only if you want to add the voice assistant?

Finally, in November, Logitech announced it would end service and support for its Harmony Hub devices in March 2018. This might have been a "yawn" moment except that "end of life" means "stop working". The company eventually promised to replace all these devices with newer Harmony Hubs, which can control a somewhat larger range of devices, but the really interesting thing is why it made the change. According to Ars Technica, Logitech did not want to renew an encryption certificate whose expiration will leave Harmony Link devices vulnerable to attacks. It was, as the linked blog posting makes plain, a business decision. For consumers and the ecologically conscientious, a wasteful one.

So, three cases where consumers, having paid money for devices in good faith, are either forced to replace them or accept being extorted for their data. In a world where even the most mundane devices are reconfigurable via software and receive updates over the internet, consumers need to be protected in new ways. Standards development organizations have a role to play in that, even if it's not traditionally been their job. We have accepted "Pay-with-data" as a tradeoff for "free" online; now this is "pay-with-data" as part of devices we've paid to buy.

The irony is that the internet was supposed to empower consumers by redressing the pricing information imbalance between buyers and sellers. While that has certainly happened, the incoming hybrid cyber-physical world will up-end that. We will continue to know a lot more about pricing than we used to, but connected software allows the companies that make the objects that clutter our homes to retain control of those items throughout their useful lives. In such a situation the power balance that applies is "Possession is nine-tenths of the law." And possession will no longer be measurable by the physical location of the object but by who has access to change what it does. Increasingly, that's not us. Consumers have no ability to test their cars for regulatory failures (VW) or know whether Uber is screwing the regulators or Uber drivers are screwing riders. This is a new imbalance of power we cannot fix by ourselves.

Worse, much of this will be invisible to us. All the situations discussed here became visible. But I only found out about the hack on my router because I am eccentric enough to run my own mail server and the spam my router sent got my outgoing email bounced when it caused an anti-spam service to blacklist my mail server. In the billion-object Internet of Things, such communications and many of their effects will primarily be machine-to-machine and hidden from human users, and the world will cease to function in unpredictable odd ways.

Illustrations: John Tenniel's Alice, under attack by a pack of cards.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

October 6, 2017

Send lawyers, guns, and money

There are many reasons why, Bryan Schatz finds at Mother Jones, people around Las Vegas disagree with President Donald Trump's claim that now is not the time to talk about gun control. The National Rifle Association probably agrees; in the past, it's been criticized for saving its public statements for proposed legislation and staying out of the post-shooting - you should excuse the expression - crossfire.

Gun control doesn't usually fit into net.wars' run of computers, freedom, and privacy subjects. There are two reasons for making an exception now. First, the discovery of the Firearm Owners Protection Act, which prohibits the creation of *any* searchable registry of firearms in the US. Second, the rhetoric surrounding gun control debates.

To take the second first, in a civil conversation on the subject, it was striking that the arguments we typically use to protest knee-jerk demands for ramped-up surveillance legislation in response to atrocious incidents are the same ones used to oppose gun control legislation. Namely: don't pass bad laws out of fear that do not make us safer; tackle underlying causes such as mental illness and inequality; put more resources into law enforcement/intelligence. In the 1990s crypto wars, John Perry Barlow deliberately and consciously adapted the NRA's slogan to create "You can have my encryption algorithm...when you pry it from my cold, dead fingers from my private key".

Using the same rhetoric doesn't mean both are right or both are wrong: we must decide on evidence. Public debates over surveillance do typically feature evidence about the mathematical underpinnings of how encryption works, day-to-day realities of intelligence work, and so on. The problem with gun control debates in the US is that evidence from other countries is automatically written off as irrelevant, and, more like the subject of copyright reform, lobbying money hugely distorts the debate.

The second issue touches directly on privacy. Soon after the news of the Las Vegas shooting broke, a friend posted a link to the 2016 GQ article Inside the Federal Bureau of Way Too Many Guns. In it, writer and author Jeanne Marie Laskas pays a comprehensive visit to Martinsburg, West Virginia, where she finds a "low, flat, boring building" with a load of shipping containers kept out in the parking lot so the building's floors don't collapse under the weight of the millions of gun license records they contain. These are copies of federal form 4473, which is filled out at the time of gun purchases and retained by the retailer. If a retailer goes out of business, the forms it holds are shipped to the tracing center. When a law enforcement officer anywhere in the US finds a gun at a crime scene, this is where they call to trace it. The kicker: all those records are eventually photographed and stored on microfilm. Miles and miles of microfilm. Charlie Houser, the tracing center's head, has put enormous effort into making his human-paper-microfilm system as effective and efficient as possible; it's an amazing story of what humans can do.

Why microfilm? Gun control began in 1968, five years after the shooting of President John F. Kennedy. Even at that moment of national grief and outrage, the only way President Lyndon B. Johnson could get the Gun Control Act passed was to agree not to include a clause he wanted that would have set up a national gun registry to enable speedy tracing. In 1986, the NRA successfully lobbied for the Firearm Owners Protection Act, which prohibits the creation of *any* registry of firearms. What you register can be found and confiscated, the reasoning apparently goes. So, while all the rest of us engaged in every other activity - getting health care, buying homes, opening bank accounts, seeking employment - were being captured, collected, profiled, and targeted, the one group whose activities are made as difficult to trace as possible is...gun owners?

It is to boggle.

That said, the reasons why the American gun problem will likely never be solved include the already noted effect of lobbying money and, as E.J. Dionne Jr., Norman J. Ornstein and Thomas E. Mann discuss in the Washington Post, the non-majoritarian democracy the US has become. Even though majorities in both major parties favor universal background checks and most Americans want greater gun control, Congress "vastly overrepresents the interests of rural areas and small states". In the Senate that's by design to ensure nationwide balance: the smallest and most thinly populated states have the same number of senators - two - as the biggest, most populous states. In Congress, the story is more about gerrymandering and redistricting. Our institutions, they conclude, are not adapting to rising urbanization: 63% in 1960, 84% in 2010.

Besides those reasons, the identification of guns and personal safety endures, chiefly in states where at one time it was true.

A month and a half ago, one of my many conversations around Nashville went like this, after an opening exchange of mundane pleasantries:

"I live in London."

"Oh, I wouldn't want to live there."

"Why?"

"Too much terrorism." (When you recount this in London, people laugh.)

"If you live there, it actually feels like a very safe city." Then, deliberately provocative, "For one thing, there are practically no guns."

"Oh, that would make me feel *un*safe."

Illustrations: Las Vegas strip, featuring the Mandalay Bay; an ATF inspector checks up on a gun retailer.


September 22, 2017

Fakeout

"Fake news is not some unfortunate consequence," the writer and policy consultant Maria Farrell commented at the UK Internet Governance Forum last week. "It is the system working as it should in the attention economy."

The occasion was a panel featuring Simon Milner, Facebook's UK policy director; Carl Miller, from the Demos think tank; James Cook, Business Insider UK's technology editor; the MP and shadow minister for industrial strategy Chi Onwurah (Labour - Newcastle upon Tyne Central); and, as moderator, Nominet chair Mark Wood.

They all agreed to disagree on the definition of "fake news". Cook largely saw it as a journalism problem: fact checkers and sub-editors are vanishing. Milner said Facebook has a four-pronged strategy: collaborate with others to find industry solutions, as in the Facebook Journalism Project; disrupt the economic flow - that is, target clickbait designed to take people *off* Facebook to sites full of ads (irony alert); take down fake accounts (30,000 before the French election); try to build new products that improve information diversity and educate users. Miller wants digital literacy added to the national curriculum: "We have to change the skills we teach people. Journalists used to make those decisions on our behalf, but they don't any more." Onwurah, a chartered electrical engineer who has worked for Ofcom, focused on consequences: she felt the technology giants could do more to combat the problem, and expressed intelligent concern about algorithmic "black boxes" that determine what we see.

Boil this down. Onwurah is talking technology and oversight. Milner also wants technology: solutions should be content-neutral but identify and eliminate bad behavior at the scale of 2 billion users, who don't want to read terms and conditions or be repeatedly asked for ratings. Miller - "It undermines our democracy" - wants governments to take greater responsibility: "it's a race between politics and technology". Cook wants better journalism, but, "It's terrifying, as someone in technology, to think of government seeing inside the Facebook algorithm." Because other governments will want their privilege, too; Apple is censoring its app store in order to continue selling iPhones in China.

It was Farrell's comment, though, that sparked the realization that fake news cannot be solved by thinking of it as a problem in only one of the fields of journalism, international relations, economic inequality, market forces, or technology. It is all those things and more, and we will not make any progress until we take an approach that combines all those disciplines.

Fake news is the democratization of institutional practices that have become structural over many decades. Much of today's fake news uses tactics originally developed by publishers to sell papers. Even journalists often fail to ask the right questions, sometimes because of editorial agendas, sometimes because the threat of lost access to top people inhibits what they ask.

Everyone needs the traditional journalist's mindset of asking, "What's the source?" and "What's their agenda?" before deciding on a story's truth. But there's no future in blaming the people who share these stories (with or without believing them) or calling them stupid. Today we're talking about absurdist junk designed to make people share it; tomorrow's equivalent may be crafted for greater credibility and hence be far more dangerous. Miller's concern for the future of democracy is right. It's not just that these stories are used to poison the information supply and sow division just before an election; the incessant stream of everyday crap causes people to disengage because they trust nothing.

In 1987 I founded The Skeptic to counter what the late, great Simon Hoggart called paranormal beliefs' "background noise, interfering with the truth". Of course it matters that a lie on the internet can nearly cause a shoot-out at a pizza restaurant. But we can't solve it with technology, fact-checking, or government fiat. Today's generation is growing up in a world where everybody cheats and then lies about it: sports stars.

What we're really talking about here is where to draw the line between acceptable fakery ("spin") and unacceptable fakery. Astrology columns get a pass. Apparently so do professional PR people, as in the 1995 book Toxic Sludge Is Good for You: Lies, Damn Lies, and the Public Relations Industry, by John Stauber and Sheldon Rampton (made into a TV documentary in 2002). In mainstream discussions we don't hear that Big Tobacco's decades-long denial about its own research or Exxon Mobil's approach to climate change undermine democracy. If these are acceptable, it seems harder to condemn the Macedonian teen seeking ad revenue.

This is the same imbalance as prosecuting lone, young, often neuro-atypical computer hackers while the really pressing issues are attacks by criminals and organized gangs.

That analogy is the point: fake news and cybersecurity are sibling problems. Both are tennis, not figure skating; that is, at all times there is an adversary actively trying to frustrate you. "Fixing the users" through training is only one piece of either puzzle.

Treating cybersecurity as a purely technical problem failed. Today it crosses many fields: computer science, philosophy, psychology, law, international relations, economics. So does the VOX-Pol project to study online extremism. This is what we need for fake news.


Illustrations: "The fin de siecle newspaper proprietor", by Frederick Burr Opper, 1894 (from the Library of Congress via Wikipedia); Chi Onwurah; Maria Farrell.



May 24, 2013

Forcing functions

At last Saturday's OpenTech, perennial grain-of-sand-in-the-Internet-oyster Bill Thompson, in a session on open data, asked an interesting question. In a nod to NTK's old slogan, "They stole our revolution - now we're stealing it back", he asked: how can we ensure that open data supports values of democracy, openness, transparency, and social justice? The Internet pioneers did their best to embed these things into their designs, and the open architecture, software, and licensing they pioneered can be taken without paying by any oppressive government or large company that cares to. Is this what we want for open data, too?

Thompson writes (and, if I remember correctly, actually said, more or less):

...destruction seems like a real danger, not least because the principles on which the Internet is founded leave us open to exploitation and appropriation by those who see openness as an opportunity to take without paying - the venture capitalists, startups and big tech companies who have built their empires in the commons and argue that their right to build fences and walls is just another aspect of 'openness'.

Constraining the ability to take what's been freely developed and exploit it has certainly been attempted, most famously by Richard Stallman's efforts to use copyright law to create software licenses that would bar companies from taking free software and locking it up into proprietary software. It's part of what Creative Commons is about, too: giving people the ability to easily specify how their work may be used. Barring commercial exploitation without payment is a popular option: most people want a cut when they see others making a profit from their work.

The problem, unfortunately, is that it isn't really possible to create an open system that can *only* be used by the "good guys" in "good" ways. The "free speech, not free beer" analogy Stallman used to explain "free software" applies. You can make licensing terms that bar Microsoft from taking GNU/Linux, adding a new user interface, and claiming copyright in the whole thing. But you can't make licensing terms that bar people using Linux from using it to build wiretapping boxes for governments to install in ISPs to collect everyone's email. If you did, either the terms wouldn't hold up in a court of law or it would no longer be free software but instead proprietary software controlled by a well-meaning elite.

One of the fascinating things about the early days of the Internet is the way everyone viewed it as an unbroken field of snow they could mold into the image they wanted. What makes the Internet special is that any of those models really can apply: it's as reasonable to be the entertainment industry and see it as a platform that just needs some locks and laws to improve its effectiveness as a distribution channel as to be Bill Thompson and view it as a platform for social justice that's in danger of being subverted.

One could view the legal history of The Pirate Bay as a worked example, at least as it's shown in the documentary TPB-AFK: The Pirate Bay - Away From Keyboard, released in February and freely downloadable under a Creative Commons license from a torrent site near you (like The Pirate Bay). The documentary has had the best possible publicity this week when the movie studios issued DMCA takedown notices to a batch of sites.

I'm not sure what leg their DMCA claims could stand on, so the most likely explanation is the one TorrentFreak came up with: that the notices are collateral damage. The only remotely likely thing in the documentary to have set them off - other than simple false positives - is the four movie studio logos that appear in it.

There are many lessons to take away from the movie, most notably how much more nuanced the TPB founders' views are than they came across at the time. My favorite moment is probably when Fredrik Tiamo discusses the opposing counsels' inability to understand how TPB actually worked: "We tried to get organized, but we failed every single time." Instead, no boss, no contracts, no company. "We're just a couple of guys in a chat room." My other favorite is probably the moment when Monique Wadsted, Hollywood's lawyer on the case, explains that the notion that young people are disaffected with copyright law is a myth.

"We prefer AFK to IRL," says one of the founders, "because we think the Internet is real."

Given its impact on their business, I'm sure the entertainment industry thinks the Internet is real, too. They're just one of many groups who would like to close down the Internet so it can't be exploited by the "bad guys": security people, governments, child protection campaigners, and so on. Open data will be no different. So, sadly, my answer to Bill Thompson is no, there probably isn't a way to do what he has in mind. Closed in the name of social justice is still closed. Open systems can be exploited by both good and bad guys (for your value of "good" and "bad"); the group exploiting a closed system is always *someone's* bad guy.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted irregularly during the week at the net.wars Pinboard - or follow on Twitter.


November 9, 2012

The billion-dollar spree

"This will be the grossest money election we've seen since Nixon," Lawrence Lessig predicted earlier this year. And the numbers are indeed staggering.

Never mind the 1%. In October, Lessig estimated that 42 percent of the money spent so far in the 2012 election cycle had come from just 47 Americans - the .000015 percent. At this rate, politicians - congressional as well as presidential - are perpetual candidates; fundraising leaves no time to do anything else. By comparison, the total UK expenditure by all candidates in the last general election (PDF) was £31 million - call it $50 million. A mere snip.

Some examples. CNN totals up $506,417,910 spent on advertising in just the eight "battleground" states - since April 10, 2012. Funds raised - again since April 10, 2012 - $1,021,265,691, much of it from states not in the battleground category - like New York, Texas, and California. In October, the National Record predicted that Obama's would be the first billion-dollar campaign.

The immediate source of these particular discontents is the 2010 Supreme Court decision in Citizens United v. Federal Election Commission that held that restricting political expenditure on "electioneering communications" by organizations contravened the First Amendment's provisions on freedom of expression. This is a perfectly valid argument if you accept the idea that organizations - corporations, trade unions, and so on - are people who should not be checked from spending their money to buy themselves airtime in which to speak freely.

An earlier rule retained in Citizens United was that donors to so-called SuperPACs (that is, political action committees that can spend unlimited amounts on political advertising as long as their efforts are independent of those of the campaigns) must be identified. That's not much of a consolation: just like money laundering in other contexts, if you want to buy yourself a piece of a president and don't want to be identified, you donate to a non-profit advocacy group and they'll spend or donate it for you and you can remain anonymous, at least to the wider public outside the SuperPAC.

And they worry about anonymous trolling on the Internet.

CNN cites Public Citizen as the source of the news that 60 percent of PACs spend their funds on promoting a single candidate, and that often these are set up and run by families, close associates, or friends of the politicians they support. US News has a handy list of the top 12 donors willing to be identified. Their interests vary; it's not like they're all ganging up on the rest of us with a clear congruence of policy desires; similarly, SuperPACs cover causes I like as well as causes I don't. And even if they didn't, it's not the kind of straightforward corruption where there is an obvious chain where you can say, money here, policy there.

If securing yourself access to put your views is your game, rather than donating huge sums of money to a single candidate or party, traditionally you want to donate to both sides, so that no matter who gets into office they'll listen to you. It's equally not a straightforward equation of more money here, victory there, although it's true: Obama outcompeted Romney on the money front, perhaps because so many Democrats were so afraid he wouldn't be able to keep up. But, as Lessig has commented, even if the direct corrupt link is not there, the situation breeds distrust, doubt, and alienation in voters' minds.

The Washington Post argues that the big explosion of money this time is at least partly due to the one cause most rich people can agree on: tax policy. Some big decisions - the fiscal cliff - lie ahead in the next few months, as tax cuts implemented during the Bush (II) administration automatically expire. When those cuts were passed, the Republicans must have expected the prospect would push the electorate to vote them back in. Oops.

Some more details. Rootstrikers, the activist group Lessig founded to return the balance of power in American politics to the people, has a series of graphics intended to illustrate the sources of money behind superPACs; the president; and their backers. The Sunlight Foundation has an assessment of donors' return on investment.

An even better one comes from the Federal Election Commission via Radio Boston, showing the distribution of contributions. The pattern is perfectly clear: the serious money is coming from the richer, more populated, more urbanized states. The way this can distort policy is also perfectly clear.

One of the big concerns in this election was that measures enacted in the name of combating voter fraud (almost non-existent) would block would-be voters from being able to cast ballots. Instead, it seems that Obama was more successful in getting out the vote.

The conundrum I'd like answered is this. Money is clearly a key factor in US elections - it can't get you elected, but the lack of it can certainly keep you out of office. It's clearly much less so elsewhere. So, if the mechanism by which distorted special-interest policies get adopted in the US is money, then what's the mechanism in other countries? I'd really like to know.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series.

October 26, 2012

Lie to me

I thought her head was going to explode.

The discussion that kicked off this week's Parliament and Internet conference revolved around cybersecurity and trust online, harmlessly at first. Then Helen Goodman (Labour - Bishop Auckland), the shadow minister for Culture, Media, and Sport, raised a question: what was Nominet doing to get rid of anonymity online? Simon McCalla, Nominet's CTO, had some answers: primarily, they're constantly trying to improve the accuracy and reliability of the Whois database, but it's only a very small criminal element that engages in false domain name registration. Like that.

A few minutes later, Andy Smith, PSTSA Security Manager, Cabinet Office, in answer to a question about why the government was joining the Open Identity Exchange (as part of the Identity Assurance Programme) advised those assembled to protect themselves online by lying. Don't give your real name, date of birth, and other information that can be used to perpetrate identity theft.

Like I say, bang! Goodman was horrified. I was sitting near enough to feel the splat.

It's the way of now that the comment was immediately tweeted, picked up by the BBC reporter in the room, published as a story, retweeted, Slashdotted, tweeted some more, and finally boomeranged back to be recontextualized from the podium. Given a reporter with a cellphone and multiple daily newspaper editions, George Osborne's contretemps in first class would still have reached the public eye the same day 15 years ago. This bit of flashback couldn't have happened even five years ago.

For the record, I think it's clear that Smith gave good security advice, and that the headline - the greater source of concern - ought to be that Goodman, an MP apparently frequently contacted by constituents complaining about anonymous cyberbullying, doesn't quite grasp that this is a nuanced issue with multiple trade-offs. (Or, possibly, how often the cyberbully is actually someone you know.) Dates of birth, mother's maiden names, the names of first pets...these are all things that real-life friends and old schoolmates may well know, and lying about the answers is a perfectly sensible precaution given that there is often no choice about giving the real answers for more sensitive purposes, like interacting with government, medical, and financial services. It is not illegal to fake or refuse to disclose these things, and while Facebook has a real names policy it's enforced with so little rigor that it has a roster of fake accounts the size of Egypt.

Although: the Earl of Erroll might be a bit busy today changing the fake birth date - April 1, 1900 - he cheerfully told us and Radio 4 he uses throughout; one can only hope that he doesn't use his real mother's maiden name, since that, as Tom Scott pointed out later, is in Erroll's Wikipedia entry. Since my real birth date is also in *my* Wikipedia entry and who knows what I've said where, I routinely give false answers to standardized security questions. What's the alternative? Giving potentially thousands of people the answers that will unlock your bank account? On social networking sites it's not enough for you to be taciturn; your birth date may be easily outed by well-meaning friends writing on your wall. None of this is - or should be - illegal.

It turns out that it's still pretty difficult to explain to some people how the Internet works or why. Nominet can work as hard as it likes on verifying its own Whois database, but it is powerless over the many UK citizens and businesses that choose to register under .com, .net, and other gTLDs and country codes. Making a law to enjoin British residents and companies from registering domains outside of .uk...well, how on earth would you enforce that? And then there's the whole problem of trying to check, say, registrations in Chinese characters. Computers can't read Chinese? Well, no, not really, no matter what Google Translate might lead you to believe.

Anonymity on the Net has been under fire for a long, long time. Twenty years ago, the main source of complaints was AOL, whose million-CD marketing program made it easy for anyone to get a throwaway email address for 24 hours or so until the system locked you out for providing an invalid credit card number. Then came Hotmail, and you didn't even need that. Then, as now, there are good and bad reasons for being anonymous. For every nasty troll who uses the cloak to hide there are many whistleblowers and people in private pain who need its protection.

Smith's advice only sounds outrageous if, like Goodman, you think there's a valid comparison between Nominet's registration activity and the function of the Driver and Vehicle Licensing Agency (and if you think the domain name system is the answer to ensuring a traceable online identity). And therein lies the theme of the day: the 200-odd Parliamentarians, consultants, analysts, government, and company representatives assembled repeatedly wanted incompatible things in conflicting ways. The morning speakers wanted better security, stronger online identities, and the resources to fight cybercrime; the afternoon folks were all into education and getting kids to hack and explore so they learn to build things and understand things and maybe have jobs someday, to their own benefit and that of the rest of the country. Paul Bernal has a good summary.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


June 15, 2012

A license to print money

"It's only a draft," Julian Huppert, the Liberal Democrat MP for Cambridge, said repeatedly yesterday. He was talking about the Draft Communications Data Bill (PDF), which was published on Wednesday. Yesterday, in a room in a Parliamentary turret, Huppert convened a meeting to discuss the draft; in attendance were a variety of Parliamentarians plus experts from civil society groups such as Privacy International, the Open Rights Group, Liberty, and Big Brother Watch. Do we want to be a nation of suspects?

The Home Office characterizes the provisions in the draft bill as vital powers to help catch criminals, save lives, and protect children. Everyone else - the Guardian, ZDNet UK, and dozens more - is calling them the "Snooper's charter".

Huppert's point is important. Like the Defamation Bill before it, publishing a draft means there will be a select committee with 12 members, discussion, comments, evidence taken, a report (by November 30, 2012), and then a rewritten bill. This draft will not be voted on in Parliament. We don't have to convince 650 MPs that the bill is wrong; it's a lot easier to talk to 12 people. This bill, as is, would never pass either House in any case, he suggested.

This is the optimistic view. The cynic might suggest that since it's been clear for something like ten years that the British security services (or perhaps their civil servants) have a recurring wet dream in which their mountain of data is the envy of other governments, they're just trying to see what they can get away with. The comprehensive provisions in the first draft set the bar, softening us up to give away far more than we would have in future versions. Psychologists call this anchoring, and while probably few outside the security services would regard the wholesale surveillance and monitoring of innocent people as normal, the crucial bit is where you set the initial bar for comparison for future drafts of the legislation. However invasive the next proposals are, it will be easy for us to lose the bearings we came in with and feel that we've successfully beaten back at least some of the intrusiveness.

But Huppert is keeping his eye on the ball: maybe we can not only get the worst stuff out of this bill but make things actually better than they are now; it will amend RIPA. The Independent argues that private companies hold much more data on us overall but that article misses that this bill intends to grant government access to all of it, at any time, without notice.

The big disappointment in all this, as William Heath said yesterday, is that it marks a return to the old, bad, government IT ways of the past. We were just getting away from giant, failed public IT projects like the late unlamented NHS platform for IT and the even more unlamented ID card towards agile, cheap public projects run by smart guys who know what they're doing. And now we're going to spend £1.8 billion of public money over ten years (draft bill, p92) building something no one much wants and that probably won't work? The draft bill claims - on what authority is unclear - that the expenditure will bring in £5 to £6 billion in revenues. From what? Are they planning to sell the data?

Or are they imagining the economic growth implied by the activity that will be necessary to build, install, maintain, and update the black boxes that will be needed by every ISP in order to comply with the law? The security consultant Alec Muffett has laid out the parameters for this SpookBox 5000: certified, tested, tamperproof, made by, say, three trusted British companies. Hundreds of them, legally required, with ongoing maintenance contracts. "A license to print money," he calls them. Nice work if you can get it, of course.

So we're talking - again - about spending huge sums of government money on a project that only a handful of people want and whose objectives could be better achieved by less intrusive means. Give police better training in computer forensics, for example, so they can retrieve the evidence they need from the devices they find when executing a search warrant.

Ultimately, the real enemy is the lack of detail in the draft bill. Using the excuse that the communications environment is changing rapidly and continuously, the notes argue that flexibility is absolutely necessary for Clause 1, the one that grants the government all the actual surveillance power, and so it's been drafted to include pretty much everything, like those contracts that claim copyright in perpetuity in all forms of media that exist now or may hereinafter be invented throughout the universe. This is dangerous because in recent years the use of statutory instruments to bypass Parliamentary debate has skyrocketed. No. Make the defenders of this bill prove every contention; make them show the evidence that makes every extra bit of intrusion necessary.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


April 28, 2012

Interview with Lawrence Lessig

This interview was originally intended for a different publication; I only discovered recently that it hadn't run. Lessig and I spoke in late January, while the fate of the Research Works Act was still unknown (it's since been killed).

"This will be the grossest money election we've seen since Nixon," says the law professor Lawrence Lessig, looking ahead to the US Presidential election in November. "As John McCain said, this kind of spending level is certain to inspire a kind of scandal. What's needed is scandals."

It's not that Lessig wants electoral disaster; it's that scandals are what he thinks it might take to wake Americans up to the co-option of the country's political system. The key is the vast, escalating sums of money politicians need to stay in the game. In his latest book, Republic, Lost, Lessig charts this: in 1982 aggregate campaign spending for all House and Senate candidates was $343 million; in 2008 it was $1.8 billion. Another big bump upward is expected this year: the McCain quote he references was in response to the 2010 Supreme Court decision in Citizens United legalising Super-PACs. These can raise unlimited campaign funds as long as they have no official contact with the candidates. But as Lessig details in Republic, Lost, money-hungry politicians don't need things spelled out.

Anyone campaigning against the seemingly endless stream of anti-open Internet, pro-copyright-tightening policies and legislation in the US, EU, and UK - think the recent protests against the US's Stop Internet Piracy (SOPA) and Protect Intellectual Property (PIPA) Acts and the controversy over the Digital Economy Act and the just-signed Anti-Counterfeiting Trade Agreement (ACTA) treaty - has experienced the blinkered conviction among many politicians that there is only one point of view on these issues. Years of trying to teach them otherwise helped convince Lessig that it was vital to get at the root cause, at least in the US: the constant, relentless need to raise escalating sums of money to fund their election campaigns.

"The anti-open access bill is such a great example of the money story," he says, referring to the Research Works Act (H.R. 3699), which would bar government agencies from mandating that the results of publicly funded research be made accessible to the public. The target is the National Institutes of Health, which adopted such a policy in 2008; the backers are journal publishers.

"It was introduced by a Democrat from New York and a Republican from California and the single most important thing explaining what they're doing is the money. Forty percent of the contributions that Elsevier and its senior executives have made have gone to this one Democrat." There is also, he adds, "a lot to be done to document the way money is blocking community broadband projects".

Lessig, a constitutional scholar, came to public attention in 1998, when he briefly served as a special master in Microsoft's antitrust case. In 2000, he wrote the frequently cited book Code and Other Laws of Cyberspace, following up by founding Creative Commons to provide a simple way to licence work on the Internet. In 2002, he argued Eldred v. Ashcroft against copyright term extension in front of the Supreme Court, a loss that still haunts him. Several books later - The Future of Ideas, Free Culture, and Remix - in 2008, at the Emerging Technology conference, he changed course into his present direction, "coding against corruption". The discovery that he was writing a book about corruption led Harvard to invite him to run the Edmond J. Safra Foundation Center for Ethics, where he fosters RootStrikers, a network of activists.

Of the Harvard centre, he says, "It's a bigger project than just being focused on Congress. It's a pretty general frame for thinking about corruption and trying to think in many different contexts." Given the amount of energy and research, "I hope we will be able to demonstrate something useful for people trying to remedy it." And yet, as he admits, although corruption - and similar copyright policies - can be found everywhere his book and research are resolutely limited to the US: "I don't know enough about different political environments."

Lessig sees his own role as a purveyor of ideas rather than an activist.

"A division of labour is sensible," he says. "Others are better at organising and creating a movement." For similar reasons, despite a brief flirtation with the notion in early 2008, he rules out running for office.

"It's very hard to be a reformer with idealistic ideas about how the system should change while trying to be part of the system," he says. "You have to raise money to be part of the system and engage in the behaviour you're trying to attack."

Getting others - distinguished non-politicians - to run on a platform of campaign finance reform is one of four strategies he proposes for reclaiming the republic for the people.

"I've had a bunch of people contact me about becoming super-candidates, but I don't have the infrastructure to support them. We're talking about how to build that infrastructure." Lessig is about to publish a short book mapping out strategy; later this year he will update incorporating contributions made on a related wiki.

The failure of Obama, a colleague at the University of Illinois at Chicago in the mid-1990s, to fulfil his campaign promises in this area is a significant disappointment.

"I thought he had a chance to correct it and the fact that he seemed not to pay attention to it at all made me despair," he says.

Discussion is also growing around the most radical of the four proposals, a constitutional convention under Article V to force through an amendment; to make it happen 34 state legislatures would have to apply.

"The hard problem is how you motivate a political movement that could actually be strong enough to respond to this corruption," he says. "I'm doing everything I can to try to do that. We'll see if I can succeed. That's the objective."


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series and one of other interviews.


March 16, 2012

The end of the beginning

The coming months could see significant boosts to freedom of expression in the UK. Last night, the Libel Reform Campaign launched its report on alternatives to libel litigation at an event filled with hope that the Defamation Bill will form part of the Queen's speech in May. A day or two earlier, Consumer Focus hosted an event at the House of Commons to discuss responses to the consultation on copyright following the Hargreaves Review, which are due March 21. Dare we hope that a year or two from now the twin chilling towers of libel law and copyright might be a little shorter?

It's actually a good sign, said the former judge Sir Stephen Sedley last night, that the draft defamation bill doesn't contain everything reform campaigners want: all bills change considerably in the process of Parliamentary scrutiny and passage. There are some other favorable signs: the defamation bill is not locked to any particular party. Instead, there's something of a consensus that libel law needs to be reformed for the 21st century - after all, the multiple publication rule that causes Internet users so much trouble was created by the 1849 court case Duke of Brunswick v Harmer, in which the Duke of Brunswick managed to get the 17-year limit overridden on the basis that his manservant, sent from Paris to London, was able to buy copies of the magazine he believed had defamed him. These new purchases, he argued successfully, constituted a new publication of the libel. Well, you know the Internet: nothing ever really completely dies, and so that law, applied today, means liability in perpetuity. Ain't new technology grand?

The same is, of course, true in spades of copyright law, even though it's been updated much more recently; the Copyright, Designs, and Patents Act only dates to 1988 (and was then a revision of laws as recent as 1956). At the Consumer Focus event, Saskia Walzel argued that it's appropriate to expect to reform copyright law every ten to 15 years, but that the law should be based on principles, not technologies. The clauses that allow consumers to record TV programs on video recorders, for example, did not have to be updated for PVRs.

The two have something else in common: both are being brought into disrepute by the Internet because both were formulated in a time when publishers were relatively few in number and relatively powerful and needed to be kept in check. Libel law was intended to curb their power to damage the reputations of individuals with little ability to fight back. Copyright law kept them from stealing artists' and creators' work - and each other's.

Sedley's comment last night about libel reform could, with a little adaptation, apply equally well to copyright: "The law has to apply to both the wealthy bully and the small individual needing redress from a large media organization." Sedley went on to argue that it is in the procedures that the playing field can be leveled; hence the recommendation for options to speed up dispute resolutions and lower costs.

Of course, publishers are not what they were. Even as recently as 1988 the landscape of rightsholders was much more diverse. Many more independent record labels jostled for market share with somewhat more larger ones; scores of independent book publishers and bookshops were thriving; and photographers, probably the creators being damaged the most in the present situation, still relied for their livelihood on the services of a large ecology of small agencies who understood them and cared about their work. Compare that to now, when cross-media ownership is the order of the day, and we may soon be down to just two giant music companies.

It is for this reason that I have long argued (as Walzel also said on Tuesday) that if you really want to help artists and other creators, they will be better served by improving contract law so they can't be bullied into unfair terms than by tightening and aggressively enforcing copyright law.

Libel law can't be so easily mitigated, but in both cases we can greatly improve matters by allowing exceptions that serve the public interest. In the case of libel law, that means scientific criticism: if someone claims abilities that are contrary to our best understanding of science, critique on that basis should be allowed to proceed. Similarly, there is clearly no economic loss to rightsholders from allowing exceptions for parody, disabled access, and archiving.

It was Lord McNally, the Minister of Justice, who called this moment in the work on libel law reform the end of the beginning, reminding those present that now is the time to use whatever influence campaigners have with Parliamentarians to get through the changes that are needed. He probably wouldn't think of it this way, but his comment reminded me of the 1970s and 1980s tennis champion Chris Evert, who commented that many (lesser) players focused on reaching the finals of tournaments and forgot, once there, that there was a step further to go to win the title.

So enjoy that celebratory drink - and then get back to work!



March 9, 2012

Private parts

In 1995, when the EU Data Protection Directive was passed, Facebook founder and CEO Mark Zuckerberg was 11 years old. Google was three years away from incorporation. Amazon.com was a year old and losing money fast enough to convince many onlookers that it would never be profitable; the first online banner ads were only months old. It was the year eBay and Yahoo! were founded and Netscape went public. This is how long ago it was: CompuServe was a major player in online services, AOL was just setting up its international services, and both of them were still funded by per-minute usage fees.

In other words: even when it was published there were no Internet companies whose business models depended on exploiting user data. During the years it was being drafted only posers and rich people owned mobile phones, selling fax machines was a good business, and women were still wearing leggings the *first* time. It's impressive that the basic principles formulated then have held up well. Practice, however, has been another matter.

The discussions that led to the publication in January of a package of reforms to the data protection rules began in 2008. Discussions among data protection commissioners, Peter Hustinx, the European Data Protection Supervisor, said at Thursday's Westminster eForum on data protection and electronic privacy, produced a consensus that changes were needed, including making controllers more accountable, increasing "privacy by design", and making data protection a top-level issue for corporate governance.

These aren't necessarily the issues that first spring to mind for privacy advocates, particularly in the UK, where many have complained that the Information Commissioner's Office has failed. (It was, for example, out of step with the rest of the world with respect to Google's Street View.) Privacy International has a long history of complaints about the ICO's operation. But even the EU hasn't performed as well as citizens might hope under the present regime: PI also exposed the transfer of SWIFT financial data to the US, while Edward Hasbrouck has consistently and publicly opposed the transfer of passenger name record data from the EU to the US.

Hustinx has published a comprehensive opinion of the reform package. The details of both the package itself and the opinion require study. But some of the main points are efforts to implement a single regime and the rights to erasure (aka the right to be forgotten), to require breach notification within 24 hours of discovery, and to strengthen the data protection authorities and make them more accountable.

Of course, everyone has a complaint. The UK's deputy information commissioner, David Smith, complained that the package is too prescriptive of details and focuses on paperwork rather than privacy risk. Lord McNally, Minister of State at the Ministry of Justice, complained that the proposed fines of up to 2 percent of global corporate income are disproportionate and that 24 hours is too little time. Hustinx outlined his main difficulties: that the package has gaps, most notably surrounding the transfer of telephone data to law enforcement; that fines should be discretionary and proportionate rather than compulsory; and that there remain difficulties in dealing with national and EU laws.

We used to talk about the way the Internet enabled the US to export the First Amendment. You could, similarly, see the data protection laws as the EU's effort to export privacy rules; a key element is the prohibition on transferring data to countries without similar regimes - which is why the SWIFT and PNR cases were so problematic. In 1999, for a piece that's now behind Scientific American's paywall, PI's Simon Davies predicted that US companies might find themselves unable to trade in Europe because of data flows. Big questions, therefore, revolve around the business corporate rules, which allow companies to transfer data to third countries without equivalent data protection as long as the data stays within their corporate boundaries.

The arguments over data protection law have a lot in common with the arguments over copyright. In both cases, the goal is to find a balance of power between competing interests that keeps individuals from being squashed. Also like copyright, data protection policy is such a dry and esoteric subject that it's hard to get non-specialists engaged with it. Hard, but not impossible: copyright has never had a George Orwell to make the dangers up close and personal. Copyright law began, Lawrence Lessig argued in (I think it was) Free Culture, as a way to curb the power of publishers (although by now it has ended up greatly empowering them). Similarly, while most of us may think of data protection law as protecting against the abuse of personal data, a voice argued from the floor yesterday that the law was originally drafted to enable free data transfers within the single market.

There is another similarity. Rightsholders and government policymakers often talk as though the population-at-large are consumers, not creators in their own right. Similarly, yesterday, Mydex's David Alexander had this objection to make: "We seem to keep forgetting that humans are not just subjects, but participants in the management of their own personal data...Why can't we be participants?"




February 24, 2012

Copyright U

"You cannot have democracy without a public domain," says Tracy Mitrano. She clarifies: "Where the issues that matter are part of what people think about every day and we express them to our representatives in a representative democracy."

As commentators, campaigners, and observers keep pointing out, copyright policy hasn't been like that. A key part of the street protests over the Anti-Counterfeiting Trade Agreement (ACTA) was the secrecy of the negotiations over its contents. Similarly, even if there had been widespread content with the provisions of the Digital Economy Act, the way it was passed would be disturbing: on the nod, revised at the last minute with no debate, in the wash-up before the election with many MPs already on the road to their constituencies. If these are such good policies, why do they need to be agreed and passed in such anti-democratic ways?

My conversation with Mitrano is partly an accident of geography: when you're in Ithaca, NY, and interested in the Internet and copyright she's the person you visit. Mitrano is the director of IT policy at Cornell University, one of the first academic institutions where the Internet took hold. As such, she has been on the front lines of the copyright battles of the last 15 years, trying to balance academic values and student privacy against the demands of copyright enforcement, much like a testbed for the wider population. She also convenes an annual computer policy and law conference on Internet culture in the academy.

"Higher education was the canary in the coal mine for the enforcement of copyright and intellectual property on the Internet," she says.

We don't generally think of universities as ISPs, but, particularly in the US where so many students live in dorms, that is one of their functions: to provide high-speed, campus-wide access for tens of thousands of users of all types, from students to staff to researchers, plus serving hundreds of thousands of alumni wanting those prestigious-sounding email addresses. In 2004, Cornell was one of the leaders of discussions with the music industry regarding student subscription fees.

"To have picked on us was to pick on an easy target in the sense that we're fish in a barrel given our dependence on federal funding," she says, "and we're an easily caricatured representation of the problem because of the demographic of students, who care about culture, don't have a lot of money, are interested in new technology, and it all seemed to be flowing to them so easily. And the last reason: we were a patsy, because given that we care about education and we're not competing with the content industry for profits or market share, we wanted to help."

The result: "The content industry paid for and got, through lobbying, legislation that places greater demands on higher education ISPs than on commercial ISPs." The relevant legislation is the Higher Education Act 2008. "They wanted filtering devices on all our networks," Mitrano says, "completely antithetical to all our values." Still, the industry got a clause whose language is very like what's being pushed for now in the UK, the EU, and, in fact, everywhere else.

"After they got what they wanted there, they started in Europe on "three strikes"," she says. "Not they've come back with SOPA, ACTA, and PIPA."

Higher education in the US is still paying the price for that early focus.

"Even under the least strict test of the equal protection clause, the rational basis test, there is no rational basis for why higher education as an ISP has to do anything more or less than a commercial ISP in terms of being a virtual agent of enforcement of the content industry. Their numbers prove to be wrong in every field - how much they're losing, how many alleged offenders, what percentage of offenders the students are alleged to be in the whole world in copyright infringement."

Every mid-career lawyer with an interest in Internet policy tells the story of how tiny and arcane a field intellectual property was 20 years ago. Mitrano's version is that of the 15 students in her intellectual property class, most were engineers wishing to learn about patents; two were English students who wanted to know why J.D. Salinger's biography had been pulled before publication. By the time she finished law school in 1995, the Internet had been opened up to commercial traffic, though few still saw the significance.

"Copyright, at that moment, went from backwater area to front and center in US politics, but you couldn't prove that," she says. "The day it became apparent to most people in American society was the day last month when Wikipedia went black."

Unusually for someone in the US, Mitrano thinks loosening the US's grip on Internet governance is a good idea.

"I'm not really willing to give up US control entirely," she admits, "it's in the US's interests to be thinking about Internet governance much more internationally and much more collaboratively than we do today. And there's nothing more representative than issues around copyright and its enforcement globally."




January 13, 2012

Pot pourri

You have to think that 2012 so far has been orchestrated by someone with a truly strange sense of humor. To wit:

- EMI Records is suing the Irish government for failing to pass laws to block "pirate sites". The way PC Pro tells it, Ireland ought to have implemented site blocking laws to harmonize with European law and one of its own judges has agreed it failed to do so. I'm not surprised, personally: Ireland has a lot of other things on its mind, like the collapse of the Catholic church that dominated Irish politics, education, and health for so long, and the economic situation post-tech boom.

- The US Congress and Senate are, respectively, about to vote on SOPA (Stop Online Piracy Act) and PIPA (Protect Intellectual Property Act), laws to give the US site blocking, search engine de-listing, and other goodies. (Who names these things? SOPA and PIPA sound like they escaped from Anna Russell's La Cantatrice Squelante.) Senator Ron Wyden (D-OR) and Representative Darrell Issa (R-CA) have proposed an alternative, the OPEN Act (PDF), which aims to treat copyright violations as a trade issue rather than a criminal one.

- Issa and Representative Carolyn Maloney (D-NY) have introduced the Research Works Act to give science journal publishers exclusive rights over the taxpayer-funded research they publish. The primary beneficiary would be Elsevier (which also publishes Infosecurity, which I write for), whose campaign contributions have been funding Maloney.

- Google is mixing Google+ with its search engine results because, see, when you're looking up impetigo, as previously noted, what you really want is to know which of your friends has it.

- Privacy International has accused Facebook of destroying someone's life through its automated targeted advertising, an accusation the company disputes.

- And finally, a British judge has ruled that a Sheffield student Richard O'Dwyer can be extradited to the US to face charges of copyright infringement; he owned the now-removed TVShack.net site, which hosted links to unauthorized copies of US movies and TV shows.

So many net.wars, so little time...

The eek!-Facebook-knows-I'm-gay story seems overblown. I'm sure the situation is utterly horrible for the young man in question, whom PI's now-removed blog posting said was instantly banished from his parents' home, but I still would like to observe that the ads were placed on his page by a robot (one without the Asimov Three Laws programmed into it). On this occasion the robot apparently guessed right but that's not always true. Remember 2002, when several TiVos thought their owners were gay? These are emotive issues and, as Forbes concludes in the article linked above, the more targeting gets good and online behavioral advertising spreads the more you have to think about what someone looking over your shoulder will see. Perhaps that's a new-economy job for 2012: the digital image consultant who knows how to game the system so the ads appearing on your personalized pages will send the "right" messages about you. Except...

It was predicted - I forget by whom - that search generally would need to incorporate social networking to make its search results more "relevant" and "personal". I can see the appeal if I'm looking for a movie to see, a book to read, or a place to travel to: why wouldn't I want to see first the recommendations of my friends, whom I trust and who likely have tastes similar to mine? But if I'm looking to understand what campaigners are saying about American hate radio (PDF), I'm more interested in the National Hispanic Media Coalition's new report than in collectively condemning Rush Limbaugh. Google Plus Search makes sense in terms of competing with Facebook and Twitter, but mix it up with the story above, and you have a bigger mess in sight. By their search results shall ye know their innermost secrets.

Besides proving Larry Lessig's point about the way campaign funding destroys our trust in our elected representatives, the Research Works Act is a terrible violation of principle. It's taken years of campaigning - by the Guardian as well as individuals pushing open standards - to get the UK government to open up its data coffers. And just at the moment when they finally do it, the US, which until now has been the model of taxpayers-paid-for-it-they-own-the-data, is thinking about going all protectionist and proprietary?

The copyright wars were always kind of ridiculous (and, says Cory Doctorow, only an opening skirmish), but there's something that's just wrong - lopsided, disproportionate, arrogant, take your pick - about a company suing a national government over it. Similarly, there's something that seems disproportionate about extraditing a British student for running a Web site on the basis that it was registered in .net, which is controlled by a US-based registry (and has now been removed from same). Granted, I'm no expert on extradition law, and must wait for either Lilian Edwards or David Allen Green to explain the details of the 2003 law. That law was and remains controversial, that much I know.

And this is only the second week. Happy new year, indeed.



December 30, 2011

Ignorance is no excuse

My father was not a patient man. He could summon up some compassion for those unfortunates who were stupider than himself. What he couldn't stand was ignorance, particularly willful ignorance. The kind of thing where someone boasts about how little they know.

That said, he also couldn't abide computers. "What can you do with a computer that you can't do with a paper and pencil?" he demanded to know when I told him I was buying a friend's TRS-80 Model III in 1981. He was not impressed when I suggested that it would enable me to make changes on page 3 of a 78-page manuscript without retyping the whole thing.

My father had a valid excuse for that particular bit of ignorance or lack of imagination. It was 1981, when most people had no clue about the future of the embryonic technology they were beginning to read about. And he was 75. But I bet if he'd made it past 1984 he'd have put some effort into understanding this technology that would soon begin changing the printing industry he worked in all his life.

While computers were new on the block, and their devotees were a relatively small cult of people who could be relatively easily spotted as "other", you could see the boast "I know nothing about computers" as a replay of high school. In American movies and TV shows that would be jocks and the in-crowd on one side, a small band of miserable, bullied nerds on the other. In the UK, where for reasons I've never understood it's considered more admirable to achieve excellence without ever being seen to work hard for it, the sociology plays out a little differently. I guess here the deterrent is less being "uncool" and more being seen as having done some work to understand these machines.

Here's the problem: the people who by and large populate the ranks of politicians and the civil service are the *other* people. Recent events such as the UK's Government Digital Service launch suggest that this is changing. Perhaps computers have gained respectability at the top level from the presence of MPs who can boast that they misspent their youth playing video games rather than, like the last generation's Ian Taylor, getting their knowledge the hard way, by sweating for it in the industry.

There are several consequences of all this. The most obvious and longstanding one is that too many politicians don't "get" the Net, which is how we get legislation like the DEA, SOPA, PIPA, and so on. The less obvious and bigger one is that we - the technology-minded, the early adopters, the educated users - write them off as too stupid to talk to. We call them "congresscritters" and deride their ignorance and venality in listening to lobbyists and special interest groups.

The problem, as Emily Badger writes for Miller-McCune as part of a review of Clay Johnson's latest book, is that if we don't talk to them how can we expect them to learn anything?

This sentiment is echoed in a lecture given recently at Rutgers by the distinguished computer scientist David Farber on the technical and political evolution of the Internet (MP3) (the slides are here (PDF)). Farber's done his time in Washington, DC, as chief technical advisor to the Federal Communications Commission and as a member of the Presidential Advisory Board on Information Technology. In that talk, Farber makes a number of interesting points about what comes next technically - it's unlikely, he says, that today's Internet Protocols will be able to cope with the terabyte networks on the horizon, and reengineering is going to be a very, very hard problem because of the way humans resist change - but the more relevant stuff for this column has to do with what he learned from his time in DC.

Very few people inside the Beltway understand technology, he says there, citing the Congressman who asked him seriously, "What is the Internet?" (Well, see, it's this series of tubes...) And so we get bad - that is, poorly grounded - decisions on technology issues.

Early in the Net's history, the libertarian fantasy was that we could get on just fine without their input, thank you very much. But as Farber says, politicians are not going to stop trying to govern the Internet. And, as he doesn't quite say, it's not like we can show them that we can run a perfect world without them. Look at the problems techies have invented: spam, the flaky software infrastructure on which critical services are based, and so on. "It's hard to be at the edge in DC," Farber concludes.

So, going back to Badger's review of Johnson: the point is it's up to us. Set aside your contempt and distrust. Whether we like politicians or not, they will always be with us. For 2012, adopt your MP, your Congressman, your Senator, your local councilor. Make it your job to help them understand the bills they're voting on. Show them that even if they don't understand the technology there's votes in those who do. It's time to stop thinking of their ignorance as solely *their* fault.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.


September 16, 2011

The world at ten

Like Meetup.org, net.wars-the-column is to some extent a child of 9/11 (the column was preceded by the book, four years of near-weekly news analysis pieces for the Daily Telegraph, and a sequel book, From Anarchy to Power: the Net Comes of Age). On November 2, 2011 the column will be ten years old, its creation sparked by a burst of frustrated anger when then foreign minister Jack Straw wagged a post-9/11 finger at those who had opposed his plans to restrict the use of strong encryption and implement key escrow in the mid 1990s when he was at the Home Office and blamed us.

Ten years on, we can revisit his claim. We now know, for example, that when Osama bin Laden wanted to hide, he didn't use cryptography to cloak his whereabouts. Instead, the reason his safe house stood out from those around it was that it was a technological black spot: "no phones, no broadband". In other words, bin Laden feared the power of technology as much as Straw and his cohorts: both feared it would empower their enemies. That paranoia was justified - but backfired spectacularly.

In our own case, it's clear that "the terrorists" have scored a substantial amount of victory. We - the US, the UK, Europe - would have had some kind of recession anyway, given the rapacious and unregulated behavior of banks and brokers leading up to 2008 - but we would have been much better placed to cope with it if we - the US - hadn't been simultaneously throwing $1.29 trillion at invading Iraq and Afghanistan. If you include medical and disability care for current and future veterans, according to the Eisenhower Research Project at Brown University that number rises to as much as $4 trillion.

But more than that, as Ryan Singel writes US-specifically at Wired, the West has built up a gigantic and expensive inward-turned surveillance infrastructure that is unlikely to be dismantled when or if the threat it was built to control goes away. In the last ten years, countless hundreds of millions of dollars and countless millions of hours of lost productivity have been spent on airport security when, as Bruce Schneier frequently writes, the only two changes that have made a significant difference to air travel safety have been reinforcing the cockpit doors and teaching passengers to fight back. The Department of Homeland Security's budget for its 2011 financial year is $56.3 billion (PDF) - which includes $214.7 million for airport scanners and another $218.9 million for people to staff them (so much for automation).

The UK in particular has spent much of the last ten years building the database state, creating dozens of large databases aimed at tracking various portions of society through various parts of their lives. Some of this has been dismantled by the coalition, but not all. The most visible part of the ID card is gone - but the key element was always the database of the nation's residents, and as data-sharing between government departments becomes ever easier, the equivalent may be built in practice rather than by explicit plan. In every Western country CCTV cameras are proliferating, as are surveillance-by-design policies such as data retention, built-in wiretapping, and widespread filtering. Every time a new system is built - the London congestion charge, for example, or the mooted smart road pricing systems - there are choices that would allow privacy to be built in. And so far, each time those choices are not taken.

But if the policies aimed at ourselves are misguided, as net.wars has frequently argued, the same is true of the policies we have directed at others. As part of the British Science Festival, Paul Rogers, a researcher with the Oxford Group, presented A War Gone Badly Wrong - The War on Terror Ten Years On, looking back at the aftermath of the attacks rather than the attacks themselves; the Brown research shows that in the various post-9/11 military actions 80 people have died for every 9/11 victim. Like millions of others who were ignored, the Oxford Research Group opposed the war at the time.

"The whole approach was a mistake," he told the press last Friday, arguing that the US should instead have called it an act of international criminality and sworn to work with everyone to bring the criminals to justice. "The US would have had worldwide support for that kind of action that it did not have for Afghanistan - or, especially, Iraq." He added, "If they had treated al-Qaeda as a common, bitter, vicious criminal movement, not a brave, religious movement worthy of fighting, that degrades it."

What he hopes his research will lead to now is "a really serious understanding of what went wrong, and the risks of early recourse to early military responses." And, he added, "sustainable security" that focuses on conflict prevention. "Why it's important to look at the experience of the war on terror is to discern and learn those lessons."

They say that a conservative is a liberal who's been mugged. By analogy, it seems that a surveillance state is a democracy that's been attacked.


September 9, 2011

The final countdown

The we-thought-it-was-dead specter of copyright term extension in sound recordings has done a Diabolique maneuver and been voted alive by the European Council. In a few days, the Council of Ministers could make it EU law because, as can happen under the inscrutable government structures of the EU, opposition has melted away.

At stake is the extension of copyright in sound recordings from 50 years to 70, something the Open Rights Group has been fighting since it was born. The push to extend it above 50 years has been with us for at least five years; originally the proposal was to take it to 95 years. An extension from 50 to 70 years is modest by comparison, but given the way these things have been going over the last 50 years, that would buy the recording industry 20 years in which to lobby for the 95 years they originally wanted, and then 25 years to lobby for the line to be moved further. Why now? A great tranche of commercially popular recordings is up for entry into the public domain: Elvis Presley's earliest recordings date to 1956, and The Beatles' first album came out in 1963; their first singles are 50 years old this year. It's not long after that to all the great rock records of the 1970s.

My fellow Open Rights Group advisory council member Paul Sanders has up a concise little analysis about what's wrong here. Basically, it's never jam today for the artists, but jam yesterday, today, and tomorrow for the recording companies. I have commented frequently on the fact that the more record companies are able to make nearly pure profit on their back catalogues whose sunk costs have long ago been paid, the more new, young artists are required to compete for their attention with an ever-expanding back catalogue. I like Sanders' language on this: "redistributive, from younger artists to older and dead ones".

In recent years, we've heard a lot of the mantra "evidence-based policy" from the UK government. So, in the interests of ensuring this evidence-based policy the UK government is so keen on, here is some. The good news is they commissioned it themselves, so it ought to carry a lot of weight with them. Right? Right.

There have been two major British government reports studying the future of copyright and intellectual property law generally in the last five years: the Gowers Review, published in 2006, and the Hargreaves report, commissioned in November 2010 and released in May 2011.

From Hargreaves:

Economic evidence is clear that the likely deadweight loss to the economy exceeds any additional incentivising effect which might result from the extension of copyright term beyond its present levels. This is doubly clear for retrospective extension to copyright term, given the impossibility of incentivising the creation of already existing works, or work from artists already dead.

Despite this, there are frequent proposals to increase term, such as the current proposal to extend protection for sound recordings in Europe from 50 to 70 or even 95 years. The UK Government assessment found it to be economically detrimental. An international study found term extension to have no impact on output.

And further:

Such an extension was opposed by the Gowers Review and by published studies commissioned by the European Commission.

Ah, yes, Gowers and its 54 recommendations, many or most of which have been largely ignored. (Government policy seems to have embraced "strengthening of IP rights, whether through clamping down on piracy" to the exclusion of things like "improving the balance and flexibility of IP rights to allow individuals, businesses, and institutions to use content in ways consistent with the digital age".)

To Gowers:

Recommendation 3: The European Commission should retain the length of protection on sound recordings and performers' rights at 50 years.

And:

Recommendation 4: Policy makers should adopt the principle that the term and scope of protection for IP rights should not be altered retrospectively.

I'd use the word "retroactive", myself, but the point is the same. Copyright is a contract with society: you get the right to exploit your intellectual property for some number of years, and in return after that number of years your work belongs to the society whose culture helped produce it. Trying to change an agreed contract retroactively usually requires you to show that the contract was not concluded in good faith, or that someone is in breach. Neither of those situations applies here, and I don't think these large companies with their in-house lawyers, many of whom participated in drafting prior copyright law, can realistically argue that they didn't understand the provisions. Of course, this recommendation cuts both ways: if we can't put Elvis's earliest recordings back into copyright, thereby robbing the public domain, we also can't shorten the copyright protection that applies to recordings created with the promise of 50 years' worth of protection.

This whole mess is a fine example of policy laundering: shopping the thing around until you either wear out the opposition or find sufficient champions. The EU, with its Hampton Court maze of interrelated institutions, could have been deliberately designed to facilitate this. You can write to your MP, or even your MEP - but the sad fact is that the shiny, new EU government is doing all this in old-style backroom deals.


August 12, 2011

"Phony concerns about human rights"

Why can't you both condemn violent rioting and looting *and* care about civil liberties?

One comment of David Cameron's yesterday in the Commons hit a nerve: that "phony" (or "phoney", if you're British) human rights concerns would not get in the way of publishing CCTV images in the interests of bringing the looters and rioters to justice. Here's why it bothers me: even the most radical pro-privacy campaigner is not suggesting that using these images in this way is wrong. But in saying it, Cameron placed human rights on the side of lawlessness. One can oppose the privacy invasiveness of embedding crowdsourced facial recognition into Facebook and still support the use of the same techniques by law enforcement to identify criminals.

It may seem picky to focus on one phrase in a long speech in a crisis, but this kind of thinking is endemic - and, when it's coupled with bad things happening and a need for politicians to respond quickly and decisively, dangerous. Cameron shortly followed it with the suggestion that it might be appropriate to shut down access to social media sites when they are being used to plan "violence, disorder and criminality".

Consider the logic there: given the size of the population, there are probably people right now planning crimes over pints of beer in pubs, over the phone, and sitting in top-level corporate boardrooms. Fellow ORG advisory council member Kevin Marks blogs a neat comparison by Douglas Adams to cups of tea. But no, let's focus on social media.

Louise Mensch, MP and novelist, was impressive during the phone hacking hearings aside from her big gaffe about Piers Morgan. But she's made another mistake here in suggesting that taking Twitter and/or Facebook down for an hour during an emergency is about like shutting down a road or a railway station.

First of all, shutting down the tube in the affected areas has costs: innocent bystanders were left with no means to escape their violent surroundings. (This is the same thinking that wanted to shut down the tube on New Year's Eve 1999 to keep people out of central London.)

But more important, the comparison is wrong. Shutting down social networks is the modern equivalent of shutting down radio, TV, and telephones, not transport. The comparison suggests that Mensch is someone who uses social media for self-promotion rather than, like many of us, as a real-time news source and connector to friends and family. This is someone for whom social media are a late add-on to an already-structured life; in 1992 an Internet outage was regarded as a non-issue, too. The ability to use social media in an emergency surely takes pressure off the telephone network by helping people reassure friends and family, avoid trouble areas, find ways home, and so on. Are there rumors and misinformation? Sure. That's why journalists check stuff out before publishing it (we hope). But those are vastly overshadowed by the amount of useful and timely updates.

Is barring access even possible? As Ben Rooney writes in the Wall Street Journal Europe, it's hard enough to ground one teenager these days, let alone a countryful. But let's say they decide to try. What approaches can they take?

One: The 95 percent approach. Shut down access to the biggest social media sites and hope that the crimes aren't being planned on the ones you haven't touched. Like the network that the Guardian finds was really used - Blackberry messaging.

Two: The Minority Report approach. Develop natural language processing and artificial intelligence technology to the point where it can interact on the social networks, spot prospective troublemakers, and turn them in before they commit crimes.

Three: The passive approach. Revive all the net.wars of the past two decades. Reinstate the real-world policing. One of the most important drawbacks to relying on mass surveillance technologies is that they encourage a reactive, almost passive, style of law enforcement. Knowing that the police can catch the crooks later is no comfort when your shop is being smashed up. It's a curious, schizophrenic mindset politicians have: blame social ills on new technology while imagining that other new technology can solve them.

The riots have ended - at least for now, but we will have to live for a long time with the decisions we make about what comes next. Let's not be hasty. Think of the PATRIOT Act, which will be ten years old soon.


August 5, 2011

Cheaters in paradise

It seems that humans in general are not particularly good at analyzing incentives. How else can you explain the number of decisions we make with adverse, unintended consequences? Three examples.

One: this week US newspapers - such as the LA Times, the New York Times, and Education Week - report that myriad states have discovered a high number of erasures on standardized tests or suspiciously sudden improvement in test scores. (At one Pennsylvania school, for example, eighth graders' reading proficiency jumped from 28.9 percent to 63.8 percent between 2008 and 2009.)

The culprits: teachers and principals. When tests determined only the future of the students taking them, the only cheaters were students. Now that tests determine school rankings and therefore the economic future of teachers, principals, and schools, many more people are motivated to ensure that students score highly.

Don't imagine the kids don't grasp this. In 2002, when I wrote about plagiarism for the Independent, all the kids I interviewed noted that despite their teachers' warnings of dire consequences schools would not punish plagiarists and risk hurting their rankings in the league tables.

A kid in an American school this week might legitimately ask why he should be punished for cheating or plagiarism when his teachers are doing the same thing on a much grander scale for greater and far more immediate profit. A similar situation applies to our second example, this week's decision by the International Tennis Federation to suspend 31-year-old player Robert Kendrick for 12 months after testing positive for the banned stimulant methylhexaneamine.

At his age, a 12-month ban is an end-of-career notice. Everyone grants that he did not intend to cheat and that the amount of the drug was not performance-enhancing. Like a lot of people who travel through many time zones on the way to work, he took a jetlag pill whose ingredients he believed to be innocuous. He admits he screwed up; he and his lawyers have simply asked for a fairer sentence. Fairer because in January 2010, when fellow player Wayne Odesnik was caught by Australian Customs with eight vials of human growth hormone, he was suspended for two years - double the sentence but far more than double the offense. And Odesnik didn't even stay out that long; his sentence was commuted to time served after seven months.

At the time, the ITF said that he had bought his way out of purgatory by cooperating with its anti-doping program, presumably under the rule that allows such a reversal when the player has turned informant. No follow-up has disclosed who Odesnik might have implicated, and although it's possible that it all forms part of a lengthy, ongoing investigation, the fact remains: his offense was a lot worse than Kendrick's but has cost him a lot less.

It says a lot that the other players are scathing about Odesnik, sympathetic to Kendrick. This is a watershed moment, where the athletes are openly querying the system's fairness despite any suspicions that might be raised by their doing so.

The anti-doping system as it is presently constructed has never made sense to me: it is invasive, unwieldy, and a poor fit for some sports (like tennis, where players are constantly on the move). The lesson sent by these morality plays is: don't get caught. And there is enough money in professional sports to ensure that there are many actors invested in ensuring exactly that: coaches, agents, managers, corporate sponsors, and the tours themselves. Of course testing and punishing athletes is going to fail to contain the threat.

Kamakshi Tandon's ideas on this are very close to mine: do traditional policing. Instead of relying on test samples, which can be mishandled, misread, or unreliable, use other types of evidence when they're available. Why, for example, did the anti-doping authorities refuse Martina Hingis's request to do a hair strand test when a urine sample tested positive for cocaine at Wimbledon in 2007? Why are the A and B samples tested at the same lab instead of different labs? (What lab wants to say it misread the first sample?) My personal guess is that it's because the anti-doping authorities believe that anyone playing professional sports is probably guilty anyway, so why bother assembling the quality of evidence that would be required for a court case? That might even be true - but in that case anti-doping efforts to date have been a total failure.

Our third example: last week's decision by Fox to allow only verified paying cable customers to watch TV shows on Hulu in the first week after their initial broadcast. (Yet more evidence that Murdoch does not get the Internet.) We are in the 12th year of the wars on file-sharing, and still rights holders make decisions like this that increase the incentives to use unauthorized sources.

In the long scheme of things, as Becky Hogge used to say while she was the executive director of the Open Rights Group, the result of poorly considered incentives that make bad law is that they teach people not to respect the law. That will have many worse consequences down the line.



July 15, 2011

Dirty digging

The late, great Molly Ivins warns (in Molly Ivins Can't Say That, Can She?) about the risk to journalists of becoming "power groupies" who identify more with the people they cover than with their readers. In the culture being exposed by the escalating phone hacking scandals the opposite happened: politicians and police became "publicity groupies" who feared tabloid wrath to such an extent that they identified with the interests of press barons more than those of the constituents they are sworn to protect. I put the apparent inconsistency between politicians' former acquiescence and their current baying for blood down to Stockholm syndrome: this is what happens when you hold people hostage through fear and intimidation for a few decades. When they can break free, oh, do they want revenge.

The consequences are many and varied, and won't be entirely clear for a decade or two. But surely one casualty must have been the balanced view of copyright frequently argued for in this column. Murdoch's media interests are broad-ranging. What kind of copyright regime do you suppose he'd like?

But the desire for revenge is a really bad way to plan the future, as I said (briefly) on Monday at the Westminster Skeptics.

For one thing, it's clearly wrong to focus on News International as if Rupert Murdoch and his hired help were the only contaminating apple. In the 2006 report What price privacy now? the Information Commissioner listed 30 publications caught in the illegal trade in confidential information. News of the World was only fifth; number one, by a considerable way, was the Daily Mail (the Observer was number nine). The ICO wanted jail sentences for those convicted of trading in data illegally, and called on private investigators' professional bodies to revoke or refuse licenses to PIs who breach the rules. Five years later, these are still good proposals.

Changing the culture of the press is another matter.

When I first began visiting Britain in the late 1970s, I found the tabloid press absolutely staggering. I began asking the people I met how the papers could do it.

"That's because *we* have a free press," I was told in multiple locations around the country. "Unlike the US." This was only a few years after The Washington Post backed Bob Woodward and Carl Bernstein's investigation of Watergate, so it was doubly baffling.

Tom Stoppard's 1978 play Night and Day explained a lot. It dropped competing British journalists into an escalating conflict in a fictitious African country. Over the course of the play, Stoppard's characters both attack and defend the tabloid culture.

"Junk journalism is the evidence of a society that has got at least one thing right, that there should be nobody with power to dictate where responsible journalism begins," says the naïve and idealistic new journalist on the block.

"The populace and the popular press. What a grubby symbiosis it is," complains the play's only female character, whose second marriage - "sex, money, and a title, and the parrots didn't harm it, either" - had been tabloid fodder.

The standards of that time now seem almost quaint. In the movie Starsuckers, filmmaker Chris Atkins fed fabricated celebrity stories to a range of tabloids. All were published. That documentary also showed in action illegal methods of obtaining information - in 2009, right around the time the Press Complaints Commission was publishing a report concluding, "there is no evidence that the practice of phone message tapping is ongoing".

Someone on Monday asked why US newspapers are better behaved despite First Amendment protection and less constraint by onerous libel laws. My best guess is fear of lawsuits. Conversely, Time magazine argues that Britain's libel laws have encouraged illegal information gathering: publication requires indisputable evidence. I'm not completely convinced: the libel laws are not new, and economics and new media are forcing change on press culture.

A lot of dangers lurk in the calls for greater press regulation. Phone hacking is illegal. Breaking into other people's computers is illegal. Enforce those laws. Send those responsible to jail. That is likely to be a better deterrent than any regulator could manage.

It is extremely hard to devise press regulations that don't enable cover-ups. For example, on Wednesday's Newsnight, the MP Louise Mensch, head of the DCMS committee conducting the hearings, called for a requirement that politicians disclose all meetings with the press. I get it: expose too-cosy relationships. But whistleblowers depend on confidentiality, and the last thing we want is for politicians to become as difficult to access as tennis stars and have their contact with the press limited to formal press conferences.

Two other lessons can be derived from the last couple of weeks. The first is that you cannot assume that confidential data can be protected simply by access rules. The second is the importance of alternatives to commercial, corporate journalism. Tom Watson has criticized the BBC for not taking the phone hacking allegations seriously. But it's no accident that the trust-owned Guardian was the organization willing to take on the tabloids. There's a lesson there for the US, as the FBI and others prepare to investigate Murdoch and News Corp: keep funding PBS.


June 3, 2011

A forgotten man and a bowl of Japanese goldfish

"I'm the forgotten man," Godfrey (William Powell) explains in the 1936 film My Man Godfrey.

Godfrey was speaking during the Great Depression, when prosperity was just around the corner ("Yes, it's been there a long time," says one of Godfrey's fellow city dump dwellers) but the reality for many people was unemployment, poverty, and a general sense that they had ceased to exist except, perhaps, as curiosities to be collected by the rich in a scavenger hunt. Today the rich in question would record their visit to the city dump in an increasingly drunken stream of Tweets and Facebook postings, and people in Nepal would be viewing photographs and video clips even if Godfrey didn't use a library computer to create his own Facebook page.

The EU's push for a right to be forgotten is a logical outgrowth of today's data protection principles, which revolve around the idea that you have rights over your data even when someone else has paid to collect it. EU law grants the right to inspect and correct the data held about us and to prevent its use in unwanted marketing. The idea that we should also have the right to delete data we ourselves have posted seems simple and fair, especially given the widely reported difficulty of leaving social networks.

But reality is complicated. Godfrey was fictional; take a real case, from Pennsylvania. A radiology trainee, unsure what to do when she wanted a reality check on whether the radiologist she was shadowing was behaving inappropriately, sought advice from her sister, also a health care worker, before reporting the incident. The sister told a co-worker about the call, who told others, and someone in that widening ripple posted the story on Facebook, from where it was reported back to the student's program director. Result: the not-on-Facebook trainee was expelled on the grounds that she had discussed a confidential issue on a cell phone. Lawsuit.

So many things had to go wrong for that story to rebound and hit that trainee in the ass. No one - except presumably the radiologist under scrutiny - did anything actually wrong, though the incident illustrates the point that than people think. Preventing this kind of thing is hard. No contract can bar unrelated, third-hand gossipers from posting information that comes their way. There's nothing to invoke libel law. The worst you can say is that the sister was indiscreet and that the program administrator misunderstood and overreacted. But the key point for our purposes here is: which data belongs to whom?

Lilian Edwards has a nice analysis of the conflict between privacy and freedom of expression that is raised by the right to forget. The comments and photographs I post seem to me to belong to me, though they may be about a dozen other people. But on a social network your circle of friends are also stakeholders in what you post; you become part of their library. Howard Rheingold, writing in his 1992 book The Virtual Community, noted the ripped and gaping fabric of conversations on The Well when early member Blair Newman deleted all his messages. Photographs and today's far more pervasive, faster-paced technology make such holes deeper and multi-dimensional. How far do we need to go in granting deletion rights?

The short history of the Net suggests that complete withdrawal is roughly impossible. In the 1980s, Usenet was thought of as an ephemeral medium. People posted in the - they thought - safe assumption that anything they wrote would expire off the world's servers in a couple of weeks. And as long as everyone read live online that was probably true. But along came offline readers and people with large hard disks and Deja News, and Usenet messages written in 1981 with no thought of any future context are a few search terms away.

"It's a mistake to only have this conversation about absolutes," said Google's Alma Whitten at the Big Tent event two weeks ago, arguing that it's impossible to delete every scrap about anyone. Whitten favors a "reasonable effort" approach and a user dashboard to enable that so users can see and control the data that's being held. But we all know the problem with market forces: it is unlikely that any of the large corporations will come up with really effective tools unless forced. For one thing, there is a cultural clash here between the EU and the US, the home of many of these companies. But more important, it's just not in their interests to enable deletion: mining that data is how those companies make a living and in return we get free stuff.

Finding the right balance between freedom of expression (my right to post about my own life) and privacy, including the right to delete, will require a mix of answers as complex as the questions: technology (such as William Heath's Mydex), community standards, and, yes, law, applied carefully. We don't want to replace Britain's chilling libel laws with a DMCA-like deletion law.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

May 20, 2011

The world we thought we lived in

If one thing is more annoying than another, it's the fantasy technology on display in so many TV shows. "Enhance that for me!" barks an investigator. And, obediently, his subordinate geek/squint/nerd pushes a button or few, a line washes over the blurry image on screen, and now he can read the maker's mark on a pill in the hand of the target subject that was captured by a distant CCTV camera. The show 24 ended for me 15 minutes into season one, episode one, when Kiefer Sutherland's Jack Bauer, trying to find his missing daughter, thrust a piece of paper at an underling and shouted, "Get me all the Internet passwords associated with that telephone number!" Um...

But time has moved on, and screenwriters are more likely to have spent their formative years online and playing computer games, and so we have arrived at The Good Wife, which gloriously wrapped up its second season on Tuesday night (in the US; in the UK the season is still winding to a close on Channel 4). The show is a lot of things: a character study of an archetypal humiliated politician's wife (Alicia Florrick, played by Julianna Margulies) who rebuilds her life after her husband's betrayal and corruption scandal; a legal drama full of moral murk and quirky judges (Carob chip?); a political drama; and, not least, a romantic comedy. The show is full of interesting, layered men and great, great women - some of them mature, powerful, sexy, brilliant women. It is also the smartest show on television when it comes to life in the time of rapid technological change.

When it was good, in its first season, Gossip Girl cleverly combined high school mean girls with the citizen reportage of TMZ to produce a world in which everyone spied on everyone else by sending tips, photos, and rumors to a Web site, which picks the most damaging moment to publish them and blast them to everyone's mobile phones.

The Good Wife goes further to exploit the fact that most of us, especially those old enough to remember life before CCTV, go on about our lives forgetting that everywhere we leave a trail. Some are, of course, old staples of investigative dramas: phone records, voice messages, ballistics, and the results of a good, old-fashioned break-in-and-search. But some are myth-busting.

One case (S2e15, "Silver Bullet") hinges on the difference between the compressed, digitized video copy and the original analog video footage: dropped frames change everything. A much earlier case (S1e06, "Conjugal") hinges on eyewitness testimony; despite a slightly too-pat resolution (I suspect now, with more confidence, it might have been handled differently), the show does a textbook job of demonstrating the flaws in human memory and their application to police line-ups. In a third case (S1e17, "Heart"), a man faces the loss of his medical insurance because of a single photograph posted to Facebook showing him smoking a cigarette. And the disgraced husband's (Peter Florrick, played by Chris Noth) attempt to clear his own name comes down to a fancy bit of investigative work capped by camera footage from an ATM in the Cayman Islands that the litigator is barely technically able to display in court. As entertaining demonstrations and dramatizations of the stuff net.wars talks about every week and the way technology can be both good and bad - Alicia finds romance in a phone tap! - these could hardly be better. The stuffed lion speaker phone (S2e19, "Wrongful Termination") is just a very satisfying cherry topping of technically clever hilarity.

But there's yet another layer, surrounding the season two campaign mounted to get Florrick elected back into office as State's Attorney: the ways that technology undermines as well as assists today's candidates.

"Do you know what a tracker is?" Peter's campaign manager (Eli Gold, played by Alan Cumming) asks Alicia (S2e01, "Taking Control"). Answer: in this time of cellphones and YouTube, unpaid political operatives follow opposing candidates' family and friends to provoke and then publish anything that might hurt or embarrass the opponent. So now: Peter's daughter (Makenzie Vega) is captured praising his opponent and ham-fistedly trying to defend her father's transgressions ("One prostitute!"). His professor brother-in-law's (Dallas Roberts) in-class joke that the candidate hates gays is live-streamed over the Internet. Peter's son (Graham Phillips) and a manipulative girlfriend (Dreama Walker), unknown to Eli, create embarrassing, fake Facebook pages in the name of the opponent's son. Peter's biggest fan decides to (he thinks) help by posting lame YouTube videos apparently designed to alienate the very voters Eli's polls tell him to attract. (He's going to post one a week; isn't Eli lucky?) Polling is old hat, as are rumors leaked to newspaper reporters; but today's news cycle is 20 minutes and can we have a quote from the candidate? No wonder Eli spends so much time choking and throwing stuff.

All of this fits together because the underlying theme of all parts of the show is control: control of the campaign, the message, the case, the technology, the image, your life. At the beginning of season one, Alicia has lost all control over the life she had; by the end of season two, she's in charge of her new one. Was a camera watching in that elevator? I guess we'll find out next year.


May 6, 2011

Double exposure

So finally we know. Ever since Wikileaks began releasing diplomatic cables, copyright activists have been waiting to see if the trove would expose undue influence on national laws. And this week there it was: a 2005 cable from the US Embassy in New Zealand requesting $386,158 to fund start-up costs and the first year of an industry-backed intellectual property enforcement unit and a 2009 cable offering "help" when New Zealand was considering a "three-strikes" law. Much, much more on this story has been presented and analyzed by the excellent Michael Geist, who also notes similar US lobbying pressure on Canada to "improve" its "lax" copyright laws.

My favorite is this bit, excerpted from the cable recounting an April 2007 meeting between Embassy officials and Geist himself:

His acknowledgement that Canada is a net importer of copyrighted materials helps explain the advantage he would like to hold on to with a weaker Canadian IPR protection regime. His unvoiced bias against the (primarily U.S. based) entertainment industry also reflects deeply ingrained Canadian preferences to protect and nurture homegrown artists.

In other words, Geist's disagreement with US copyright laws is due to nationalist bias, rather than deeply held principles. I wonder how they explain to themselves the very similar views of such diverse Americans as MacArthur award winner Pamela Samuelson, John Perry Barlow, and Lawrence Lessig. The latter in fact got so angry over the US's legislative expansion of copyright that he founded a movement for Congressional reform, expanding to a Harvard Law School center to research broader questions of ethics.

It's often said that a significant flaw in the US Constitution is that it didn't - couldn't, because they didn't exist yet - take account of the development of multinational corporations. They have, of course, to answer to financial regulations, legal obligations covering health and safety, and public opinion, but in many areas concerning the practice of democracy there is very little to rein those in. They can limit their employees' freedom of speech, for example, without ever falling afoul of the First Amendment, which, contrary to often-expressed popular belief, limits only the power of Congress in this area.

There is also, as Lessig pointed out in his first book, Code: and Other Laws of Cyberspace, no way to stop private companies from making and implementing technological decisions that may have anti-democratic effects. Lessig's example at the time was AOL, which hard-coded a limit of 23 participants per chat channel; try staging a mass protest under those limits. Today's better example might be Facebook, which last week was accused of unfairly deleting the profiles of 51 anti-cuts groups and activists. (My personal guess is that Facebook's claim to have simply followed its own rules is legitimate; the better question might be who supplied Facebook with the list of profiles and why.) Whether or not Facebook is blameless on this occasion, there remains a legitimate question: at what point does a social network become so vital a part of public life that the rules it implements and the technological decisions it makes become matters of public policy rather than questions for it to consider on its own? Facebook, like almost all of the biggest Internet companies, is a US corporation, with its mores and internal culture largely shaped by its home country.

We have often accused large corporate rights holders of being the reason why we see the same proposals for tightening and extending copyright popping up all over the world in countries whose values differ greatly and whose own national interests are not necessarily best served by passing such laws. More recently written constitutions could consider such influences. To the best of my knowledge they haven't, although arguably this is less of an issue in places that aren't headquarters to so many of them and where they are therefore less likely to spend large amounts backing governments likely to be sympathetic to their interests.

What Wikileaks has exposed instead is the unpleasant specter of the US, which likes to think of itself as spreading democracy around the world, behaving internationally in a profoundly anti-democratic way. I suppose we can only be grateful they haven't sent Geist and other non-US copyright reform campaigners exploding cigars. Change Congress, indeed: what about changing the State Department?

It's my personal belief that the US is being short-sighted in pursuing these copyright policies. Yes, the US is currently the world's biggest exporter of intellectual property, especially in, but not limited to, the area of entertainment. But that doesn't mean it always will be. It is foolish to think that down the echoing corridors of time (to borrow a phrase from Jean Kerr) the US will never become a net importer of intellectual property. It is sheer fantasy - even racism - to imagine that other countries cannot write innovative software that Americans want to use or produce entertainment that Americans want to enjoy. Even if you dispute the arguments made by campaigning organizations such as the Electronic Frontier Foundation and the Open Rights Group that laws like "three strikes" unfairly damage the general public, it seems profoundly stupid to assume that the US will always enjoy the intellectual property hegemony it has now.

One of these days, the US policies exposed in these cables are going to bite it in the ass.


April 1, 2011

Equal access

It is very, very difficult to understand the reasoning behind the not-so-secret plan to institute Web blocking. In a letter (http://www.openrightsgroup.org/blog/2011/minister-confirms-voluntary-site-blocking-discussions) to the Open Rights Group, Ed Vaizey, the minister for culture, communications, and creative industries, confirmed that such a proposal emerged from a workshop to discuss "developing new ways for people to access content online". (Orwell would be so proud.)

We fire up Yes, Minister once again to remind everyone of the four characteristics of proposals ministers like: quick, simple, popular, cheap. Providing the underpinnings of Web site blocking is not likely to be very quick, and it's debatable whether it will be cheap. But it certainly sounds simple, and although it's almost certainly not going to be popular among the 7 million people the government claims engage in illegal file-sharing - a number PC Pro has done a nice job of dissecting - it's likely to be popular with the people Vaizey seems to care most about, rights holders.

The four opposing kiss-of-death words are: lengthy, complicated, expensive, and either courageous or controversial, depending how soon the election is. How to convince Vaizey that it's these four words that apply and not the other four?

Well, for one thing, it's not going to be simple, it's going to be complicated. Web site blocking is essentially a security measure. You have decided that you don't want people to have access to a particular source of data, and so you block their access. Security is, as we know, not easy to implement and not easy to maintain. Security, as Bruce Schneier keeps saying, is a process, not a product. It takes a whole organization to implement the much more narrowly defined IWF system. What kind of infrastructure will be required to support the maintenance and implementation of a block list to cover copyright infringement? Self-regulatory, you say? Where will the block list, currently thought to be about 100 sites, come from? Who will maintain it? Who will oversee it to ensure that it doesn't include "innocent" sites? ISPs have other things to do, and other than limiting or charging for the bandwidth consumption of their heaviest users (who are not all file sharers by any stretch) they don't have a dog in this race. Who bears the legal liability for mistakes?

The list is most likely to originate with rights holders, who, because they have shown over most of the last 20 years that they care relatively little if they scoop innocent users and sites into the net alongside infringing ones, no one trusts to be accurate. Don't the courts have better things to do than adjudicate what percentage of a given site's traffic is copyright-infringing and whether it should be on a block list? Is this what we should be spending money on in a time of austerity? Mightn't it be...expensive?

Making the whole thing even more complicated is the obvious (to anyone who knows the Internet) fact that such a block list will - according to Torrentfreak already has - start a new arms race.

And yet another wrinkle: among blocking targets are cyberlockers. And yet this is a service that, like search, is going mainstream: Amazon.com has just launched such a service, which it calls Cloud Drive and for which it retains the right to police rather thoroughly. Encrypted files, here we come.

At least one ISP has already called the whole idea expensive, ineffective, and rife with unintended consequences.

There are other obvious arguments, of course. It opens the way to censorship. It penalizes innocent uses of technology as well as infringing ones; torrent search sites typically have a mass of varied material and there are legitimate reasons to use torrenting technology to distribute large files. It will tend to add to calls to spy on Internet users in more intrusive ways (as Web blocking fails to stop the next generation of file-sharing technologies). It will tend to favor large (often American) services and companies over smaller ones. Google, as IsoHunt told the US Court of Appeals two weeks ago, is the largest torrent search engine. (And, of course, Google has other copyright troubles of its own; last week the court rejected the Google Books settlement.)

But the sad fact is that although these arguments are important they're not a good fit if the main push behind Web blocking is an entrenched belief that the only way to secure economic growth is to extend and tighten copyright while restricting access to technologies and sites that might be used for infringement. Instead, we need to show that this entrenched belief is wrong.

We do not block the roads leading to car boot sales just because sometimes people sell things at them whose provenance is cloudy (at best). We do not place levies on the purchase of musical instruments because someone might play copyrighted music on them. We should not remake the Internet - a medium to benefit all of society - to serve the interests of one industrial group. It would make more sense to put the same energy and financial resources into supporting the games industry, which, as Tom Watson (Lab - Bromwich) has pointed out, has great potential to lift the British economy.

March 25, 2011

Return to the red page district

This week's agreement to create a .xxx generic top-level domain (generic in the sense of not being identified with a particular country) seems like a quaint throwback. Ten or 15 years ago it might have mattered. Now, for all the stories rehashing the old controversies, it seems to be largely irrelevant to anyone except those who think they can make some money out of it. How can it be a vector for censorship if there is no prohibition on registering pornography sites elsewhere? How can it "validate" the porn industry any more than printers and film producers did? Honestly, if it didn't have sex in the title, who would care?

I think it was about 1995 when a geekish friend said, probably at the Computers, Freedom, and Privacy conference, "I think I have the solution. Just create a top-level domain just for porn."

It sounded like a good idea at the time. Many of the best ideas are simple - with a kind of simplicity mathematicians like to praise with the term "elegant". Unfortunately, many of the worst ideas are also simple - with a kind of simplicity we all like to diss with the term "simplistic". Which this is depends to some extent on when you're making the judgement.

In 1995, the sense was that creating a separate pornography domain would provide an effective alternative to broad-brush filtering. It was the era of Time magazine's Cyberporn cover story, which Netheads thoroughly debunked, and of the run-up to the passage of the Communications Decency Act in 1996. The idea that children would innocently stumble upon pornography was entrenched and not wholly wrong. At that time, as PC Magazine points out while outlining the adult entertainment industry's objections to the new domain, a lot of Web surfing was done by guesswork, which is how the domain whitehouse.com became famous.

A year or two later, I heard that one of the problems was that no one wanted to police domain registrations. Sure. Who could afford the legal liability? Besides, limiting who could register what in which domain was not going well: .com, which was intended to be for international commercial organizations, had become the home for all sorts of things that didn't fit under that description, while the .us country code domain had fallen into disuse. Even today, with organizations controlling every top-level domain, the rules keep having to adapt to user behavior. Basically, the fewer people interested in registering under your domain the more likely it is that your rules will continue to work.

No one has ever managed to settle - again - the question of what the domain name system is for, a debate that's as old as the system itself: its inventor, Paul Mockapetris, still carries the scars of the battles over whether to create .com. (If I remember correctly, he was against it, but finally gave in on the basis that: "What harm can it do?") Is the domain name system a directory, a set of mnemonics, a set of brands/labels, a zoning mechanism, or a free-for-all? ICANN began its life, in part, to manage the answers to this particular controversy; many long-time watchers don't understand why it's taken so long to expand the list of generic top-level domains. Fifteen years ago, finding a consensus and expanding the list would have made a difference to the development of the Net. Now it simply does not matter.

I've written before now that the domain name system has faded somewhat in importance as newer technologies - instant messaging, social networks, iPhone/iPad apps - bypass it altogether. And that is true. When the DNS was young, it was a perfect fit for the Internet applications of the day for which it was devised: Usenet, Web, email, FTP, and so on. But the domain name system enables email and the Web, which are typically the gateways through which people make first contact with those services (you download the client via the Web, email your friend for his ID, use email to verify your account).

The rise of search engines - first Altavista, then primarily Google - did away with much of consumers' need for a directory. Also a factor was branding: businesses wanted memorable domain names they could advertise to their customers. By now, though, most people probably don't bother to remember more than a tiny handful of domain names - Google, Facebook, perhaps one or two more. Anything else they either put into a search engine or get from either a bookmark or, more likely, their browser history.

Then came sites like Facebook, which take an approach akin to CompuServe in the old days or mobile networks now: they want to be your gateway to everything online (Facebook is going to stream movies now, in competition with Netflix!). If they succeed, would it matter if you had - once - to teach your browser a user-unfriendly long, numbered address?

It is in this sense that the domain name system competes with Google and Facebook as the gateway to the Net. Of all the potential gateways, it is the only one that is intended as a public resource rather than a commercial company. That has to matter, and we should take seriously the threat that all the Net's entrances could become owned by giant commercial interests. But .xxx missed its moment to make history.

March 18, 2011

Block party

When last seen in net.wars, the Internet Watch Foundation was going through the most embarrassing moment of its relatively short life: the time it blocked a Wikipedia page. It survived, of course, and on Tuesday this week it handed out copies of its latest annual report (PDF) and its strategic plan for the years 2011 to 2014 (PDF) in the Strangers Dining Room at the House of Commons.

The event was, more or less, the IWF's birthday party: in August it will be 15 years since the suspicious, even hostile first presentation, in 1996, of the first outline of the IWF. It was an uneasy compromise between an industry accused of facilitating child abuse, law enforcement threatening technically inept action, and politicians anxious to be seen to be doing something, all heightened by some of the worst mainstream media reporting I've ever seen.

Suspicious or not, the IWF has achieved traction. It has kept government out of the direct censorship business and politicians and law enforcement reasonably satisfied. Without - as was pointed out - cost to the taxpayer, since the IWF is funded from a mix of grants, donations, and ISPs' subscription fees.

And to be fair, it has been arguably successful at doing what it set out to do, which is to disrupt the online distribution of illegal pornographic images of children within the UK. The IWF has reported for some years now that the percentage of such images hosted within the UK is near zero. On Tuesday, it said the time it takes to get foreign-hosted content taken down has halved. Its forward plan includes more of the same, plus pushing more into international work by promoting the use of its URL list abroad and developing partnerships.

Over at The Register, Jane Fae Ozimek has done a good job of tallying up the numbers the IWF reported, and also of following up on remarks made by Culture Minister Ed Vaizey and Home Office Minister James Brokenshire that suggested the IWF or its methods might be expanded to cover other categories of material. So I won't rehash either topic here.

Instead, what struck me is the IWF's report that a significant percentage of its work now concerns sexual abuse images and videos that are commercially distributed. This news offered a brief glance into a shadowy world that is illegal for any of us to study since under UK law (and the laws of many other countries) it's illegal to access such material. If this is a correct assessment, it certainly follows the same pattern as the world of malware writing, which has progressed from the giggling, maladjusted teenager writing a bit of disruptive code in his bedroom to a highly organized, criminal, upside-down image of the commercial software world (complete, I'm told by experts from companies like Symantec and Sophos, with product trials, customer support, and update patches). Similarly, our, or at least my, image was always of like-minded amateurs exchanging copies of the things they managed to pick up rather like twisted stamp collectors.

The IWF report says it has identified 715 such commercial sources, 321 of which were active in 2010. At least 47.7 percent of the commercially branded material is produced by the top ten, and the most prolific of these brands used 862 URLs. The IWF has attempted to analyze these brands, and believes that they are operated in clusters by criminals. To quote the report:

Each of the webpages or websites is a gateway to hundreds or even thousands of individual images or videos of children being sexually abused, supported by layers of payment mechanisms, content stores, membership systems, and advertising frames. Payment systems may include pre-pay cards, credit cards, "virtual money" or e-payment systems, and may be carried out across secure webpages, text, or email.

This is not what people predicted when they warned at the original meeting that blocking access to content would drive it underground into locations that were harder to police. I don't recall anyone saying: it will be like Prohibition and create a new Mafia. How big a problem this is and how it relates to events like yesterday's shutdown of boylovers.net remains to be seen. But there's logic to it: anything that's scarce attracts a high price and anything high-priced and illegal attracts dedicated criminals. So we have to ask: would our children be safer if the IWF were less successful?

The IWF will, I think, always be a compromise. Civil libertarians will always be rightly suspicious of any organization that has the authority and power to shut down access to content, online or off. Still, the IWF's ten-person board now includes, alongside the representatives of ISPs, top content sites, and academics, a consumer representative, and seems to be less dominated by repressive law enforcement interests. There's an independent audit in the offing, and while the IWF publishes no details of its block list for researchers to examine, it advocates transparency in the form of a splash screen that tells users that a site is blocked and why. They learned, the IWF's departing head, Peter Robbins, said in conversation, a lot from the Wikipedia incident.

My summary: the organization will know it has its balance exactly right when everyone on all sides has something to complain about.

March 11, 2011

The ten-year count

My census form arrived the other day - 32 lavender and white pages of questions about who will have been staying overnight in my house on March 27, their religions, and whether they will be cosseted with central heating and their own bedroom.

I seem to be out of step on this one, but I've always rather liked the census. It's a little like finding your name in an old phone book: I was here. Reportedly, this, Britain's 21st national census, may be the last. Cabinet Office minister Francis Maude has complained that it is inaccurate and out of date by the time it's finished, and £482 million is expensive.

Until I read the Guardian article cited above, I had never connected the census to Thomas Malthus' 1798 prediction that the planet would run out of the resources necessary to support an ever-increasing human population. I blame the practice of separating science, history, and politics: Malthus is taught in science class, so you don't realize he was contemporaneous with the inclusion of the census in the US Constitution, which you learn about in civics class.

The census seems to be the one moment when attention really gets focused on the amount and types of data the government collects about all of us. There are complaints from all political sides that it's intrusive and that the government already has plenty of other sources.

I have - both here and elsewhere - written a great deal about privacy and the dangers of thoughtlessly surrendering information but I'm inclined to defend the census. And here's why: it's transparent. Of all the data-gathering exercises to which our lives are subject it's the only one that is. When you fill out the form you know exactly what information you are divulging, when, and to whom. Although the form threatens you with legal sanctions for not replying, it's not enforced.

And I can understand the purpose of the questions: asking the size and disposition of homes, the amount of time spent working and at what, racial and ethnic background, religious affiliation, what passports people hold and what languages they speak. These all make sense to me in the interests of creating a snapshot of modern Britain that is accurate enough for the decisions the government must make. How many teachers and doctors do we need in which areas who speak which languages? How many people still have coal fires? These are valid questions for a government to consider.

But most important, anyone can look up census data and develop some understanding of the demographics government decisions are based on.

What are the alternatives? There are certainly many collections of data for various purposes. There are the electoral rolls, which collect the names and nationalities of everyone at each address in every district. There are the council tax registers, which collect the householder's name and the number of residents at each address. Other public sector sources include the DVLA's vehicle and driver licensing data, school records, and the NHS's patient data. And of course there are many private sector sources, too: phone records, credit card records, and so on.

Here's the catch: every one of those is incomplete. Everyone does not have a phone or credit card; some people are so healthy they get dropped from their doctors' registers because they haven't visited in many years; some people don't have an address; some people have five phones, some none. Most of those people are caught by the census, since it relies on counting everyone wherever they're staying on a single particular night.

Here's another catch: the generation of national statistics to determine the allocation of national resources is not among the stated purposes for which those data are gathered. That is of course fixable. But doing so might logically lead government to mandate that these agencies collect more data from us than they do now - and with more immediate penalties for not complying. Would you feel better about telling the DVLA or your local council your profession and how many hours you work? No one is punished for leaving a question blank on the census, but suppose leaving your religious affiliation blank on your passport application means not getting a passport until you've answered it?

Which leads to the final, biggest catch. Most of the data that is collected from us is in private hands or is confidential for one reason or another. Councils are pathological about disliking sharing data with the public; commercial organizations argue that their records are commercially sensitive; doctors are rightly concerned about protecting patient data. Despite the data protection laws we often do not know what data has been collected, how it's being used, or where it's being held. And although we have the right to examine and correct our own records we won't find it easy to determine the basis for government decisions: open season for lobbyists.

The census, by contrast, is transparent and accountable. We know what information we have divulged, we know who is responsible for it, and we can even examine the decisions it is used to support. Debate ways to make it less intrusive by all means, but do you really want to replace it with a black box?

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

January 7, 2011

Scanning the TSA

There are, Bruce Schneier said yesterday at the Electronic Privacy Information Center mini-conference on the TSA (video should be up soon), four reasons why airport security deserves special attention, even though it directly affects a minority of the population. First: planes are a favorite terrorist target. Second: they have unique failure characteristics - that is, the plane crashes and everybody dies. Third: airlines are national symbols. Fourth: planes fly to countries where terrorists are.

There's a fifth he didn't mention but that Georgetown lawyer Pablo Molina and We Won't Fly founder James Babb did: TSAism is spreading. Random bag searches on the DC Metro and the New York subways. The TSA talking about expanding its reach to shopping malls and hotels. And something I found truly offensive, giant LED signs posted along the Maryland highways announcing that if you see anything suspicious you should call the (toll-free) number below. Do I feel safer now? No, and not just because at least one of the incendiary devices sent to Maryland state offices yesterday apparently contained a note complaining about those very signs.

Without the sign, if you saw someone heaving stones at the cars you'd call the police. With it, you peer nervously at the truck in front of you. Does that driver look trustworthy? This is, Schneier said, counter-productive because what people report under that sort of instruction is "different, not suspicious".

But the bigger flaw is cover-your-ass backward thinking. If someone tries to bomb a plane with explosives in a printer cartridge, missing a later attempt using the exact same method will get you roasted for your stupidity. And so we have a ban on flying with printer cartridges over 500g and, during December, restrictions on postal mail, something probably few people in the US even knew about.

Jim Harper, a policy scholar with the Cato Institute and a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee, outlined even more TSA expansion. There are efforts to create mobile lie detectors that measure physiological factors like eye movements and blood pressure.

Technology, Lillie Coney observed, has become "like butter - few things are not improved if you add it."

If you're someone charged with blocking terrorist attacks you can see the appeal: no one wants to be the failure who lets a bomb onto a plane. Far, far better if it's the technology that fails. And so expensive scanners roll through the nation's airports despite the expert assessment - on this occasion, from Schneier and Ed Luttwak, a senior associate with the Center for Strategic and International Studies - that the scanners are ineffective, invasive, and dangerous. As Luttwak said, the machines pull people's attention, eyes, and brains away from the most essential part of security: watching and understanding the passengers' behavior.

"[The machine] occupies center stage, inevitably," he said, "and becomes the focus of an activity - not aviation security, but the operation of a scanner."

Equally offensive in a democracy, many speakers argued, is the TSA's secrecy and lack of accountability. Even Meera Shankar, the Indian ambassador, could not get much of a response to her complaint from the TSA, Luttwak said. "God even answered Job." The agency sent no representative to this meeting, which included Congressmen, security experts, policy scholars, lawyers, and activists.

"It's the violation of the entire basis of human rights," said the Stanford and Oxford lawyer Chip Pitts around the time that the 112th Congress was opening up with a bipartisan reading of the US Constitution. "If you are treated like cattle, you lose the ability to be an autonomous agent."

As Libertarian National Committee executive director Wes Benedict said, "When libertarians and Ralph Nader agree that a program is bad, it's time for our government to listen up."

So then, what are the alternatives to spending - so far, in the history of the Department of Homeland Security, since 2001 - $360 billion, not including the lost productivity and opportunity costs to the US's 100 million flyers?

Well, first of all, stop being weenies. The number of speakers who reminded us that the US was founded by risk-takers was remarkable. More people, Schneier noted, are killed in cars every month than died on 9/11. Nothing, Ralph Nader said, is spent on the 58,000 Americans who die in workplace accidents every year or the many thousands more who are killed by pollution or medical malpractice.

"We need a comprehensive valuation of how to deploy resources in a rational manner that will be effective, minimally invasive, efficient, and obey the Constitution and federal law," Nader said.

So: dogs are better at detecting explosives than scanners. Intelligent profiling can whittle down the mass of suspects to a more manageable group than "everyone" in a giant game of airport werewolf. Instead, at the moment we have magical thinking, always protecting ourselves from the last attack.

"We're constantly preparing for the rematch," said Lillie Coney. "There is no rematch, only tomorrow and the next day." She was talking as much about Katrina and New Orleans as 9/11: there will always, she said, be some disaster, and the best help in those situations is going to come from individuals and the people around them. Be prepared: life is risky.


December 31, 2010

Good, bad, ugly...the 2010 that was

Every year deserves its look back, and 2010 is no exception. On the good side, the younger generation beginning to enter politics is bringing with it a little more technical sense than we've had in government before. On the bad side, the year's many privacy scandals reminded us all how big a risk we take in posting as much information online as we do. The ugly...we'd have to say the scary new trends in malware. Happy New Year.

By the numbers:

$5.3 billion: the Google purchase offer that Groupon turned down. Smart? Stupid? Shopping and social networks ought to mix combustibly (and could hit local newspapers and their deal flyers), but it's a labor-intensive business. The publicity didn't hurt: Groupon has now managed to raise half a billion dollars on its own. They aren't selling anything we want to buy, but that doesn't seem to hurt Wal-Mart or McDonalds.

$497 million: the amount Harvard scientists Tyler Moore and Benjamin Edelman estimate that Google is earning from "typosquatting". Pocket change, really: Google's 2009 revenues were $23 billion. But still.

15 million (estimated): number of iPads sold since its launch in May. It took three decades of commercial failures for someone to finally launch a successful tablet computer. In its short life the iPad has been hailed and failed as the savior of print publications, and halved Best Buy's laptop sales. We still don't want one - but we're keyboard addicts, hardly its target market.

250,000: diplomatic cables channeled to Wikileaks. We mention this solely to enter The Economist's take on Bruce Sterling's take into the discussion. Wikileaks isn't at all the crypto-anarchy that physicist Timothy C. May wrote about in 1992. May's essay imagined the dark uses of encrypted secrecy; Wikileaks is, if anything, the opposite of it.

500: airport scanners deployed so far in the US, at an estimated cost of $80 million. For 2011, Obama has asked for another $88 million for the next round of installations. We'd like fewer scanners and the money instead spent on...well, almost anything else, really. Intelligence, perhaps?

65: Percentage of Americans that Pew Internet says have paid for Internet content. Yeah, yeah, including porn. We think it's at least partly good news.

58: Number of investigations (countries and US states) launched into Google's having sniffed approximately 600Gb of data from open WiFi connections, which the company admitted in May. The progress of each investigation is helpfully tallied by SearchEngineLand. Note that the UK's ICO's reaction was sufficiently weak that MPs are complaining.

24: Hours of Skype outage. Why are people writing about this as though it were the end of Skype? It was a lot more shocking when it happened to AT&T in 1990 - in those days, people only had one phone number!

5: number of years I've wished Google would eliminate useless shopping aggregator sites from its search results listings. Or at least label them and kick them to the curb.

2: Facebook privacy scandals that seem to have ebbed leaving less behavioral change than we'd like in their wake. In January, Facebook founder and CEO Mark Zuckerberg opined that privacy is no longer a social norm; in May the company revamped its privacy settings to find an uproar in response (and not for the first time). Still, the service had 400 million users at the beginning of 2010 and has more than 500 million now. Resistance requires considerable anti-social effort, though the cool people have, of course, long fled.

1: Stuxnet worm. The first serious infrastructure virus. You knew it had to happen.

In memoriam:

- Kodachrome. The Atlantic reports that December 30, 2010 saw the last-ever delivery of Kodak's famous photographic film. As they note, the specific hues and light-handling of Kodachrome defined the look of many decades of the 20th century. Pause to admire The Atlantic's selection of the 75 best pictures they could find: digital has many wonderful qualities, but these seem to have a three-dimensional roundness you don't see much any more. Or maybe we just forget to look.

- The 3.5in floppy disk. In April, Sony announced it would stop making the 1.4Mb floppy disk that defined the childhoods of today's 20-somethings. The first video clip I ever downloaded, of the exploding whale in Oregon (famed of Web site and Dave Barry column), required 11 floppy disks to hold it. You can see why it's gone.

- Altavista: A leaked internal memo puts Altavista on Yahoo!'s list of services due for closure. Before Google, Altavista was the best search engine by a long way, and if it had focused on continuing to improve its search algorithms instead of cluttering up its front page in line with the 1995 fad for portals it might be still. Google's overwhelming success had as much to do with its clean, fast-loading design as it did with its superior ability to find stuff. Altavista also pioneered online translation with its Babelfish (and don't you have to love a search engine that quotes Douglas Adams?).


December 10, 2010

Payback

A new word came my way while I was reviewing the many complaints about the Transportation Security Administration and its new scanner toys and pat-down procedures: "Chertoffed". It's how "security theater" (Bruce Schneier's term) has transformed the US since 2001.

The description isn't entirely fair to Chertoff, who was only the *second* head of the Bush II-created Department of Homeland Security and has now been replaced: he served from 2005-2009. But since he's the guy who began the scanner push and also numbers scanner manufacturers among the clients of his consultancy company, The Chertoff Group, it's not really unfair either.

What do you do after defining the travel experience of a generation? A little over a month ago, Chertoff showed up at London's RSA Data Security conference to talk about what he thought needed to happen in order to secure cyberspace. We need, he said, a doctrine to lay out the rules of the road for dealing with cyber attacks and espionage - the sort of thing that only governments can negotiate. The analogy he chose was to the doctrine that governed nuclear armament, which he said (at the press Q&A) "gave us a very stable, secure environment over the next several decades."

In cyberspace, he argued, such a thing would be valuable because it makes clear to a prospective attacker what the consequences will be. "The greatest stress on security is when you have uncertainty - the attacker doesn't know what the consequences will be and misjudges the risk." The kinds of things he wants a doctrine to include are therefore things like defining what is a proportionate response: if your country is on the receiving end of an attack from another country that's taking out the electrical power to hospitals and air traffic control systems with lives at risk, do you have the right to launch a response to take out the platform they're operating from? Is there a right of self-defence of networks?

"I generally take the view that there ought to be a strong obligation on countries, subject to limitations of practicality and legal restrictions, to police the platforms in their own domains," he said.

Now, there are all sorts of reasons many techies are against government involvement - or interference - in the Internet. First and foremost is time: the World Summit on the Information Society and its successor, the Internet Governance Forum, have taken years to do...no one's quite sure what, while the Internet's technology has gone on racing ahead creating new challenges. But second is a general distrust, especially among activists and civil libertarians. Chertoff even admitted that.

"There's a capability issue," he said, "and a question about whether governments put in that position will move from protecting us from worms and viruses to protecting us from dangerous ideas."

This was, of course, somewhat before everyone suddenly had an opinion about Wikileaks. But what has occurred since makes that distrust entirely reasonable: give powerful people a way to control the Net and they will attempt to use it. And the Net, as in John Gilmore's famous aphorism, "perceives censorship as damage and routes around it". Or, more correctly, the people do.

What is incredibly depressing about all this is watching the situation escalate into the kind of behavior that governments have quite reasonably wanted to outlaw and that will give ammunition to those who oppose allowing the Net to remain an open medium in which anyone can publish. The more Wikileaks defenders organize efforts like this week's distributed denial-of-service attacks, the more Wikileaks and its aftermath will become the justification for passing all kinds of restrictive laws that groups like the Electronic Frontier Foundation and the Open Rights Group have been fighting against all along.

Wikileaks itself is staying neutral on the subject, according to the statement on its (Swiss) Web site: Wikileaks spokesman Kristinn Hrafnsson said: "We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets."

Well, that's true up to a point. It would be more correct to say that public opinion is highly polarized, and that the attacks are a reflection of the opinion of a relatively small section of the public: people who are at the angriest end of the spectrum and have enough technical expertise to download and install software to make their machines part of a botnet - and not enough sense to realize that this is a risky, even dangerous, thing to do. Boycotting Amazon.com during its busiest time of year to express your disapproval of its having booted Wikileaks off its servers would be an entirely reasonable protest. Vandalism is not. (In fact the announced attack on Amazon's servers seems not to have succeeded, though others have.)

I have written about the Net and what I like to call the border wars between cyberspace and real life for nearly 20 years. Partly because it's fascinating, partly because when something is new you have a real chance to influence its development, and partly because I love the Net and want it to fulfill its promise as a democratic medium. I do not want to have to look back in another 20 years and say it's been "Chertoffed". Governments are already mad about the utterly defensible publication of the cables; do we have to give them the bullets to shoot us with, too?


December 3, 2010

Open diplomacy

Probably most people have by now lived through the embarrassment of having a (it was intended to be) private communication made public. The email your fingers oopsishly sent to the entire office instead of your inamorata; the drunken Usenet postings scooped into Google's archive; the direct Tweet that wound up in the public timeline; the close friend your cellphone pocket-dialed while you were trashing them.

Most of these embarrassments are relatively short-lived. The personal relationships that weren't already too badly damaged recover, if slowly. Most of the people who get the misdirected email are kind enough to delete it and never mention it again. Even the stock market learns to forgive those drunken Usenet postings; you may be a CEO now but you were only a frat boy back then.

But the art of government-level diplomacy is creating understanding, tolerance, and some degree of cooperation among people who fundamentally distrust each other and whose countries may have substantial, centuries-old reasons why that is utterly rational. (Sometimes these internecine feuds are carried to extremes: would you buy from a store that filed Greek and Turkish DVDs in the same bin?) It's hardly surprising if diplomats' private conversations resemble those of Hollywood agents, telling each person what they want to hear about the others and maneuvering them carefully to get the desired result. And a large part of that desired result is avoiding mass destruction through warfare.

For that reason, it's hard to simply judge Wikileaks' behavior by the standard of our often-expressed goal of open data, transparency, accountability, and net.freedoms. Is there a line? And where do you draw it?

In the past, it was well-established news organizations who had to make this kind of decision - the New York Times and the Washington Post regarding the Pentagon Papers, for example. Those organizations, rooted in a known city in a single country, knew that mistakes would see them in court; they had reputations, businesses, and personal liberty to lose. As Jay Rosen: the world's first stateless news organization. (culture, laws, norms) - contract with those who have information that can submit - will encrypt to disguise source from us as well as others - and publish - can't subpoena because stateless. Failure of the watchdog press under George Bush and anxiety on part of press derived from denial of their own death.

Wikileaks wasn't *exactly* predicted by Internet pioneers, but it does have its antecedents and precursors. Before collaborative efforts - wikis - became commonplace on the Web there was already the notion of bypassing the nation-state to create stores of data that could not be subjected to subpoenas and other government demands. There was the Sealand data bunker. There was physicist Timothy May's Crypto Anarchist Manifesto, which posited that, "Crypto anarchy will allow national secrets to be trade freely and will allow illicit and stolen materials to be traded."

Note, however, that a key element of these ideas was anonymity. Julian Assange has told Guardian readers that in fact he originally envisioned Wikileaks as an anonymous service, but eventually concluded that someone must be responsible to the public.

Curiously, the strand of Internet history that is the closest to the current Wikileaks situation is the 1993-1997 wrangle between the Net and Scientology, which I wrote about for Wired in 1995. This particular net.war did a lot to establish the legal practices still in force with respect to user-generated content: notice and takedown, in particular. Like Wikileaks today, those posting the most closely guarded secrets of Scientology found their servers under attack and their material being taken down and, in response, replicated internationally on mirror sites to keep it available. Eventually, sophisticated systems were developed for locating the secret documents wherever they were hosted on a given day as they bounced from server to server (and they had to do all that without the help of Twitter). Today, much of the gist is on Wikipedia. At the time, however, calling it a "flame war with real bullets" wasn't far wrong: some of Scientology's fiercest online critics had their servers and/or homes raided. When Amazon removed Wikileaks from its servers because of "copyright", it operated according to practices defined in response to those Scientology actions.

The arguments over Wikileaks push at many other boundaries that have been hotly disputed over the last 20 years. Are they journalists, hackers, criminals, or heroes? Is Wikileaks important because, as NYU professor Jay Rosen points out, journalism has surrendered its watchdog role? Or because it is posing, as Techdirt says, the kind of challenge to governments that the music and film industries have already been facing? On a technical level, Wikileaks is showing us the extent to which the Internet can still resist centralised control.

A couple of years ago, Stefan Magdalinski noted the "horse-trading in a fairly raw form" his group of civic hackers discovered when they set out to open up the United Nations proceedings - another example of how people behave when they think no one is watching. Ultimately governments will learn to function in a world in which they cannot trust that anything is secret, just as they had to learn to cope with CNN (PDF).


October 29, 2010

Wanted: less Sir Humphrey, more shark


Seventeen MPs showed up for Thursday's Backbenchers' Committee debate on privacy and the Internet, requested by Robert Halfon (Con-Harlow). They tell me this is a sell-out crowd. The upshot: Google and every other Internet company may come to rue the day that Google sent its Street View cars around Britain. It crossed a line.

That line is this: "Either your home is your castle or it's not." That was Halfon, talking about StreetView and an email he had from a vastly upset woman in Cornwall whose home had been captured and posted on the Web. It's easy for Americans to forget how deep the "An Englishman's home is his castle" thing goes.

Halfon's central question: are we sleepwalking into a privatized surveillance society, and can we stop it? "If no one has any right to privacy, we will live in a Big Brother society run by private companies." StreetView, he said, "is brilliant - but they did it without permission." Of equal importance to Halfon is the curious incident of the silent Information Commissioner (unlike apparently his equivalent everywhere else in the world) and Google's sniffed wi-fi data. The recent announcement that the sniffed data includes contents of email messages, secure Web pages, and passwords has prompted the ICO to take another look.

The response of the ICO, Halfon said, "has been more like Sir Humphrey than a shark with teeth, which is what it should be."

Google is only one offender; Julian Huppert (LibDem-Cambridge) listed some of the other troubles, including this week's release of Firesheep, a Firefox add-on designed to demonstrate Facebook's security failings. Several speakers raised the issue of the secret BT/Phorm trials. A key issue: while half the UK's population choose to be Facebook users (!), and many more voluntarily use Google daily, no one chose to be included in StreetView; we did not ask to be its customers.

So Halfon wants two things. He wants an independent commission of inquiry convened that would include MPs with "expertise in civil liberties, the Internet, and commerce" to suggest a new legal framework that would provide a means of redress, perhaps through an Internet bill of rights. What he envisions is something that polices the behavior of Internet companies the way the British Medical Association or the Law Society provides voluntary self-regulation for their fields. In cases of infringement, fines, perhaps.

In the ensuing discussion many other issues were raised. Huppert mentioned "chilling" (Labour) government surveillance, and hoped that portions of the Digital Economy Act might be repealed. Huppert has also been asking Parliamentary Questions about the is-it-still-dead? Interception Modernization Programme; he is still checking on the careful language of the replies. (Asked about it this week, the Home Office told me they can't speculate in advance about the details that will be provided "in due course"; that what is envisioned is a "program of work on our communications abilities"; that it will be communications service providers, probably as defined in RIPA Section 2(1), storing data, not a government database; that the legislation to safeguard against misuse will probably, but not certainly, be a statutory instrument.)

David Davis (Con-Haltemprice and Howden) wasn't too happy even with the notion of decentralized data held by CSPs, saying these would become a "target for fraudsters, hackers and terrorists". Damian Hinds (Con-East Hampshire) dissected Google's business model (including £5.5 million of taxpayers' money the UK government spent on pay-per-click advertising in 2009).

Perhaps the most significant thing about this debate is the huge rise in the level of knowledge. Many took pains to say how much they value the Internet and love Google's services. This group know - and care - about the Internet because they use it, unlike 1995, when an MP was about as likely to read his own email as he was to shoot his own dog.

Not that I agreed with all of them. Don Foster (LibDem-Bath) and Mike Weatherley (Con-Hove) were exercised about illegal file-sharing (Foster and Huppert agreed to disagree about the DEA, and Damian Collins (Con-Folkestone and Hythe) complained that Google makes money from free access to unauthorized copies). Nadine Dorries (Con-Mid Bedfordshire) wanted regulation to protect young people against suicide sites.

But still. Until recently, Parliament's definition of privacy was celebrities' need for protection from intrusive journalists. This discussion of the privacy of individuals is an extraordinary change. Pressure groups like PI, Open Rights Group, and No2ID helped, but there's also a groundswell of constituents' complaints. Mark Lancaster (Con-Milton Keynes North) noted that a women's refuge at a secret location could not get Google to respond to its request for removal and that the town of Broughton formed a human chain to block the StreetView car. Even the attending opposition MP, Ian Lucas (Lab-Wrexham), favored the commission idea, though he still had hopes for self-regulation.

As for next steps, Ed Vaizey (Con-Wantage and Didcot), the Minister for Communication, Culture, and the Creative Industries, said he planned to convene a meeting with Google and other Internet companies. People should have a means of redress and somewhere to turn for mediation. For Halfon that's still not enough. People should have a choice in the first place.

To be continued...


October 23, 2010

An affair to remember

Politicians change; policies remain the same. Or, if they don't, they return like the monsters in horror movies that end with the epigraph, "It's still out there..."

Cut to 1994, my first outing to the Computers, Freedom, and Privacy conference. I saw: passionate discussions about the right to strong cryptography. The counterargument from government and law enforcement and security service types was that yes, strong cryptography was a fine and excellent thing at protecting communications from prying eyes and for that very reason we needed key escrow to ensure that bad people couldn't say evil things to each other in perfect secrecy. The listing of organized crime, terrorists, drug dealers, and pedophiles as the reasons why it was vital to ensure access to cleartext became so routine that physicist Timothy May dubbed them "The Four Horsemen of the Infocalypse". Cypherpunks opposed restrictions on the use and distribution of strong crypto; government types wanted at the very least a requirement that copies of secret cryptographic keys be provided and held in escrow against the need to decrypt in case of an investigation. The US government went so far as to propose a technology of its own, complete with back door, called the Clipper chip.

Eventually, the Clipper chip was cracked by Matt Blaze, and the needs of electronic commerce won out over the paranoia of the military and restrictions on the use and export of strong crypto were removed.

Cut to 2000 and the run-up to the passage of the UK's Regulation of Investigatory Powers Act. Same Four Horsemen, same arguments. Eventually RIPA passed with the requirement that individuals disclose their cryptographic keys - but without key escrow. Note that it's just in the last couple of months that someone - a teenager - has gone to jail in the UK for the first time for refusing to disclose their key.

It is not just hype by security services seeking to evade government budget cuts to say that we now have organized cybercrime. Stuxnet rightly has scared a lot of people into recognizing the vulnerabilities of our infrastructure. And clearly we've had terrorist attacks. What we haven't had is a clear demonstration by law enforcement that encrypted communications have impeded the investigation.

A second and related strand of argument holds that communications data - that is traffic data such as email headers and Web addresses - must be retained and stored for some lengthy period of time, again to assist law enforcement in case an investigation is needed. As the Foundation for Information Policy Research and Privacy International have consistently argued for more than ten years, such traffic data is extremely revealing. Yes, that's why law enforcement wants it; but it's also why the American Library Association has consistently opposed handing over library records. Traffic data doesn't just reveal who we talk to and care about; it also reveals what we think about. And because such information is of necessity stored without context, it can also be misleading. If you already think I'm a suspicious person, the fact that I've been reading proof-of-concept papers about future malware attacks sounds like I might be a danger to cybersociety. If you know I'm a journalist specializing in technology matters, that doesn't sound like so much of a threat.

And so to this week. The former head of the Department of Homeland Security, Michael Chertoff, at the RSA Security Conference compared today's threat of cyberattack to nuclear proliferation. The US's Secure Flight program is coming into effect, requiring airline passengers to provide personal data for the US to check 72 hours in advance (where possible). Both the US and UK security services are proposing the installation of deep packet inspection equipment at ISPs. And language in the UK government's Strategic Defence and Security Review (PDF) has led many to believe that what's planned is the revival of the we-thought-it-was-dead Interception Modernisation Programme.

Over at Light Blue Touchpaper, Ross Anderson links many of these trends and asks if we will see a resumption of the crypto wars of the mid-1990s. I hope not; I've listened to enough quivering passion over mathematics to last an Internet lifetime.

But, as he says, it's hard to see one without the other. On the face of it, because the data "they" want to retain is traffic data and not content, encryption might seem irrelevant. But a number of trends are pushing people toward greater use of encryption. First and foremost is the risk of interception; many people prefer (rightly) to use secured https, SSH, or VPN connections when they're working over public wi-fi networks. Others secure their connections precisely to keep their ISP from being able to analyze their traffic. If data retention and deep packet inspection become commonplace, so will encrypted connections.

And at that point, as Anderson points out, the focus will return to long-defeated ideas like key escrow and restrictions on the use of encryption. The thought of such a revival is depressing; implementing any of them would be such a regressive step. If we're going to spend billions of pounds on the Internet infrastructure - in the UK, in the US, anywhere else - it should be spent on enhancing robustness, reliability, security, and speed, not building the technological infrastructure to enable secret, warrantless wiretapping.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

October 15, 2010

The elected dictatorship

I wish I had a nickel for every time I had the following conversation with some British interlocutor in the 1970s and 1980s:

BI: You should never have gotten rid of Nixon.

wg: He was a crook.

BI: They're all crooks. He was the best foreign policy president you ever had.

As if it were somehow touchingly naïve to expect that politicians should be held to standards of behaviour in office. (Look, I don't care if they have extramarital affairs; I care if they break the law.)

It is, however, arguable that the key element of my BIs' disapproval was that Americans had the poor judgment and bad taste to broadcast the Watergate hearings live on television. (Kids, this was 1972. There was no C-Span then.) If Watergate had happened in the UK, it's highly likely no one would ever have heard about it until 50 or however many years later the Public Records Office opened the archives.

Around the time I founded The Skeptic, I became aware of the significant cultural difference in how people behave in the UK versus the US when they are unhappy about something. Britons write to their MP. Americans...make trouble. They may write letters, but they are equally likely to found an organization and create a campaign. This do-it-yourself ethic is completely logical in a relatively young country where democracy is still taking shape.

Britain, as an older - let's be polite and call it mature - country, operates instead on a sort of "gentlemen's agreement" ethos (vestiges of which survive in the US Constitution, to be sure). You can get a surprising amount done - if you know the right people. That system works perfectly for the in-group, and so to effect change you either have to become one of them (which dissipates your original desire for change) or gate-crash the party. Sometimes, it takes an American...

This was Heather Brooke's introduction to English society. The daughter of British parents and the wife of a British citizen, burned out from years of investigative reporting on murders and other types of mayhem in the American South, she took up residence in Bethnal Green with her husband. And became bewildered when repeated complaints to the council and police about local crime produced no response. Stonewalled, she turned to writing her book Your Right to Know, which led her to make her first inquiries about viewing MPs' expenses. The rest is much-aired scandal.

In her latest book, The Silent State, Brooke examines the many ways that British institutions are structured to lock out the public. The most startling revelation: things are getting worse, particularly in the courts, where the newer buildings squeeze public and press into cramped, uncomfortable spaces but the older buildings. Certainly, the airport-style security that's now required for entry into Parliament buildings sends the message that the public are both unwelcome and not to be trusted (getting into Thursday's apComms meeting required standing outside in the chill and damp for 15 minutes while staff inspected and photographed one person at a time).

Brooke scrutinizes government, judiciary, police, and data-producing agencies such as the Ordnance Survey, and each time finds the same pattern: responsibility for actions cloaked by anonymity; limited access to information (either because the information isn't available or because it's too expensive to obtain); arrogant disregard for citizens' rights. And all aided by feel-good, ass-covering PR and the loss of independent local press to challenge it. In a democracy, she argues, it should be taken for granted that citizens should have a right to get an answer when they ask how many violent attacks are taking place on their local streets, take notes during court proceedings or Parliamentary sessions, or access and use data whose collection they paid for. That many MPs seem to think of themselves as members of a private club rather than public servants was clearly shown by the five years of stonewalling Brooke negotiated in trying to get a look at their expenses.

In reading the book, I had a sudden sense of why electronic voting appeals to these people. It is yet another mechanism for turning what was an open system that anyone could view and audit - it doesn't take an advanced degree to be able to count pieces of paper - into one whose inner workings can effectively be kept secret. That its inner workings are also not understandable to MPs themselves apparently is a price they're willing to pay in return for removing much of the public's ability to challenge counts and demand answers. Secrecy is a habit of mind that spreads like fungus.

We talk a lot about rolling back newer initiatives like the many databases of Blair's and Brown's government, data retention, or the proliferation of CCTV cameras. But while we're trying to keep citizens from being run down by the surveillance state we should also be examining the way government organizes its operations and block the build-out of further secrecy. This is a harder and more subtle thing to do, but it could make the lives of the next generation of campaigners easier.

At least one thing has changed in the last 30 years, though: people's attitudes. In 2009, when the scandal over MPs' expenses broke, you didn't hear much about how other qualities meant we should forgive MPs. Britain wanted *blood*.


September 17, 2010

Science is vital

"Should I burn the check or eat it?" a broke friend with bank account difficulties asked once.

Deciding what you can do without in a financial crisis is always tough, whether you're an individual or a government. Do you cut cold weather payments to the elderly? Dump pre-school programs? Sell off nationalized industries, pocket the debt, and use the cash as if it were income instead of irreplaceable capital? Slash arts funding knowing that you will be attacked by every high-profile actor and creator as a philistine? Flood prevention. Investment in new technologies to combat climate change. Police. Every group has its own set of arguments about why it shouldn't bear the brunt of government cuts. Everyone is special.

That may in fact be why the coalition government warned at the outset that slashing budgets would be across the board and that everyone would feel the chill. The UK Film Council, Becta, public sector...

And science research, spending on which is due to be reviewed next month. Evan Harris, the former LibDem MP for Oxford West and Abingdon, has argued that science research is the foundation of future economic growth; Professor Brian Cox has compared the possibility of mothballing the expensive particle accelerator projects Diamond and Isis to "building the Olympic stadium and then not using it". (Not building the Olympic stadium - not winning the Olympics - not *bidding* on the Olympics would all have been fine with me, but this is the problem with trying to balance interest groups.)

At first glance, it's easy to see why business secretary Vince Cable would think it's a good idea for scientists to become more commercial: get industry to provide more funding and discontinue work that is "neither commercially useful nor theoretically outstanding", as the Guardian has him saying. While we've all heard the jokes about Drunken Goldfish and Other Irrelevant Scientific Research, the thing is that science - especially basic research - isn't so neatly categorized. When it is - when commercial interests take over too strongly - the underlying fundamental advances are lost, taking with them the next generation of new ideas.

Twenty years ago, when I first started doing technology journalism, I was told there were three great corporate research labs in the US: Xerox PARC, IBM Watson, and Bell Labs. Bell Labs was broken up along with its parent company, AT&T; PARC is not the force it was. Only IBM is still making news with its research. A lot of talent is now congregating at Google. In any event, over the last two decades most corporate research has in general become much more tightly focused on producing results the funding companies can use right away. That was a major reason why MIT's Media Lab was so successful at attracting funding from so many companies: it offered them a way to back less specifically focused research for relatively modest sums.

But basic research is the real blue-sky stuff, where you don't know what you have until some time later. In its heyday, IBM did both: it invented dye lasers, which had relatively little impact within the company but much more outside it, as well as DRAM and disk drives, which more obviously benefited the company itself. James McGroddy, then director of IBM research, told me in 1991 (for Personal Computer World) that even apparently irrelevant scientific research did have benefits for IBM even if they couldn't be easily quantified. For example, the company can more easily take advantage of advances if the people who made them are in its employ. Plus, expertise can cross disciplines: he cited the example of IBM mathematicians who find hard problems to work on within IBM customer needs (such as how to optimize airline schedules). More subtly, the production of Nobel prize-winning work made IBM the kind of place that the best people wanted to be.

All these points are relevant to national research programs, too, and lead directly to points Harris and others have made: that if you remove the facilities that allow scientists to work they will perforce go elsewhere. It is unfortunate but true that highly educated, very talented, creative people - and that is what scientists are - have choices about these things. And once you start to lose this generation of scientists, the next generation will follow of necessity because the way you become a great scientist is to be trained by and work with great scientists during your developmental years. The decisions made in this area today will make the difference between the UK's continuing to be a country that punches well above its weight in terms of size, population, and natural resources and the UK's becoming the third world country the Pope's aide already thinks it is (although hasn't anyone who's had to take one of those buses from plane to jetway thought the same thing?).

There must be some way of balancing the finances such that we do not throw away the future to pay for the present. Julian Huppert has tabled an Early Day Motion in Parliament, and there are demonstrations brewing. Imagine: Sheldon is marching.


August 27, 2010

Trust the data, not the database

"We're advising people to opt out," said the GP, speaking of the Summary Care Records that are beginning to be uploaded to what is supposed to be eventually a nationwide database used by the NHS. Her reasoning goes this way. If you don't upload your data now you can always upload it later. If you do upload it now - or sit passively by while the National Health Service gets going on your particular area - and live to regret it you won't be able to get the data back out again.

You can find the form here, along with a veiled hint that you'll be missing out on something if you do opt out - like all those great offers of products and services companies always tell you you'll get if you sign up for their advertising. The Big Opt-Out Web site has other ideas.

The newish UK government's abrupt dismissal of the darling databases of last year has not dented the NHS's slightly confusing plans to put summary care records on a national system that will move control over patient data from your GP, who you probably trust to some degree, to...well, there's the big question.

In briefings for Parliamentarians conducted by the Open Rights Group in 2009, Emma Byrne, a researcher at University College, London who has studied various aspects of healthcare technology policy, commented that the SCR was not designed with any particular use case in mind. Basic questions that an ordinary person asks before every technology purchase - who needs it? for what? under what circumstances? to solve what problem? - do not have clear answers.

"Any clinician understands the benefits of being able to search a database rather than piles of paper records, but we have to do it in the right way," Fleur Fisher, the former head of ethics, science, and information for the British Medical Association said at those same briefings. Columbia University researcher Steve Bellovin, among others, has been trying to figure out what that right way might look like.

As comforting as it sounds to say that the emergency care team looking after you will be able to look up your SCR and find out that, for example, you are allergic to penicillin and peanuts, in practice that's not how stuff happens - and isn't even how stuff *should* happen. Emergency care staff look at the patient. If you're in a coma, you want the staff to run the complete set of tests, not look up in a database, see you're a diabetic and assume it's a blood sugar problem. In an emergency, you want people to do what the data tells them, not what the database tells them.

Databases have errors, we know this. (Just last week, a database helpfully moved the town I live in from Surrey to Middlesex, for reasons best known to itself. To fix it, I must write them a letter and provide documentation.) Typing and cross-matching blood drawn by you from the patient in front of you is much more likely to have you transfusing the right type of blood into the right patient.

But if the SCR isn't likely to be so much used by the emergency staff we're all told would? might? find it helpful, it still opens up much broader possibilities of abuse. It's this part of the system that the GP above was complaining about: you cannot tell who will have access or under what circumstances.

GPs do, in a sense, have a horse in this race, in that if patient data moves out of their control they have lost an important element of their function as gatekeepers. But given everything we know about how and why large government IT projects fail, surely the best approach is small, local projects that can be scaled up once they're shown to be functional and valuable. And GPs are the people at the front lines who will be the first to feel the effects of a loss of patient trust.

A similar concern has kept me from joining a study whose goals I support, intended to determine if there is a link between mobile phone use and brain cancer. The study is conducted by an ultra-respectable London university; they got my name and address from my mobile network operator. But their letter notes that participation means giving them unlimited access to my medical records for the next 25 years. I'm 56, about the age of the earliest databases, and I don't know who I'll be in 25 years. Technology is changing faster than I am. What does this decision mean?

There's no telling. Had they said I was giving them permission for five years and then would be asked to renew, I'd feel differently about it. Similarly, I'd be more likely to agree had they said that under certain conditions (being diagnosed with cancer, dying, developing brain disease) my GP would seek permission to release my records to them. But I don't like writing people blank checks, especially with so many unknowns over such a long period of time. The SCR is a blank check.


August 13, 2010

Pirate flags

Wednesday's Future Human - The Piracy Panacea event missed out on a few topics, among them network neutrality, an issue I think underlies many net.wars debates: content control, privacy, security. The Google-Verizon proposals sparked much online discussion this week. I can only reiterate my belief that net neutrality should be seen as an anti-trust issue. A basic principle of anti-trust law (Standard Oil, the movie studios) is that content owners should not be allowed to own the means of distribution, and I think this readily applies to cable companies that own TV stations and telephone companies that are carriers for other people's voice services.

But the Future Human event was extraordinary enough without that. Imagine: more than 150 people squished into a hot, noisy pub, all passionately interested in...copyright! It's only a few years ago that entire intellectual property law school classes would fit inside a broom cupboard. The event's key question: does today's "piracy" point the way to future innovation?

The basis of that notion seemed to be that historically pirates have forced large imperial powers to change and weren't just criminals. The event's light-speed introduction whizzed through functionally democratic pirate communities and pirate radio, and a potted history of authorship from Shakespeare and Newton to Lady Gaga. There followed mock trials of a series of escalating copyright infringements in which it became clear that the audience was polarized and more or less evenly divided.

There followed our panel: me, theoretically representing the Open Rights Group; Graham Linehan, creator of Father Ted and The IT Crowd; Jamie King, writer and director of Steal This Film; and economist Thierry Rayna. Challenged, of course, by arguers from the audience, one of whom declined to give her affiliation on the grounds that she'd get lynched (I doubt this). Partway through the panel someone complained on Twitter that we weren't answering the question the event had promised to tackle: how can the creative industries build on file-sharing and social networks to create the business models of the future?

It seems worth trying to answer that now.

First, though, I think it's important to point out that I don't think there's much that's innovative about downloading a TV show or MP3. The people engaged in downloading unauthorized copies of mainstream video/audio, I think, are not doing anything particularly brave. The people on the front lines are the ones running search engines and services. These people are indeed innovators, and some of them are doing it at substantial personal risk. And they cannot, in general, get legal licenses from rights holders, a situation that could be easily changed by the rights holders. Napster, which kicked the copyright wars into high gear and made digital downloads a mainstream distribution method, is now ten years ago. Yet rights holders are still trying to implement artificial scarcity (to replace real scarcity) and artificial geography (to replace real geography). The death of distance, as Economist writer Frances Cairncross called it in 1997, changes everything, and trying to pretend it doesn't is absurd. The download market has been created by everyone *but* the record companies, who should have benefited most.

Social networks - including the much-demonized P2P networks - provide the greatest mechanism for word of mouth in the history of human culture. And, as we all know, word of mouth is the most successful marketing available, at least for entertainment.

It also seems obvious that P2P and social networks are a way for companies to gauge the audience better before investing huge sums. It was obvious from day one, for example, that despite early low official ratings and mixed reviews, Gossip Girl was a hit. Why? Because tens of thousands of people were downloading it the instant it came online after broadcast. Shouldn't production company accountants be all over this? Use these things as a testbed instead of having the fall pilots guessed on by a handful of the geniuses who commissioned Cavemen and the US version of Coupling and cancelled Better Off Ted. They could have a lot clearer picture of what kind of audience a show might find and how quickly.

Trying to kill P2P and other technologies just makes them respawn like the Hydra. The death of Napster (central server) begat Gnutella and eDonkey (central indexes), lawsuits against whose software developers begat the even more decentralized BitTorrent. When millions and tens of millions of people are flocking to a new technology rights holders should be there, too.

The real threat is always going to be artists taking their business into their own hands. For every Lady Gaga there are thousands of artists who, given some basic help, can turn their work into the kind of living wage that allows them to pursue their art full-time and professionally. I would think there is a real business in providing these artists with services - folksingers, who've never had this kind of help, have produced their own recordings for decades, and having done it myself I can tell you it's not easy. This was the impulse behind the foundation of CDBaby, and now of Jamie King's VoDo. In the long run, things like this are the real game-changers.


August 6, 2010

Bride of Clipper

"It's the Clipper chip," said Ross Anderson, or more or less, "risen out of its grave trailing clanking chains and covered in slime." Anderson was talking about the National Strategy for Trusted Identities in Cyberspace, a plan hatched in the US and announced by cybersecurity czar Howard Schmidt in June.

The Clipper chip was the net.war in progress when I went to my first Computers, Freedom, and Privacy conference, the 1994 edition, held in Chicago. The idea behind Clipper was kind of cute: the government, in the form of the NSA, had devised a cryptographic chip that could be installed in any telecommunications device to encrypt and decrypt any communications it transmitted or received. The catch: the government would retain a master key to allow it to decrypt anything it wanted whenever it felt the need. Privacy advocates and civil libertarians and security experts joined to fight a battle royal against its adoption as a government standard. We'll never know how that would have come out because while passions were still rising a funny thing happened: cryptographer Matt Blaze discovered he could bypass the government's back door (PDF) and use the thing to send really encrypted communications. End of Clipper chip.

At least, as such.

The most important element of the Clipper chip, however - key escrow - stayed with us a while longer. It means what it sounds like: depositing a copy of your cryptographic key, which is supposed to be kept secret, with an authority. During the 1990s run of fights over key escrow (the US and UK governments wanted it; technical experts, civil libertarians, and privacy advocates all thought it was a terrible idea) such authorities were referred to as "trusted third parties" (TTPs). At one event Privacy International organised to discuss the subject, government representatives made it clear their idea of TTPs was banks. They seemed astonished to discover that in fact people don't trust their banks that much. By the time the UK's Regulation of Investigatory Powers Act was passed in 2000, key escrow had been eliminated.

But it is this very element - TTPs and key escrow - that is clanking along to drip slime on the NSTIC. The proposals are, of course, still quite vague, as the Electronic Frontier Foundation has pointed out. But the proposals do talk of "trusted digital identities" and "identity providers" who may be from the public or private sectors. They talk less, as the Center for Democracy and Technology has pointed out, about the kind of careful user-centric, role-specific, transactional authentication that experts like Jan Camenisch and Stefan Brands have long advocated. (Since I did that 2007 interview with him, Brands' company, Credentica, has been bought by Microsoft and transformed into its new authentication technology, U-Prove.) Have an identity ecosystem, by all means, but the key to winning public trust - the most essential element of any such system - will be ensuring that identity providers are not devised as Medium-sized Brothers-by-proxy.

Blaze said at the time that the Feds were pretty grown-up about the whole thing. Still, I suppose it was predictable that it would reappear. Shortly after the 9/11 attacks Jack Straw, then foreign minister, called those of us who opposed key escrow in the 1990s "very naïve". The rage over that kicked off the first net.wars column.

The fact remains that if you're a government and you want access to people's communications and those people encrypt those communications there are only two approaches available to you. One: ban the technology. Two: install systems that let you intercept and decode the communications at will. Both approaches are suddenly vigorously on display with respect to Blackberry devices, which offer the most secure mobile email communications we have (which is why businesses and governments love them so much for their own use).

India wants to take the second approach, but will settle for the first if Research in Motion doesn't install a server in India, where it can be "safely" monitored. The UAE, as everyone heard this week, wants to ban it starting on October 11. (I was on Newsnight Tuesday to talk about this with Kirsty Wark and Alan West.)

No one, not CDT, PI, or EFF, not even me, disputes that there are cases where intercepting and reading communications - wiretapping - is necessary in the interest of protecting innocent lives. But what key escrow and its latter variants enable, as Susan Landau, a security researcher and co-author of Privacy on the Line: The Politics of Wiretapping and Encryption, has noted, is covert wiretapping. Or, choose your own favorite adjective: covert, warrantless, secret, unauthorized, illegal... It would be wonderful to be able to think that all law enforcement heroes are noble, honorable, and incapable of abusing the power we give them. But history says otherwise: where there is no oversight, abuse follows. Judicial oversight of wiretapping requests is our bulwark against mass surveillance.

CDT, EFF, and others are collecting ideas for improving NSTIC, starting with extending the period for public comments, which was distressingly short (are we seeing a pattern develop here?). Go throw some words at the problem.


July 30, 2010

Three-legged race

"If you are going to do this damn silly thing, don't do it in this damn silly way," Sir Humphrey Appleby tells Jim Hacker in a fit of unaccustomed straight talking.

We think of this often these days, largely because it seems as though lawmakers, having been belittled by impatient and malcontent geeks throughout the 1990s for being too slow to keep up with Internet time, are trying to speed through the process of creating legislation by eliminating thought, deliberation, and careful drafting. You can see why they'd want to get rid of so many civil servants, who might slow this process down.

In that particular episode of Yes, Minister, "The Writing on the Wall" (S1e05), Appleby and Hacker butt heads over who will get the final say over the wording of a draft proposal on phased Civil Service reductions (today's civil servants and ministers might want to watch episode S1e03, "The Economy Drive", for what their lives will soon be like). Hacker wins that part of the battle only to discover that his version, if implemented, will shut down his own department. Oops.

Much of the Digital Economy Act (2010) was like this: redrafted at the last minute in all sorts of unhelpful ways. But the devil is always in the details, and it was not unreasonable to hope that Ofcom, charged with defining and consulting on those details, would operate in a more measured fashion. But apparently not, and so we have a draft code of practice that's so incomplete that it could be a teenager's homework.

Both Consumer Focus and the Open Rights Group have analyses of the code's non-compliance with the act and a helpful online form (http://e-activist.com/ea-campaign/clientcampaign.do?ea.client.id=1422&ea.campaign.id=7268) should you wish to submit your opinions. The consultation closes today, so run, do not walk, to add your comments.

What's more notable is when it opened: May 28, only three days after the State Opening of the post-election parliamentary session, three weeks after the election, and six weeks after the day that Gordon Brown called the election. Granted, civil servants do not down pencils while the election is proceeding. But given that the act went through last-second changes and then was nodded through the House of Commons in the frantic dash to get home to start campaigning, the most time Ofcom can have had to draft this mish-mash was about six weeks. Which may explain the holes and inadequacies, but then you have to ask: why didn't they take their time and do it properly?

The Freedom bill, which is to repeal so many of the items on our wish list, is mute on the subject of the Digital Economy Act, despite a number of appearances on the Freedom bill's ideas site. (Big Brother Watch has some additional wish list items.)

The big difficulty for anyone who hates the copyright protectionist provisions in the act - the threat to open wi-fi, the disconnection or speed-limitation of Internet access ("technical measures") to be applied to anyone who is accused of copyright infringement three times ("three-strikes", or HADOPI, after the failed French law attempting to do the same) - is that what you really want is for the act to go away. Preferably back where it came from, some copyright industry lobbyist's brain. A carefully drafted code of practice that pays attention to ensuring that the evidentiary burden on copyright holders is strong enough to deter the kind of abuse seen in the US since the passage of the Digital Millennium Copyright Act (1998) is still not a good scenario, merely a least-worst one.

Still, ORG and Consumer Focus are not alone in their unhappiness. BT and TalkTalk have expressed their opposition, though for different reasons. TalkTalk is largely opposed to the whole letter-writing and copyright infringement elements; but both ISPs are unhappy about Ofcom's decision to limit the code to fixed-line ISPs with more than 400,000 customers. In the entire UK, there are only seven: TalkTalk, BT, Post Office, Virgin, Sky, Orange, and O2. Yet it makes sense to exclude mobile ISPs for now: at today's prices it's safe to guess that no one spends a lot of time downloading music over them. For the rest...these ISPs can only benefit if unauthorised downloading on their services decreases; don't all ISPs want the heaviest downloaders to leech off someone else's service?

LINX, the largest membership organisation for UK Internet service providers, has also objected (PDF) to the Act's apportionment of costs: ISPs, LINX's Malcolm Hutty argues, are innocent third parties, so rather than sharing the costs of writing letters and retaining the data necessary to create copyright infringement reports, ISPs should be reimbursed for not only the entire cost of implementing the necessary systems but also opportunity costs. It's unclear, LINX points out, how much change Ofcom has time to make to the draft code and still meet its statutory timetable.

So this is law on Internet time: drafted for, if not by, special interests, undemocratically rushed through Parliament, hastily written, poorly thought-out, unfairly and inequitably implemented in direct opposition to the country's longstanding commitment to digital inclusion. Surely we can do better.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

July 16, 2010

Music tax

According to various press write-ups, Music Education in the 21st Century in the United Kingdom, published yesterday, worries that older forms of music like brass bands, classical, and folk music could become extinct. Despite the fact that you can put any kind of music you want on an iPod, kids just aren't hearing anything but pop, rock, hip-hop, and rap.

This is in the same week that the Performing Rights Society for Music released a paper proposing to levy fees on ISPs in proportion to the amount of copyrighted material being illegally downloaded via their networks.

These are connected issues.

There are so many problems with the "music tax" proposal that you barely know where to start. The paper describes ISPs as "next-generation broadcasters" and unlicensed media consumption as providing value to ISPs; and proposes using Detica's deep packet inspection to analyze traffic and track "plausibly illicit file sharing".

ISPs are infrastructure providers. A few, mostly cable companies, are broadcasters - Virgin in the UK and Comcast in the US - whose core business is providing TV. But most are phone companies, landline or mobile - BT, Verizon, Vodafone, T-Mobile. To ISPs serving the mass market, heavy downloaders who soak up their bandwidth are pariahs who don't pay proportionately for their usage. Finally, the belief that it's easy to identify illicit data streams is laughable.

And that's without considering the civil liberties implications of having a private company snoop on everyone's downloads at the behest of a single industry sector.

But we've been through what's wrong with this type of proposal before. What may not be obvious is the connection between the decay we began with of older musical forms and the enactment of policies that make the recording industry happy. Brass band music varies considerably in its provenance, but if there's one thing almost all classical music and traditional folk music have in common besides holding an important place in British cultural heritage it's this: they're out of copyright. Policies enacted at the behest of the copyright industries - for example the Digital Economy Act (which BT and TalkTalk want to challenge, by the way) - do nothing for these types of music and their performers.

The 2003 Licensing Act brought in a requirement for pubs and other locations that have long hosted small music events to get entertainment licenses. The upshot: it's easier and cheaper for pubs to have a television or recorded music playing than it is to allow live musicians to sit in a corner and play folk music, even though acoustic music is typically less likely to annoy the neighbors with noise overspill. There have been consultations about changing this and there is currently a bill in the House of Lords, but in the meantime dozens of small folk clubs and acoustic sessions have ended for lack of a welcoming venue. Most of those could have been saved by the exemptions proposed in the bill: audiences of under 200, acoustic music only, ending before midnight, and so on. These issues have been much discussed on the Usenet newsgroup uk.music.folk, and the Live Music Forum delivered a petition with 17,000 signatures to number 10 Downing Street on July 8.

It's particularly ironic that this has happened at a time when the folk scene has had the best influx of energizing young performers for several decades: John Spiers and Jon Boden, Bellowhead, Faustus, Emily and Hazel Askew, and many others (as a general rule, anything involving Tim Van Eyken is good). These are fresh, high-energy reinterpretations of English folk music created by superb, passionate musicians, not at all the dying, airless flatness of academia some might imagine. The fact that most folk performers consider a turnout of 200 a great night doesn't mean they're - it is to laugh! - less competent than Lady Gaga.

But a lot of the point of folk music - like the open-source software movement - is that it's participatory (If you can sing, then you can write a song, sings my friend Bill Steele, writer of "Garbage!", the song made famous by Pete Seeger). Music, like sports, software coding, and scientific exploration, is something that people need to believe they can do themselves - and of all the genres folk is probably the most accessible in that regard. It would certainly suit the recording business for music to become a black box like a mobile phone or a game console, something people pay to use without looking inside it. But society as a whole would be poorer for it. Government and education should be encouraging kids to play, learn, and experiment, to be fellow creators, not consumers.

So, Messrs Cameron and Clegg: if you want to do something for music and musicians, amend the Licensing Act to encourage live performance by live musicians in small venues. Amend contract law so that musicians aren't forced into giving away all rights in perpetuity with no reversion. Require the new owners of failed record labels to pay royalties on the back catalogues they've acquired instead of allowing them to take the assets and dump the liabilities. Music is bigger than just those four big labels, y'know.



June 11, 2010

Bonfire of the last government's vanities

"We have no hesitation in making the national identity card scheme an unfortunate footnote in history. There it should remain - a reminder of a less happy time when the Government allowed hubris to trump civil liberties," the Home Secretary, Theresa May, told the House of Commons at the second reading of the Identity Documents Bill 2010, which will erase the 2006 act introducing ID cards and the National Identity Register. "This will not be a literal bonfire of the last Government's vanities, but it will none the less be deeply satisfying." Estimated saving: £86 million over the next four years.

But not so fast...

An "unfortunate footnote" sounds like the perfect scrapheap on which to drop the National Identity Register and its physical manifestation, ID cards, but if there's one thing we know about ID cards it's that, like the monster in horror movies, they're always "still out there".

In 2005, Lilian Edwards, then at the Centre for Research in Intellectual Property and Law at the University of Edinburgh, invited me to give a talk, Identifying Risks, on the history of ID cards, an idea inspired by a comment from Ross Anderson. The gist: after the ID card was scrapped in 1952 at the end of World War II, attempts to bring back an ID card were made, on average, about every two or three years. (Former cabinet minister Peter Lilley, speaking at Privacy International's 2002 conference, noted that every new IT minister put the same set of ID card proposals before the Cabinet.)

The most interesting thing about that history is that the justification for bringing in ID cards varied so much; typically, it drew on the latest horrifying public event. So, in 1974 it was the IRA bombings in Guildford and Birmingham. In 1988, football hooliganism and crime. In 1989, social security fraud. In 1993, illegal immigration, fraud, and terrorism.

Within the run of just the 2006 card, the point varied. The stated goals began with blocking benefit fraud, then moved on to include preventing terrorism and serious crime, stopping illegal immigration, and needing to comply with international standards that require biometric features in passports. It is this chameleon-like adaptation to the troubles of the day that makes ID cards so suspect as the solution to anything.

Immediately after the 9/11 attacks, Tony Blair rejected the idea of ID cards (which he had actively opposed in 1995, when John Major's government issued a green paper). But by mid-2002 a consultation paper had been published and by 2004 Blair was claiming that the civil liberties objections had vanished.

Once the 2006 ID card was introduced as a serious set of proposals in 2002, events unfolded much as Simon Davies predicted they would at that 2002 meeting. The government first clothed the ID card in user-friendly obfuscation: an entitlement card. The card's popularity in the polls, at first favourable (except, said David Blunkett, for a highly organised minority), slid inexorably as the gory details of its implementation and costs became public. Yet the (dear, departed) Labour government clung to the proposals despite admitting, from time to time, their utter irrelevance for preventing terrorism.

Part of the card's sliding popularity has been due to people's increased understanding of the costs and annoyance it would impose. Their apparent support for the card was for the goals of the card, not the card itself. Plus, since 2002 the climate has changed: the Iraq war is even less popular and even the 2005 "7/7" London attacks did not keep acceptance of the "we are at war" justification for increased surveillance from declining. And the economic climate since 2008 makes large expenditure on bureaucracy untenable.

Given the frequency with which the ID card has resurfaced in the past, it seems safe to say that the idea will reappear at some point, though likely not during this coalition government. The LibDems always opposed it; the Conservatives have been more inconsistent, but currently oppose large-scale public IT projects.

Depending how you look at it, ID cards either took 54 years to resurface (from their withdrawal in 1952 to the 2006 Identity Cards Act), or the much shorter time to the first proposals to reinstate them. Australia might be a better guide. In 1985, Bob Hawke made the "Australia card" a central plank of his government. He admitted defeat in 1987, after widespread opposition fueled by civil liberties groups. ID card proposals resurfaced in Australia in 2006, to be withdrawn again at the end of 2007. That's about 21 years - or a generation.

In 2010 Britain, it's as important that much of the rest of the Labour government's IT edifice, such as the ContactPoint database, intended to track children throughout their school years, is being scrapped. Left in place, it might have taught today's generation of children to perceive state tracking as normal. The other good news is that many of today's tireless campaigners against the 2006 ID card will continue to fight the encroachment of the database state. In 20 years - or sooner, if (God forbid) some catastrophe makes it politically acceptable - when or if an ID card comes back, they will still be young enough to fight it. And they will remember how.



June 4, 2010

Return to the hacker crackdown

Probably many people had forgotten about the Gary McKinnon case until the new government reversed their decision to intervene in his extradition. Legal analysis is beyond our expertise, but we can outline some of the historical factors at work.

By 2001, when McKinnon did his breaking and entering into US military computers, hacking had been illegal in the UK for just over ten years - the Computer Misuse Act was passed in 1990 after the overturned conviction of Robert Schifreen and Steve Gold for accessing Prince Philip's Prestel mailbox.

Early 1990s hacking (earlier, the word meant technological cleverness) was far more benign than today's flat-out crimes of identity fraud, money laundering, and raiding bank accounts. The hackers of the era - most famously Kevin Mitnick - were more the cyberspace equivalent of teenaged joyriders: they wandered around the Net rattling doorknobs and playing tricks to get passwords, and occasionally copied some bit of trophy software for bragging rights. Mitnick, despite spending four and a half years in jail awaiting trial, was not known to profit from his forays.

McKinnon's claim that he was looking for evidence that the US government was covering up information about alternative energy and alien visitations seems to me wholly credible. There was and is a definite streak of conspiracy theorists - particularly about UFOs - among the hacker community.

People seemed more alarmed by those early-stage hackers than they are by today's cybercriminals: the fear of new technology was projected onto those who seemed to be its masters. The series of 1990 "Operation Sundown" raids in the US, documented in Bruce Sterling's book, inspired the creation of the Electronic Frontier Foundation. Among other egregious confusions, law enforcement seized game manuals from Steven Jackson Games in Austin, Texas, calling them hacking instruction books.

The raids came alongside a controversial push to make hacking illegal around the world. It didn't help when police burst in at the crack of dawn to arrest bright teenagers and hold them and their families (including younger children) at gunpoint while their computers and notebooks were seized and their homes ransacked for evidence.

"I think that in the years to come this will be recognized as the time of a witch hunt approximately equivalent to McCarthyism - that some of our best and brightest were made to suffer this kind of persecution for the fact that they dared to be creative in a way that society didn't understand," 21-year-old convicted hacker Mark Abene ("Phiber Optik") told filmmaker Annaliza Savage for her 1994 documentary, Unauthorized Access (YouTube).

Phiber Optik was an early 1990s cause célèbre. A member of the hacker groups Legion of Doom and Masters of Deception, he had an exceptionally high media profile. In January 1990, he and other MoD members were raided on suspicion of having caused the AT&T crash of January 15, 1990, when more than half of the telephone network ceased functioning for nine hours. Abene and others were eventually charged in 1991, with law enforcement demanding $2.5 million in fines and 59 years in jail. Plea agreements reduced that to a year in prison and 600 hours of community service. The company eventually admitted the crash was due to its own flawed software upgrade.

There are many parallels between these early days of hacking and today's copyright wars. Entrenched large businesses (then AT&T; now RIAA, MPAA, BPI, et al) perceive mostly young, smart Net users as dangerous enemies and pursue them with the full force of the law, claiming exaggeratedly large-figure sums in damages. Isolated, often young, targets were threatened with jail and/or huge sums in damages to make examples of them to deter others. The upshot in the 1990s was an entrenched distrust of and contempt for law enforcement on the part of the hacker community, exacerbated by the fact that back then so few law enforcement officers understood anything about the technology they were dealing with. The equivalent now may be a permanent contempt for copyright law.

In his 1990 essay Crime and Puzzlement examining the issues raised by hacking, EFF co-founder John Perry Barlow wrote of Phiber Optik, whom he met on the WELL: "His cracking impulses seemed purely exploratory, and I've begun to wonder if we wouldn't also regard spelunkers as desperate criminals if AT&T owned all the caves."

When McKinnon was first arrested in March 2002 and then indicted in a Virginia court in October 2002 for cracking into various US military computers - with damage estimated at $800,000 - all this history was still fresh. Meanwhile, the sympathy and good will toward the US engendered by the 9/11 attacks had been dissipated by the Bush administration's reaction: the PATRIOT Act (passed October 2001) expanded US government powers to detain and deport foreign citizens, and the first prisoners arrived at Guantanamo in January 2002. Since then, the US has begun fingerprinting all foreign visitors and has seen many erosions to civil liberties. The 2005 changes to British law that made hacking into an extraditable offense were controversial for precisely these reasons.

As McKinnon's case has dragged on through extradition appeals this emotional background has not changed. McKinnon's diagnosis with Asperger's Syndrome in 2008 made him into a more fragile and sympathetic figure. Meanwhile, the really dangerous cybercriminals continue committing fraud, theft, and real damage, apparently safe from prosecution.



May 7, 2010

Wish list

It's 2am on election night, so of course no one can think about anything except the returns. Reported so far: 57 of 650 seats. Swing from Labour to Conservative: 4 percent.

The worst news of the night so far is that people have been turned away from polling stations because the queues couldn't be processed fast enough to get everyone through before the official closing time of 10pm. Creative poll workers locked the unvoted inside the station and let them vote. Uncreative ones sent them home, or tried to - I'm glad to see there were angry protests and, in some cases, sit-ins. Incredibly, some people couldn't vote because their stations ran out of ballot papers. In one area, hundreds of postal ballots are missing. It's an incredible shambles considering Britain's centuries of experience of running elections. Do not seize on this mess as an excuse to bring in electronic voting, something almost every IT security expert warns is a very bad idea. Print some more ballot papers, designate more polling stations, move election day to Saturday.

Reported: 69 Swing: 3.8 percent: Both Conservatives and LibDems have said they will scrap the ID card. Whether they'll follow through remains to be seen. My sense from interviews with Conservative spokespeople for articles in the last year is that they want to scrap large IT projects in favor of smaller, more manageable ones undertaken in partnership with private companies. That should spell death for the gigantic National Identity Register database and profound change for the future of NHS IT; hopefully smaller systems should give individuals more control. It does raise the question of handing over data to private companies in, most likely, other countries. The way LibDem peers suddenly switched sides on the Digital Economy Act last month dinged our image of the LibDems as the most sensible on net.wars issues of all the parties. Whoever gets in, yes, please, scrap the National Identity Register and stick to small, locally grown IT projects that serve their users. That means us, not the Whitehall civil service.

Reported: 82. Swing: 3.6 percent: Repeal the Digital Economy Act and take time out for a rethink and public debate. The copyright industries are not going to collapse without three-strikes and disconnection notices. Does the UK really want laws that France has rejected?

Reported: 104. Swing: 4.1 percent: Coincidentally, today I received a letter "inviting" me to join a study on mobile phones and brain cancer; I would be required to answer periodic surveys about my phone use. The explanatory leaflet notes: "Imperial College will review your health directly through routine medical and other health-related records" using my NHS number, name, address, and date of birth - for the next 20 to 30 years. Excuse me? Why not ask me to report relevant health issues, and request more detailed access only if I report something relevant? This Labour government has fostered this attitude of We Will Have It All. I'd participate in the study if I could choose what health information I give; I'm not handing over untrammeled right of access. New government: please cease to regard our health data as yours to hand over "for research purposes" to whomever you feel like. Do not insult our intelligence and knowledge by claiming that anonymizing data protects our privacy; such data can often be very easily reidentified.

Reported: 120. Swing: 3.9 percent: Reform libel law. Create a public interest defense for scientific criticism, streamline the process, and lower costs for defendants. Re-allocate the burden of proof to the plaintiff. Stop hearing cases with little or no connection to the UK.

Reported: 149. Swing: 4.3 percent: While you're reforming legal matters, require small claims court to hear cases in which photographers (and other freelances) pursue publishers who have infringed their copyright. Photographers say these courts typically kick such "specialist" cases up to higher levels, making it impracticably expensive to get paid.

Reported: 231. Swing: 4.8 percent: Any government that's been in power as long as Labour currently has is going to seem tired and in need of new ideas. But none of the complaints above - the massive growth in surveillance, the lack of regard for personal privacy, the sheer cluelessness about IT - knocked Labour down. Even lying about the war didn't do it. It was, as Clinton's campaign posted on its office walls, the economy. Stupid.

Reported: 327. Swing: 5 percent: Scrap ContactPoint, the (expensive, complicated) giant database intended to track children through their school days to adulthood - and, by the time they get there, most likely beyond. Expert reports the government commissioned and paid for advised against taking the risk of data breaches. Along with it, modernize data protection instead of data retention.

Reported: 626. Swing: 5.3 percent: A hung Parliament (as opposed to hanging chad). Good. For the last 36 years Britain has been ruled by an uninterrupted elected dictatorship. It is about time the parties were forced to work together again. Is anyone seriously in doubt that the problems the country has are bigger than any one party's interests? Bring on proportional representation. Like they have in Scotland.


April 2, 2010

Not bogus!


"If I lose £1 million it's worth it for libel law reform," the science writer Simon Singh was widely reported as saying this week. That was even before yesterday's ruling in the libel case brought against him by the British Chiropractic Association.

Going through litigation, I was told once, is like having cancer. It is a grim, grueling, rollercoaster process that takes over your life and may leave you permanently damaged. In the first gleeful WE-WON! moments following yesterday's ruling it's easy to forget that. It's also easy to forget that this is only one stage in a complex series.

Yesterday's judgment was the ruling in Singh's appeal (heard on February 22) against the ruling of Justice David Eady last May, which itself was only a preliminary ruling on the meaning of the passage in dispute, with the dispute itself to be resolved in a later trial. In October Singh won leave to appeal Eady's ruling; February's hearing and today's judgment constituted that appeal and its results. It is now two years since the original article appeared, and the real case is yet to be tried. Are we at the beginning of Jarndyce and Jarndyce or SCO versus Everyone?

The time and costs of all this are why we need libel law reform. English libel cases, as Singh frequently reminds us, cost 144 times as much as similar cases in the rest of the EU.

But the most likely scenario is that Singh will lose more than that million pounds. It's not just that he will have to pay the costs of both sides if he loses whatever the final round of this case eventually turns out to be (even if he wins the costs awarded will not cover all his expenses). We must also count what businesses call "opportunity costs".

A couple of weeks ago, Singh resigned from his Guardian column because the libel case is consuming all his time. And, he says, he should have started writing his next book a year ago but can't develop a proposal and make commitments to publishers because of the uncertainty. These withdrawals are not just his loss; we all lose by not getting to read what he'd write next. At a time when politicians can be confused enough to worry that an island can tip over and capsize, we need our best popular science educators to be working. Today's adults can wait, perhaps; but I did some of my best science reading as a teenager: The Microbe Hunters; The Double Helix (despite its treatment of Rosalind Franklin); Isaac Asimov's The Human Body: Its Structure and Operation; and the pre-House true medical detection stories of Berton Roueché. If Singh v BCA takes five years that's an entire generation of teenagers.

Still, yesterday's ruling, in which three of the most powerful judicial figures in the land agreed - eloquently! - with what we all thought from the beginning deserves to be celebrated, not least for its respect for scientific evidence.

Some favorite quotes from the judgment, which makes fine reading:

Accordingly this litigation has almost certainly had a chilling effect on public debate which might otherwise have assisted potential patients to make informed choices about the possible use of chiropractic.

A similar situation, of course, applies to two other recent cases that pitted libel law against the public interest in scientific criticism. First, Swedish academic Francisco Lacerda, who criticized the voice risk analysis principles embedded in lie detector systems (including one bought by the Department of Work and Pensions at a cost of £2.4 million). Second, British cardiologist Peter Wilmshurst is defending charges of libel and slander over comments he made regarding a clinical trial in which he served as a principal investigator. In all three cases, the public interest is suffering. Ensuring that there is a public interest defense is accordingly a key element of the libel law reform campaign's platform.

The opinion may be mistaken, but to allow the party which has been denounced on the basis of it to compel its author to prove in court what he has asserted by way of argument is to invite the court to become an Orwellian ministry of truth.

This was in fact the gist of Eady's ruling: he categorized Singh's words as fact rather than comment and would have required Singh to defend a meaning his article went on to say explicitly was not what he was saying. We must leave it for someone more English than I am to say whether that is a judicial rebuke.

We would respectfully adopt what Judge Easterbrook, now Chief Judge of the US Seventh Circuit Court of Appeals, said in a libel action over a scientific controversy, Underwager v Salter: "[Plaintiffs] cannot, by simply filing suit and crying 'character assassination!', silence those who hold divergent views, no matter how adverse those views may be to plaintiffs' interests. Scientific controversies must be settled by the methods of science rather than by the methods of litigation."

What they said.


March 19, 2010

Digital exclusion: the bill

The workings of British politics are nearly as clear to foreigners as cricket; and unlike the US there's no user manual. (Although we can recommend Anthony Trollope's Palliser novels and the TV series Yes, Minister as good sources of enlightenment on the subject.) But what it all boils down to in the case of the Digital Economy Bill is that the rights of an entire nation of Internet users are about to get squeezed between a rock and an election unless something dramatic happens.

The deal is this: the bill has completed all the stages in the House of Lords, and is awaiting its second reading in the House of Commons. Best guesses are that this will happen on or about March 29 or 30. Everyone expects the election to be called around April 8, at which point Parliament disbands and everyone goes home to spend three weeks intensively disrupting the lives of their constituency's voters when they're just sitting down to dinner. Just before Parliament dissolves there's a mad dash to wind up whatever unfinished business there is, universally known as the "wash-up". The Digital Economy Bill is one of those pieces of unfinished business. The fun part: anyone who's actually standing for election is of course in a hurry to get home and start canvassing. So the people actually in the chamber during the wash-up while the front benches are hastily agreeing to pass stuff through on the nod are likely to be retiring MPs and others who don't have urgent election business.

"What we need," I was told last night, "is a huge, angry crowd." The Open Rights Group is trying to organize exactly that for this Wednesday, March 24.

The bill would enshrine three strikes and disconnection into law. Since the Lords' involvement, it provides Web censorship. It arguably up-ends at least 15 years of government policy promoting the Internet as an engine of economic growth to benefit one single economic sector. How would the disconnected vote, pay taxes, or engage in community politics? What happened to digital inclusion? More haste, less sense.

Last night's occasion was the 20th anniversary of Privacy International (Twitter: @privacyint), where most people were polite to speakers David Blunkett and Nick Clegg. Blunkett, who was such a front-runner for a second Lifetime Menace Big Brother Award that PI renamed the award after him, was an awfully good sport when razzed; you could tell that having his personal life hauled through the tabloid press in some detail has changed many of his views about privacy. Though the conversion is not quite complete: he's willing to dump the ID card, but only because it makes so much more sense just to make passports mandatory for everyone over 16.

But Blunkett's nearly deranged passion for the ID card was at least his own. The Digital Economy Bill, on the other hand, seems to be the result of expert lobbying by the entertainment industry, most especially the British Phonographic Industry. There's a new bit of it out this week in the form of the Building a Digital Economy report, which threatens the loss of 250,000 jobs in the UK alone (1.2 million in the EU, enough to scare any politician right before an election). Techdirt has a nice debunking summary.

A perennial problem, of course, is that bills are notoriously difficult to read. Anyone who's tried knows these days they're largely made up of amendments to previous bills, and therefore cannot be read on their own; and while they can be marked up in hypertext for intelligent Internet perusal this is not a service Parliament provides. You would almost think they don't really want us to read these things.

Speaking at the PI event, Clegg deplored the database state that has been built up over the last ten to 15 years, the resulting change in the relationship between citizen and state, and especially the omission that, "No one ever asked people to vote on giant databases." Such a profound infrastructure change, he argued, should have been a matter for public debate and consideration - and wasn't. Even Blunkett, who attributed some of his change in views to his involvement in the movie Erasing David (opening on UK cinema screens April 29), while still mostly defending the DNA database, said that "We have to operate in a democratic framework and not believe we can do whatever we want."

And here we are again with the Digital Economy Bill. There is plenty of back and forth among industry representatives. ISPs estimate the cost of the DEB's Web censorship provisions at up to £500 million. The BPI disagrees. But where is the public discussion?

But the kind of thoughtful debate that's needed cannot take place in the present circumstances with everyone gunning their car engines hoping for a quick getaway. So if you think the DEB is just about Internet freedoms, think again; the way it's been handled is an abrogation of much older, much broader freedoms. Are you angry yet?


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

February 12, 2010

Light year

This year is going to be the first British general election in which blogging is going to be a factor, someone said on Monday night at the event organized by the Westminster Skeptics on the subject of political blogging: does it make any difference? I had to stop and think: really? Things like the Daily Kos have been part of the American political scene for so long now - Kos was founded in 2002 - that they've been through two national elections already.

But there it was: "2005 was my big break," said Paul Staines, who blogs as Guido Fawkes. "I was the only one covering it. 2010 is going to be much tougher." To stand out, he went on to say, you're going to need a good story. That's what they used to tell journalists.

Due to the wonders of the Net, you can experience the debate for yourself. The other participants were Sunny Hundal (Liberal Conspiracy), Mick Fealty (Slugger O'Toole), Jonathan Isaby (Conservative Home), and the Observer journalist Nick Cohen, there to act as the token nay-sayer. (I won't use skeptic, because although the popular press like to see a "skeptic" as someone who's just there to throw brickbats, I use the term rather differently: skepticism is inquiry and skeptics ask questions and examine evidence.)

All four of the political bloggers have a precise idea of what they're trying to do and who they're writing for. Jonathan Isaby, who claims he's the first British journalist to leave a full-time newspaper job (at the Telegraph) for new media, said he's read almost universally among Conservative candidates. Paul Staines aims Guido Fawkes at "the Westminster bubble". Mick Fealty uses Slugger O'Toole to address a "differentiated audience" that is too small for TV, radio, and newspapers. Finally, Sunny Hundal uses Liberal Conspiracy to try to "get the left wing to become a more coherent force".

Despite their various successes, Cohen's basic platform defended newspapers. Blogging, he said, is not replacing the essential core of journalism: investigation and reporting. He's right up to a point. But some do exactly that. Westminster Skeptics convenor David Allen Green, then standing approximately eight inches away, is one example. But it's probably true that for every blogger with sufficient curiosity and commitment to pick up a phone or bang on someone's door there are a couple of hundred more who write blog postings by draping a couple of hundred words of opinion around a link to a story that appeared in the mainstream media.

Of course, as Cohen didn't say, plenty of journalists, through lack of funding, lack of time, or lack of training, find themselves writing news stories by draping a couple of hundred words of rewritten press release around the PR-provided quotes - and soul-destroying work it is, too. My answer to Cohen, therefore, is to say that commercial publishers have contributed to their own problems, and that one reason blogs have become such an entrenched medium is that they cover things that no newspaper will allow you to write about in any detail. And it's hard to argue with Cohen's claim that almost any blogger finding a really big story will do the sensible thing and sell it to a newspaper.

If you can. Arguably the biggest political story of 2009 was MPs' expenses. That material was released because of the relentless efforts of Heather Brooke, who took up the 2005 arrival into force of the UK's Freedom of Information Act as a golden opportunity. It took her nearly five years to force the disclosure of MPs' expenses - and when she finally succeeded the Telegraph wrote its own stories after poring over the details that were disclosed.

The fact is that political blogging has been with us for far longer than one five-year general election cycle. It's just that most of it does not take the same form as the "inside politics" blogs of the US or the traditional Parliamentary sketches in the British newspapers. The push for libel reform began with Jack of Kent (David Allen Green); the push to get the public more engaged with their MPs began with MySociety's Fax Your MP. It was clear as long ago as 2006 that MPs were expert users of They Work For You: it's how they keep tabs on each other. MySociety's sites are not blogs - but they are the source material without which political blogging would be much harder work.

I don't find it encouraging to hear Isaby predict that in the upcoming election (expected in May) blogging "will keep candidates on their toes" because "gaffes will be more quickly reported". Isn't this the problem with US elections? That everyone gets hung up on calumnies such as that Al Gore claimed to have invented the Internet. Serious issues fall by the wayside, and good candidates can be severely damaged by biased reporting that happens to feed an eminently quotable sarcastic joke. Still: anything for a little light into the smoke-filled back rooms where British politics is still made. Even with smoking now banned, it's murky back there.


January 22, 2010

Music night

Most corporate annual reports seek to paint a glowing picture of the business's doings for the previous year. By law they have to disclose anything really unfortunate - financial losses, management malfeasance, a change in the regulatory landscape. The International Federation of the Phonographic Industry was caught in a bind writing its Digital Music Report 2010 (PDF) (or see the press release). Paint too glowing a picture of the music business, and politicians might conclude no further legislation is needed to bolster the sector. Paint too gloomy a picture, and ministers might conclude theirs is a lost cause, and better to let dying business models die.

So IFPI's annual report veers between complaining about "competing in a rigged market" (by which they mean a market in which file-sharing exists) and stressing the popularity of music and the burgeoning success of legally sanctioned services. Yay, Spotify! Yay, Sky Songs! Yay, iTunes! You would have to be the most curmudgeonly of commentators to point out that none of these are services begun by music companies; they are services begun by others that music companies have been grudgingly persuaded to make deals with. (I say grudgingly; naturally, I was not present at contract negotiations. Perhaps the music companies were hopping up and down like Easter bunnies in their eagerness to have their product included. If they were, I'd argue that the existence of free file-sharing drove them to it. Without file-sharing there would very likely be no paid subscription services now; the music industry would still be selling everyone CDs and insisting that this was the consumer's choice.)

The basic numbers showed that song downloads increased by 10 percent - but total revenue including CDs fell by 12 percent in the first half of 2009. The top song download: Lady Gaga's "Poker Face".

All this is fair enough - an industry's gotta eat! - and it's just possible to read it without becoming unreasonable. And then you hit this gem:

Illegal file-sharing has also had a very significant, and sometimes disastrous, impact on investment in artists and local repertoire. With their revenues eroded by piracy, music companies have far less to plough back into local artist development. Much has been made of the idea that growing live music revenues can compensate for the fall-off in recorded music sales, but this is, in reality, a myth. Live performance earnings are generally more to the benefit of veteran, established acts, while it is the younger developing acts, without lucrative careers, who do not have the chance to develop their reputation through recorded music sales.

So: digital music is ramping up (mostly through the efforts of non-music industry companies and investors). Investment in local acts and new musicians is down. And overall sales are down. And we're blaming file-sharing? How about blaming at least the last year or so of declining revenues on the recession? How about blaming bean counters at record companies who see a higher profit margin in selling yet more copies of back catalogue tried-and-tested, pure-profit standards like Frank Sinatra and Elvis Presley than in taking risks on new music? At some point, won't everyone have all the copies of the Beatles albums they can possibly use? Er, excuse me, "consume". (The report has a disturbing tendency to talk about "consuming" music; I don't think people have the same relationship with music that they do with food. I'd also question IFPI's whine about live music revenues: all young artists start by playing live gigs, that's how they learn; *radio play* gets audiences in; live gigs *and radio play* sell albums, which help sell live gigs in a virtuous circle, but that's a topic for another day.)

It is a truth rarely acknowledged that all new artists - and all old artists producing new work - are competing with the accumulated back catalogue of the past decades and centuries.

IFPI of course also warns that TV, book publishing, and all other media are about to suffer the same fate as music. The not-so-subtle underlying message: this is why we must implement ferocious anti-file-sharing measures in the Digital Economy Bill, amendments to which, I'm sure coincidentally, were discussed in committee this week, with more to come next Tuesday, January 26.

But this isn't true, or not exactly. As a Dutch report on file-sharing (original in Dutch) pointed out last year, file-sharing, which it noted goes hand-in-hand with buying, does not have the same impact on all sectors. People listen to music over and over again; they watch TV shows fewer but still multiple times; if they don't reread books they do at least often refer back to them; they see most movies only once. If you want to say that file-sharing displaces sales, which is debatable, then clearly music is the least under threat. If you want to say that file-sharing displaces traditional radio listening, well, I'm with you there. But IFPI does not make that argument.

Still, some progress has been made. Look what IFPI says here, on page 4 in the executive summary right up front: "Recent innovations in the à-la-carte sector include...the rollout of DRM-free downloads internationally." Wha-hey! That's what we told them people wanted five years ago. Maybe five years from now they'll be writing how file-sharing helps promote artists who, otherwise, would never find an audience because no one would ever hear their work.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

November 27, 2009

Women and children first

The Irish author Tim Pat Coogan has commented that Ireland was colonized twice: once by the British, and once by the Catholic church. I was reminded of that yesterday when reading that the leader of the Irish Catholic church, Cardinal Sean Brady, the Irish government, and the commissioner of the Irish police have all apologized for decades of systematically covering up child abuse by Catholic priests, uncovered in the damning report of a three-year inquiry into the Archdiocese of Dublin from 1975 to 2004. It seems that the cover-up went, like Watergate, all the way to the top.

When I was living in Ireland in the late 1980s few people talked about abuse by priests. One who did was Frank Crummey, whom I interviewed for one of my first-ever published pieces, for the Guardian's women's page about the prosecution of the Irish Family Planning Association for giving away condoms at Virgin's Dublin Megastore. (Richard Branson funded the IFPA's defense, and flew in for the court hearing.) The chain of contacts led to Margaret Gaj, a veteran of contraceptive campaigns, and she sent me to Crummey.

He told me that his interest in contraception began as a campaign to redress the imbalance in subsidies between the Gaeltacht - Irish-language - and English-speaking agricultural areas. Working on that got him into the schools, where he saw that children were being abused - he mentioned in particular the Christian Brothers. But trying to engage their mothers on the issue failed: they were too poor and too dependent on their priests for help and charity to risk confrontation. Often, he told me, the priests would divulge even to abusive husbands what their wives said in the supposedly safe confessional. As the Irish writer Seán Mac Mathúna asked in one of his short stories, "Who'd be a woman in Ireland?" The situation with respect to child abuse seems not to have been much different: clergy and police cooperated to protect the guilty.

Unable to interest the authorities in the problems he was finding in the schools - a problem he encountered again, reportedly, in Ireland's industrial schools - Crummey concluded that the underlying problem was that too many children consigned them to poverty and powerlessness. That's when he began smuggling contraceptives into Ireland and, with his family's help, distributing them by post. The letters he got from desperate women telling their stories to beg for help, he said, were heart-rending.

It is hard to convey to anyone who didn't live in Ireland in or before the 1980s how deeply embedded the Church was. It owned 90 percent of the primary schools and most of the hospitals. The Irish Constitution, although it includes a US-like clause guaranteeing the separation of church and state, clearly intended "freedom of religion" to mean "freedom to be Catholic". The late Leslie Shepard, editor of The Encyclopedia of Occultism and Parapsychology and an early supporter of The Skeptic, frequently talked about the unique position of priests in rural villages in earlier times. Often, he noted, they were the only people who could read and write.

In fact, the village priest figured heavily in one of the topics covered in the early issues of The Skeptic (and revisited in the soon-to-be forthcoming Why Statues Weep: the Best of The Skeptic from Philosophy Press). The Trinity College Dublin professor David Berman had discovered new documents showing that the local priest was behind the Knock Apparitions. (Shepard always vehemently disputed that any village priest could be so deceptive.) I'm not sure a similar strategy will work now.

Noticeable change had begun while I was living there, often attributed to economic improvement that meant that many of Ireland's emigrants could afford to return, bringing with them experiences of life in other countries. A few of these founded the Campaign to Separate Church and State; others banded together to build non-denominational charter schools for their kids. In the 1990s, of course, along came the technology boom which, at least for a time, charged the economy.

The Church was already in trouble before the scandals broke. Writing in Disillusioned Decades: Ireland 1966-1987 (Gill and Macmillan, 1987), Coogan noted that, "...though the presence of the church is all-pervasive there has been a diminution of the grip which it is able to maintain on an increasingly well-educated society. Increasing affluence (of a sort) and mobility mean that people can move in and out of the purview of the church without permitting it to have any great influence on their conduct (unless, of course, they want an abortion or a divorce)." From 1970 to 1985, the numbers entering the priesthood dropped by a quarter.

Now, according to the Independent, the abuse scandals have not only dramatically accelerated the already notable decline in numbers applying to enter the priesthood but are emptying the churches. For a country that only a little over 20 years ago could be persuaded through the power of the pulpit to vote down a constitutional amendment allowing divorce, it's staggering. The change may be less of a hard road for Ireland than it appears: one of the key messages the CSCS tried to impart in the late 1980s and early 1990s was that the church paid for less than people thought, since the religious-owned schools and hospitals had and have considerable State funding.



November 20, 2009

Thou shalt not steal

As we're so fond of saying, technology moves fast, and law moves slowly. What we say far less often is that law should move slowly. It is not a sign of weakness to deliberate carefully about laws that affect millions of people's lives and will stay on the books for a long, long time. It's always seemed to me that the Founding Fathers very deliberately devised the US system to slow things down - and to ensure that the further-reaching the change the more difficult it is to enact.

Cut to today's Britain. The Internet may perceive censorship as damage and route around it, but politicians seem increasingly to view due and accountable legal process as an unnecessary waste of time and try to avoid it. Preventing this is, of course, what we have constitutions for; democracy is a relatively mature technology.

Today's Digital Economy bill is loaded with provisions for enough statutory instruments to satisfy the most frustrated politician's desire to avoid all that fuss and bother of public debate and research. Where legislation requires draft bills, public consultations, and committee work, a statutory instrument can pass both houses of Parliament on the nod. For minor regulatory changes - such as, for example, the way money is paid to pensioners (1987) - limiting the process to expert discussion and a quick vote makes sense. But when it comes to allowing the Secretary of State to change something as profound and far-reaching in impact as copyright law with a minimum of public scrutiny, it's an outrageous hijack of the democratic process.

Here is the relevant quote from the bill, talking about the Copyright, Designs, and Patents Act 1988:

The Secretary of State may by order amend Part 1 or this Part for the purpose of preventing or reducing the infringement of copyright by means of the internet, if it appears to the Secretary of State appropriate to do so having regard to technological developments that have occurred or are likely to occur.

Lower down, the bill does add that:

Before making any order under this section the Secretary of State must consult such persons who the Secretary of State thinks likely to be affected by the order, or who represent any of those persons, as the Secretary of State thinks fit.

Does that say he (usually) has to consult the public? I don't think so; until very recently it was widely held that the only people affected by copyright law were creators and rights holders - these days rarely the same people even though rights holders like, for public consumption, to pretend otherwise (come contract time, it's a whole different story). We would say that everyone now has a stake in copyright law, given the enormously expanded access to the means to create and distribute all sorts of media, but it isn't at all clear that the Secretary of State would agree or what means would be available to force him to do so. What we do know is that the copyright policies being pushed in this bill come directly from the rights holders.

Stephen Timms, talking to the Guardian, attempted to defend this provision this way:

The way that this clause is formed there would be a clear requirement for full public consultation [before any change] followed by a vote in favour by both houses of Parliament.

This is, put politely, disingenuous: this government has, especially lately - see also ID cards - a terrible record of flatly ignoring what public consultations are telling them, even when the testimony submitted in response to such consultations comes from internationally recognized experts.

Timms' comments are a very bad joke to anyone who's followed the consultations on this particular bill's provisions on file-sharing and copyright, given that everyone from Gowers to Dutch economists are finding that loosening copyright restrictions has society-wide benefits, while Finland has made 1Mb broadband access a legal right and even France's courts see Internet access as a fundamental human right (especially ironic given that France was the first place three strikes actually made it into law).

In creating the Digital Economy bill, not only did this government ignore consultation testimony from everyone but rights holders, it even changed its own consultation mid-stream, bringing back such pernicious provisions as three-strikes-and-you're-disconnected even after agreeing they were gone. This government is, in fact, a perfect advertisement for the principle that laws that are enacted should be reviewed with an eye toward what their effect will be should a government hostile to its citizenry come to power.

Here is some relevant outrage from an appropriately native British lawyer specializing in Net issues, Lilian Edwards:

So clearly every time things happen fast and the law might struggle to keep up with them, in future, well we should just junk ordinary democratic safeguards before anyone notices, and bow instead to the partisan interests who pay lobbyists the most to shout the loudest?

Tell me to "go home if you don't like it here" because I wasn't born in the UK if you want to, but she's a native. And it's the natives who feel betrayed that you've got to watch out for.


October 30, 2009

Kill switch

There's an old sort-of joke that goes, "What's the best way to kill the Internet?" The number seven answer, according to Simson Garfinkel, writing for HotWired in 1997: "Buy ten backhoes." Ba-boom.

The US Senate, never folks to avoid improving a joke, came up with a new suggestion: install a kill switch. They published this little gem (as S.773) on April 1. It got a flurry of attention and was then forgotten until the last week or two. (It's interesting to look back at Garfinkel's list of 50 ways to kill the Net and notice that only two are government actions, and neither is installing a "kill switch".)

To be fair, "kill switch" is an emotive phrase for what they have in mind, which is that the president:

may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.

Now, there's a lot of wiggle room in a vague definition like "critical infrastructure system". That could be the Federal government's own servers. Or the electrical grid, the telephone network, the banking system, the water supply, or even, arguably, Google. (It has 64+ percent of US search queries, and if you can't find things the Internet might as well be dead.) But what this particular desire of the Senate's sounds most like is those confused users who think they can catch a biological virus from their computers.

Still, for the media, calling the Senate's idea a "kill switch" is attention-getting political genius. We don't call the president's power to order the planes out of the sky, as happened on 9/11, a "crash switch", but imagine the outcry against it if we did.

Technically, the idea that there's a single off switch waiting to be implemented somewhere is, of course, ridiculous.

The idea is also administrative silliness: Obama, we hope, is kind of busy. The key to retaining sanity when you're busy is to get other people to do all the things they can without your input. We would hope that the people running the various systems powering the federal government's critical infrastructure could make their own, informed decisions - faster than Obama can - about when they need to take down a compromised server.

Despite wishful thinking, John Gilmore's famous aphorism, "The Net perceives censorship as damage and routes around", doesn't really apply here. For one thing, even a senator knows - probably - that you can't literally shut down the entire Internet from a single switch sitting in the President's briefcase (presumably next to the nuclear attack button). Much of the Internet is, after all, outside the US; much of it is in private ownership. (Perhaps the Third Amendment could be invoked here?)

For another, Gilmore's comment really didn't apply to individual Internet-linked computer networks; Google's various bits of outages this year ought to prove that it's entirely possible for those to be down without affecting the network at large. No, the point was that if you try to censor the Net its people will stop you by putting up mirror servers and passing the censored information around until everyone has a copy. The British Chiropractic Association (quacklash!) and Trafigura are the latest organizations to find out what Gilmore knew in 1993. He also meant, I suppose, that the Internet protocols were designed for resilience and to keep trying by whatever alternate routes are available if data packets don't get through.

Earlier this week another old Net hand, Web inventor Tim Berners-Lee, gave some rather sage advice to the Web 2.0 conference. One key point: do not build your local laws into the global network. That principle would not, unfortunately, stop the US government from shutting off its own servers (to spite its face?), but it does nix the idea of, say, building the network infrastructure to the specification of any one particular group - the MPAA or the UK government, in defiance of the increasingly annoyed EU. In the same talk, Berners-Lee also noted (according to CNET): "I'm worried about anything large coming in to take control, whether it's large companies or government."

Threats like these were what he set up W3C to protect against. People talk with reverence of Berners-Lee's role as inventor, but many fewer understand that the really big effort is the 30 years since the aha! moment of creation, during which Berners-Lee has spent his time and energy nurturing the Web and guiding its development. Without that, it could easily have been strangled by competing interests, both corporate and government. As, of course, it still could be, depending on the outcome of the debates over network neutrality rules.

Dozens of decisions like Berners-Lee's were made in creating the Internet. They have not made it impossible to kill - I'm not sure how many backhoes you'd need now, but I bet it's still a surprisingly finite number - but they have made it a resilient and robust network. A largely democratic medium, in fact, unlike TV and radio, at least so far. The Net was born free; the battles continue over whether it should be in chains.



October 23, 2009

The power of Twitter

It was the best of mobs, it was the worst of mobs.

The last couple of weeks have really seen the British side of Twitter flex its 140-character muscles. First, there was the next chapter of the British Chiropractic Association's ongoing legal action against science writer Simon Singh. Then there was the case of Jan Moir, who wrote a more than ordinarily Daily Mailish piece for the Daily Mail about the death of Boyzone's Stephen Gately. And finally, the shocking court injunction that briefly prevented the Guardian from reporting on a Parliamentary question for the first time in British history.

I am on record as supporting Singh, and I, too, cheered when, ten days ago, Singh was granted leave to appeal Justice Eady's ruling on the meaning of Singh's use of the word "bogus". Like everyone, I was agog when the BCA's press release called Singh "malicious". I can see the point in filing complaints with the Advertising Standards Authority over chiropractors' persistent claims, unsupported by the evidence, to be able to treat childhood illnesses like colic and ear infections.

What seemed to edge closer to a witch hunt was the gleeful take-up of George Monbiot's piece attacking the "hanging judge", Justice Eady. Disagree with Eady's ruling all you want, but it isn't hard to find libel lawyers who think his ruling was correct under the law. If you don't like his ruling, your correct target is the law. Attacking the judge won't help Singh.

The same is not true of Twitter's take-up of the available clues in the Guardian's original story about the gag to identify the Parliamentary Question concerned and unmask Carter-Ruck, the lawyers who served it and their client, Trafigura. Fueled by righteous and legitimate anger at the abrogation of a thousand years of democracy, Twitterers had the PQ found and published thousands of times in practically seconds. Yeah!

Of course, this phenomenon (as I'm so fond of saying) is not new. Every online social medium, going all the way back to early text-based conferencing systems like CIX, the WELL, and, of course, Usenet, when it was the Internet's town square (the function in fact that Twitter now occupies) has been able to mount this kind of challenge. Scientology versus the Net was probably the best and earliest example; for me it was the original net.war. The story was at heart pretty simple (and the skirmishes continue, in various translations into newer media, to this day). Scientology has a bunch of super-secrets that only the initiate, who have spent many hours in expensive Scientology training, are allowed to see. Scientology's attempts to keep those secrets off the Net resulted in their being published everywhere. The dust has never completely settled.

Three people can keep a secret if two of them are dead, said Mark Twain. That was before the Internet. Scientology was the first to learn - nearly 15 years ago - that the best way to ensure the maximum publicity for something is to try to suppress it. It should not have been any surprise to the BCA, Trafigura, or Trafigura's lawyers. Had the BCA ignored Singh's article, far fewer people would know now about science's dim view of chiropractic. Trafigura might have hoped that a written PQ would get lost in the vastness that is Hansard; but they probably wouldn't have succeeded in any case.

The Jan Moir case and the demonstration outside Carter-Ruck's offices are, however, rather different. These are simply not the right targets. As David Allen Green (Jack of Kent) explains, there's no point in blaming the lawyers; show your anger to the client (Trafigura) or to Parliament.

The enraged tweets and Facebook postings about Moir's article helped send a record number of over 25,000 complaints to the Press Complaints Commission, whose Web site melted down under the strain. Yes, the piece was badly reasoned and loathsome, but isn't that what the Daily Mail lives for? Tweets and links create hits and discussion. The paper can only benefit. In fact, it's reasonable to suppose that in the Trafigura and Moir cases both the Guardian and the Daily Mail manipulated the Net perfectly to get what they wanted.

But the stupid part about let's-get-Moir is that she does not *matter*. Leave aside emotional reactions, and what you're left with is someone's opinion, however distasteful.

This concerted force would be more usefully turned to opposing the truly dangerous. See, for example, the AIDS denialism on parade by Fraser Nelson at The Spectator. The "come-get-us" tone suggests that they saw the attention New Humanist got for Caspar Melville's mistaken - and quickly corrected - endorsement of the film House of Numbers and said, "Let's get us some of that." There is no more scientific dispute about whether HIV causes AIDS than there is about climate change or evolutionary theory.

If we're going to behave like a mob, let's stick to targets that matter. Jan Moir's column isn't going to kill anybody. AIDS denialism will. So: we'll call Trafigura a win, chiropractic a half-win, and Moir a loser.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, follow on Twitter, or send email to netwars@skeptic.demon.co.uk.

August 28, 2009

Develop in haste, lose the election at leisure

Well, this is a first: returning to last week's topic because events have already overtaken it.

Last week, the UK government was conducting a consultation on how to reduce illegal file-sharing by 70 percent within a year. We didn't exactly love the proposals, but we did at least respect the absence of what's known as "three strikes" - as in, your ISP gets three complaints about your file-sharing habit and kicks you offline. The government's oh-so-English euphemism for this is "technical measures". Activists opposed to "technical measures" often call them HADOPI, after the similar French law that was passed in May (and whose three strikes portions were struck down in June); HADOPI is the digital rights agency that law created.

This week, the government - or more precisely, the Department for Business, Innovation, and Skills - suddenly changed its collective mind and issued an addendum to the consultation (PDF) that - wha-hey! - brings back three strikes. Its thinking has "developed", BIS says. Is it so cynical to presume that what has "developed" in the last couple of months is pressure from rights holders? Three strikes is a policy the entertainment industry has been shopping around from country to country like an unwanted refugee. Get it passed in one place and use that country as a lever to make all the others harmonize.

What the UK government has done here is entirely inappropriate. At the behest of one business sector, much of it headquartered outside Britain, it has hijacked its own consultation halfway through. It has issued its new-old proposals a few days before the last holiday weekend of the summer. The only justification it's offered: that its "new ideas" (they aren't new; they were considered and rejected earlier this year, in the Digital Britain report (PDF)) couldn't be implemented fast enough to meet its target of reducing illicit file-sharing by 70 percent by 2012 if they aren't included in this consultation. There's plenty of protest about the proposals, but even more about the government's violating its own rules for fair consultations.

Why does time matter? No one believes that the Labour government will survive the next election, due by 2010. The entertainment industries don't want to have to start the dance all over again, fine: but why should the rest of us care?

As for "three strikes" itself, let's try some equivalents.

Someone is caught speeding three times in the effort to get away from crimes they've committed, perhaps a robbery. That person gets points on their license and, if they're going fast enough, might be prohibited from driving for a length of time. That system is administered by on-the-road police but the punishment is determined by the courts. Separately, they are prosecuted for the robberies, and may serve jail time - again, with guilt and punishment determined by the courts.

Someone is caught three times using their home telephone to commit fraud. They would be prosecuted for the fraud, but they would not be banned from using the telephone. Again, the punishment would be determined by the courts after a prosecution requiring the police to produce corroborating evidence.

Someone is caught three times gaming their home electrical meter so that they are able to defraud the electrical company and get free electricity. (It's not so long since in parts of the UK you could achieve this fairly simply just by breaking into the electrical meter and stealing back the coins you fed it with. You would, of course, be caught at the next reading.) I'm not exactly sure what happens in these cases, but if Wikipedia is to be believed, when caught such a customer would be switched to a higher tariff.

It seems unlikely that any court would sentence such a fraudster to live without an electricity supply, especially if they shared their home, as most people do, with other family members. The same goes for the telephone example. And in the first case, such a person might be banned from driving - but not from riding in a car, even the getaway car, while someone else drove it, or from living in a house where a car was present.

Final analogy: millions of people smoke marijuana, which remains illegal. Marijuana has beneficial uses (relieving the nausea from chemotherapy, remediating glaucoma) as well as recreational ones. We prosecute the drug dealers, not the users.

So let's look again at these recycled-reused proposals. Kicking someone offline after three (or however many) complaints from rights holders:

1- Affects everyone in their household. Kids have to go to the library to do homework, spouses/parents can't work at home or socialize online. An entire household is dropped down the wrong side of the Digital Divide. As government functions such as filing taxes, providing information about public services, and accepting responses to consultations all move online, this household is now also effectively disenfranchised.

2- May in fact make both the alleged infringer and their spouse unemployable.

3- Puts this profound control over people's lives, private and public, personal and financial into the hands of ISPs, rights holders, and Ofcom, with no information about how or whether the judicial process would be involved. Not that Britain's court system really has the capacity to try the 10 percent of the population that's estimated to engage in file-sharing. (Licit, illicit, who can tell?)

All of these effects are profoundly anti-democratic. Whose government is it, anyway?



August 21, 2009

This means law

You probably aren't aware of this, but there's a consultation going on right now about what to do about illegal peer-to-peer file-sharing; send in comments by September 15. Tom Watson, the former minister for digital engagement, has made some sensible suggestions for how to respond in print and blog.

This topic has been covered pretty regularly in net.wars, but this is different and urgent: this means law.

Among the helpful background material provided with the consultation document are an impact assessment and a financial summary. The first of these explains that there were two policy options under consideration: 1) Do nothing. 2) (Preferred) legislate to reduce illegal downloading "by making it easier and cheaper for rightsholders to bring civil actions against suspected illegal file-sharers". Implementing that requires ISPs to cooperate by notifying their subscribers. There will be a code of practice (less harsh than this one, we trust) including options such as bandwidth capping and traffic shaping, which Ofcom will supervise, at least for now (there may yet be a digital rights agency).

The document is remarkably open about who it's meant to benefit - and it's not artists.

Government intervention is being proposed to address the rise in unlawful P2P file-sharing which can reduce the incentive for the creative industries to invest in the development, production and distribution of new content. Implementation of the proposed policy will allow right [sic] holders to better appropriate returns on their investment.

The included financial assessment, which in this case is the justification for the entire exercise (p 40), lays out the expected benefits: BERR expects rightsholders to pick up £1,700 million by "recovering displaced sales", at a cost to ISPs and mobile network operators of £250 to £500 million over ten years. Net benefit: £1.2 billion. Wha-hey!

My favorite justification for all this is the note that because there are an estimated 6.5 million file-sharers in the UK there are *too many* of us to take us all to court, rightsholders' preferred deterrence method up until now. Rightsholders have marketing experts working for them; shouldn't they be getting some message from these numbers?

There are some things that are legitimately classed as piracy and that definitely cost sales. Printing and selling counterfeit CDs and DVDs is one such. Another is posting unreleased material online without the artist's or rightsholder's permission; that is pre-empting their product launch, and whether you wind up having done them a favor or not, there's no question that it's simply wrong. The answer to the first of these is to shut down pirate pressing operations; the answer to the second is to get the industry to police its own personnel and raise the penalties for insider leaks. Neither can be solved by harassing file-sharers.

It's highly questionable whether file-sharing costs sales; the experience of most of us who have put our work online for free is that sales increase. However, there is no doubt in my mind that there are industries file-sharing hurts. Two good examples in film are the movie rental business and the pay TV broadcasters, especially the premium TV movie channels.

As against that, however, the consultation notes but dismisses the cost to consumers: it estimates that ISPs' costs, when passed on to consumers, will reduce the demand for broadband by 10,000 to 40,000 subscribers, representing lost revenue to ISPs of between £2 and £9 million a year (p50). The consultation goes on to note that some consumers will cease consuming content altogether and that therefore the policy will exacerbate existing inequality since those on the lowest incomes will likely lose the most.

It is not possible to estimate such welfare loss with current data availability, but estimates for the US show that this welfare loss could be twice as large as the benefit derived from reducing the displacement effect to industry revenues.

Shouldn't this be incorporated into the financial analysis?

We must pause to admire the way the questions are phrased. Sir Bonar would be proud: ask if your proposals are implementing what you want to do in the right way. In other words, ask if three is the right number of warning letters to send infringers before taking stronger action (question 9), or whether it's a good idea to leave exactly how costs are to be shared between rightsholders and ISPs flexible rather than specifying (question 6). The question I'd ask, which has not figured in any of the consultations I've seen, would be: is this the best way to help artists navigate the new business models of the digital age?

Like Watson, my answer would be no.

Worse, the figures do not take into account the cost to the public, analyzed last year in the Netherlands.

And the assumptions seem wrong. The consultation document claims that research shows that approximately 70 percent of infringers stop when they receive a warning letter, at least in the short term. But do they actually stop? Or do they move their file-sharing to different technologies? Does it just become invisible to their ISP?

So far, file-sharers have responded to threats by developing new technologies better at obfuscating users' activities. Napster...Gnutella...eDonkey...BitTorrent. Next: encrypted traffic that looks just like a VPN connection.

I remain convinced that if the industry really wants to deter file-sharing it should spend its time and effort on creating legal, reliable alternatives. Nothing less will save it. Oh, yeah, and it would be a really good idea for them to be nice to artists, too. Without artists, rightsholders are nothing.


August 14, 2009

We love the NHS

All wars have unexpected casualties; in the US, the rhetorical war on anything that smacks of nationalized health insurance briefly took out Stephen Hawking's citizenship. It is, as Bugs Bunny said, to laugh:

People such as scientist Stephen Hawking wouldn't have a chance in the U.K. where the National Health Service would say the quality of life of this brilliant man, because of his physical handicaps, is essentially worthless.

Language Log's Geoffrey K. Pullum surmised that the problem is that Hawking's speech synthesizer doesn't sound British. (Pullum may not be aware that American film critic Roger Ebert's voice synthesizer does have a British accent, one so fluidly and emolliently English that Ebert and his wife refer to the synthesizer as "Sir Larry". Maybe Ebert and Hawking should swap.)

IBD has admitted the error, and slightly recast its original point, claiming now that Hawking's fame means the NHS treats him differently, and look, see, his own Web site says he has 24-hour care paid for by foundations. We were right all along: the NHS is bad! Three points. First: Hawking was diagnosed with ALS when he was 21, and had many years of care before he became famous. Second: rich, famous people get the best of every health system ever invented. See also the Royal Family. Third: what does IBD imagine Hawking's situation would be were he American?

Hawking was a bystander. The real ire, astoundingly, has been saved for, of all things, the British National Health Service, surely the least likely organization to be tasked with providing health care for Americans. Why is an economic model for providing health care being evaluated as if it were about issuing axes to doctors with orders to use them on anyone over 80?

The rhetoric - one hesitates to call it a debate - over Obama's health care plan reminds me of the 1985 campaign against legalizing divorce in the Republic of Ireland ("Divorce hurts women and children. Vote NO.")

So some US opponents of national health insurance claim Obama wants to bring in death panels, and that the quality of health care will plummet. Whereas, the reality is that even if you dispute the 47 million figure, increasing millions of Americans have no health insurance, that the majority of American bankruptcies are due to medical bills, and that more than half of those had health insurance. The reality is also that the ongoing replacement of full-time jobs with benefits with part-time jobs and "permatemps" means that increasing numbers of what used to be the middle class will not be covered at all. Improve the detail of Obama's plan, by all means. But does anyone seriously think the problem has not grown since Hillary Rodham Clinton's plan failed? Does anyone think that fighting over things that aren't in the plan will help matters?

For people to react this viscerally to insurance proposals says there's more going on than rational opposition (and even more rational lobbying by insurance and pharmaceutical companies spouting the evils of "socialism"). This reaction is, I believe, American Dream interruptus. It is the worst side of the pioneer spirit: the US is the land of opportunity; anyone can have access to superb treatment if they work hard enough. You make your own life, you "take care of yourself", government interference will only steal from you. You can see echoes of this in Esther Dyson's "Health 2.0" piece for the FT this week, in which she seems to suggest that better information will revolutionize health care. net.wars covered the self-quantifying movement in October 2008, and better monitoring may well help many people, but it will not solve the question of how to pay for MRIs, cancer drugs, or Alzheimer's care.

Americans who genuinely believe the NHS is a bad thing are, I think, making the same mistake I made in the 1970s: they read the complaints about waiting lists, geographically uneven care, and rationed treatments, and think it must be bad. Whereas the reality is that British people complain about the post yet expect letters to arrive within 24 hours, the public transport yet juggle multiple routes across London in their heads, and the weather, which by any reasonable standard is mild, even friendly.

I have learned better.

Among all the thousands of people I have met in the UK, not one has ever said they would scrap the NHS. None has ever suggested the UK would be better off with a US-style health insurance market. To be sure, some have supplemental private insurance. But everyone agrees: for catastrophic health care you can't beat the NHS. Friends of sick US friends raise funds so they don't have to choose between drugs and food; sick UK friends do not spend their limited energy fighting through insurance company paperwork and begging insurance companies for treatment. People do not go bankrupt in the UK because of medical bills. Many of my American friends now envy me my access to the NHS - for which I pay in taxes.

The NHS may be the most democratic institution ever created: it is a rational way to share an expensive resource as well as a social compact. Because sooner or later, no matter how hard you work and how pure a lifestyle you lead, health problems will come for you, too.

Yes, we love the NHS. Millions of us.


July 24, 2009

Security for the rest of us


Many governments, faced with the question of how to improve national security, would do the obvious thing: round up the usual suspects. These would be, of course, the experts - that is, the security services and law enforcement. This exercise would be a lot like asking the record companies and film studios to advise on how to improve copyright: what you'd get is more of the same.

This is why it was so interesting to discover that the US National Academies of Science was convening a workshop to consult on what research topics to consider funding, and began by appointing a committee that included privacy advocates and usability experts, folks like Microsoft researcher Butler Lampson, Susan Landau, co-author of books on privacy and wiretapping, and Donald Norman, author of the classic book The Design of Everyday Things. Choosing these people suggests that we might be approaching a watershed like that of the late 1990s, when the UK and the US governments were both forced to understand that encryption was not just for the military any more. The peace-time uses of cryptography to secure Internet transactions and protect mobile phone calls from casual eavesdropping are much broader than crypto's war-time use to secure military communications.

Similarly, security is now everyone's problem, both individually and collectively. The vulnerability of each individual computer is a negative network externality, as NYU economist Nicholas Economides pointed out. But, as many asked, how do you get people to understand remote risks? How do you make the case for added inconvenience? Each company we deal with makes the assumption that we can afford the time to "just click to unsubscribe" or remember one password, without really understanding the growing aggregate burden on us. Norman commented that door locks are a trade-off, too: we accept a little bit of inconvenience in return for improved security. But locks don't scale; they're acceptable as long as we only have to manage a small number of them.

In his 2006 book, Revolutionary Wealth, Alvin Toffler comments that most of us, without realizing it, have a hidden third, increasingly onerous job, "prosumer". Companies, he explained, are increasingly saving money by having us do their work for them. We retrieve and print out our own bills, burn our own CDs, provide unpaid technical support for ourselves and our families. One of Lorrie Cranor's students did the math to calculate the cost in lost time and opportunities if everyone in the US read annually the privacy policy of each Web site they visited once a month. Most of these things require college-level reading skills; figure 244 hours per year per person, $3,544 each...$781 billion nationally. Weren't computers supposed to free us of that kind of drudgery? As everything moves online, aren't we looking at a full-time job just managing our personal security?

That, in fact, is one characteristic that many implementations of security share with welfare offices - and that is becoming pervasive: an utter lack of respect for the least renewable resource, people's time. There's a simple reason for that: the users of most security systems are deemed to be the people who impose it, not the people - us - who have to run the gamut.

There might be a useful comparison to information overload, a topic we used to see a lot about ten years back. When I wrote about that for ComputerActive in 1999, I discovered that everyone I knew had a particular strategy for coping with "technostress" (the editor's term). One dealt with it by never seeking out information and never phoning anyone. His sister refused to have an answering machine. One simply went to bed every day at 9pm to escape. Some refused to use mobile phones, others to have computers at home.

But back then, you could make that choice. How much longer will we be able to draw boundaries around ourselves by, for example, refusing to use online banking, file tax returns online, or participate in social networks? How much security will we be able to opt out of in future? How much do security issues add to technostress?

We've been wandering in this particular wilderness a long time. Angela Sasse, whose 1999 paper Users Are Not the Enemy talked about the problems with passwords at British Telecom, said frankly, "I'm very frustrated, because I feel nothing has changed. Users still feel security is just an obstacle there to annoy them."

In practice, the workshop was like the TV game Jeopardy: the point was to generate research questions that will go into a report, which will be reviewed and redrafted before its eventual release. Hopefully, eventually, it will all lead to a series of requests for proposals and some really good research. It is a glimmer of hope.

Unless, that is, the gloominess of the beginning presentations wins out. If you listened to Lampson, Cranor, and to Economides, you got the distinct impression that the best thing that could happen for security is that we rip out the Internet (built to be open, not secure), trash all the computers (all of whose operating systems were designed in the pre-Internet era), and start over from scratch. Or, like the old joke about the driver who's lost and asking for directions, "Well, I wouldn't start from here".

So, here's my question: how can we make security scale so that the burden stays manageable?


July 10, 2009

The public interest

It's not new for journalists to behave badly. Go back to 1930s plays-turned-movies like The Front Page (1931) or Mr Smith Goes to Washington (1939), and you'll find behavior (thankfully, fictional) as bad as this week's Guardian story that the News of the World paid out £1 million to settle legal cases that would have revealed that its staff journalists were in the habit of hiring private investigators to hack into people's phone records and voice mailboxes.

The story's roots go back to 2006, when the paper's Royal editor, Clive Goodman, was jailed for illegally intercepting phone calls. The paper's then editor, Andy Coulson, resigned and the Press Complaints Commission concluded the paper's executives did not know what Goodman was doing. Five months later, Coulson became the chief of communications for the Tory party.

There are so many cultural failures here that you almost don't know where to start counting. The first and most obvious is the failure of a newsroom to obey the dictates of common sense, decency, and the law. That particular failure is the one garnering the most criticism, and yet it seems to me the least surprising, especially for one of Britain's most notorious tabloids. Journalists have competed for stories big enough to sell papers since the newspaper business was founded; the biggest rewards generally go to the ones who expose the stories their subjects least wanted exposed. It's pretty sad if any newspaper's journalists think the public interest argument is as strong for listening to Gwyneth Paltrow's voice mail as it was to exposing MPs' expenses, but that leads to the second failure: celebrity culture.

This one is more general: none of this would happen if people didn't flock to buy stories about intimate celebrity details. And newspapers are desperate for sales.

The third failure is specific to politicians: under the rubric of "giving people a second chance" Tory leader David Cameron continues to defend Coulson, who continues to claim he didn't know what was going on. Either Coulson did know, in which case he was condoning it, or he didn't, in which case he had only the shakiest grasp of his newsroom. The latter is the same kind of failure that at other papers and magazines has bred journalistic fraud: surely any editor now ought to be paying attention to sourcing. Either way, Coulson does not come off well and neither does Cameron. It would be more tolerable if Cameron would simply say outright that he doesn't care whether Coulson is honorable or not because he's effective at the job Cameron is paying him for.

The fourth failure is of course the police, the Press Complaints Commission, and the Information Commissioner, all of whom seem to have given up rather easily in 2007.

The final failure is also general: the problem that more and more intimate information about each of us is held in databases whose owners may have incentives (legal, regulatory, commercial) for keeping them secured but which are of necessity accessible by minions whose risks and rewards are different. The weakest link in security is always the human factor, and the problem of insiders who can be bribed or conned into giving up confidential information they shouldn't is as old as the hills, whether it's a telephone company employee, a hotel chambermaid, or a former Royal nanny. Seemingly we have learned little or nothing since Kevin Mitnick pioneered the term "social engineering" some 20 years ago or since Squidgygate, when various Royals' private phone conversations were published. At least some ire should be directed at the phone companies involved, whose staff apparently find it easy to refuse to help legitimate account holders by citing the Data Protection Act but difficult to resist illegitimate blandishments.

This problem is exacerbated by what University College of London security researcher Angela Sasse calls "security fatigue". Gaining access to targets' voice mail was probably easier than you think if you figure that many people never change the default PIN on their phones. Either your private investigator turned phone hacker tries the default PIN or, as Sophos senior fellow Graham Cluley suggests, convinces the phone company to reset the PIN to the default. Yes, it's stupid not to change the default password on your phone. But with so many passwords and PINs to manage and only so much tolerance for dealing with security, it's an easy oversight. Sasse's paper (PDF) fleshing out this idea proposes that companies should think in terms of a "compliance budget" for employees. But this will be difficult to apply to consumers, since no one company we interact with will know the size of the compliance burden each of us is carrying.

Get the Press Complaints Commission to do its job properly by all means. And stop defending the guy who was in charge of the newsroom while all this snooping was going on. Change a culture that thinks that "the public interest" somehow expands to include illegal snooping just because someone is famous.

But bear in mind that, as Privacy International has warned all along, this kind of thing is going to become endemic as Britain's surveillance state continues to develop. The more our personal information is concentrated into large targets guarded by low-paid staff, the more openings there will be for those trying to perpetrate identity fraud or blackmail, snoop on commercial competitors, sell stories about celebrities and politicians, and pry into the lives of political activists.


July 3, 2009

What's in an assigned name?

There's a lot I didn't know at the time about the founding of the Internet Corporation for Assigned Names and Numbers, but I do remember the spat that preceded it. Until 1998, the systems for assigning domain names (DNS) and assigning Internet numbers (IANA) were both managed by one guy, Jon Postel, who by all accounts and records was a thoughtful and careful steward and an important contributor to much of the engineering that underpins the Internet even now. Even before he died in October 1998, however, plans were underway to create a successor organization to take over the names and numbers functions.

The first proposal was to turn these bits of management over to the International Telecommunications Union, and a memorandum of understanding was drawn up that many, especially within the ITU, assumed would pass unquestioned. Instead, there was much resentment and many complaints that important stakeholders (consumers, most notably) had been excluded. Eventually, ICANN was created under the auspices of the US Department of Commerce, intended to become independent once it had fulfilled certain criteria. We're still waiting.

As you might expect, the US under Bush II wasn't all that interested in handing off control. The US government had some support in this, in part because many in the US seem to have difficulty accepting that the Internet was not actually built by the US alone. So alongside the US government's normal resistance to relinquishing control was an endemic sense that it would be "giving away" something the US had created.

All that aside, the biggest point of contention was not ICANN's connection to the US government, as desirable as that might be to those outside the US. Nor was it the assignment of numbers, which, since numbers are the way the computers find each other, is actually arguably the most important bit of the whole thing. It wasn't even, or at least not completely, the money (PDF), as staggering as it is that ICANN expects to rake in $61 million in revenue this year as its cut of domain name registrations. No, of course it was the names that are meaningful to people: who should be allowed to have what?

All this background is important because on September 30 the joint project agreement with DoC under which ICANN operates expires, and all these debates are being revisited. Surprisingly little has changed in the arguments about ICANN since 1998. Michael Froomkin argued in 2000 (PDF) that ICANN bypassed democratic control and accountability. Many critics have argued in the intervening years that ICANN needs to be reined in: its mission kept to a narrow focus on the DNS, and its structure designed to be transparent and accountable, and kept free of not only US government interference but that of other governments as well.

Last month, the Center for Democracy and Technology published its comments to that effect. Last year, and in 2006, former elected ICANN board member Karl Auerbach argued similarly, with much more discussion of ICANN's finances, which he regards as a "tax". Perhaps even more than might have been obvious then: ICANN's new public dashboard has revealed that the company lost $4.6 million on the stock market last year, an amount reporter John Levine equates to the 20-cent fee from 23 million domain name registrations. As Levine asks, if they could afford to lose that amount then they didn't need the money - so why did they collect it from us? There seems to be no doubt that ICANN can keep growing in size and revenues by creating more top-level domains, especially as it expands into long-mooted non-ASCII names (iDNs).

Arguing about money aside, the fact is that we have not progressed much, if at all, since 1998. We are asking the same questions and having the same arguments. What is the DNS for? Should it be a directory, a handy set of mnemonics, a set of labels, a zoning mechanism, or a free-for-all? Do languages matter? Early discussions included the notion that there would be thousands, even tens of thousands of global top-level domains. Why shouldn't Microsoft, Google, or the Electronic Frontier Foundation operate their own registries? Is managing the core of the Internet an engineering, legal, or regulatory problem? And, latterly, given the success and central role of search engines, do we need DNS at all? Personally, I lean toward the view that the DNS has become less important than it was, as many services (Twitter, instant messaging, VOIP) do not require it. Even the Web needs it less than it did. But if what really matters about the DNS is giving people names they can remember, then from the user point of view it matters little how many top-level domains there are. The domain info.microsoft is no less memorable than microsoft.info or microsoft.com.

What matters is that the Internet continues to function and that anyone can reach any part of it. The unfortunate thing is that none of these discussions have solved the problems we really have. Four years after the secured version of DNS (DNSSEC) was developed to counteract security threats such as DNS cache poisoning that had been mooted for many more years than that, it's still barely deployed.

March 13, 2009

Threat model

It's not about Phorm, it's about snooping. At Wednesday morning's Parliamentary roundtable, "The Internet Threat", the four unhappy representatives I counted from Phorm had a hard time with this. Weren't we there to trash them and not let them reply? What do you mean the conversation isn't all about them?

We were in a committee room many medieval steps up inside the House of Lords. The gathering was convened by Baroness Miller of Chilthorne Domer with the idea of helping Parliamentarians understand the issues raised not only by Phorm but also by the Interception Modernisation Programme, Google, Microsoft, and in fact any outfit that wants to collect huge amounts of our data for purposes that won't be entirely clear until later.

Most of the coverage of this event has focused on the comments of Sir Tim Berners-Lee, the indefatigable creator of the 20-year-old Web (not the Internet, folks!), who said categorically, "I came here to defend the integrity of the Internet as a medium." Using the Internet, he said, "is a fundamental human act, like the act of writing. You have to be able to do it without interference and/or snooping." People use the Internet when they're in crisis; even just a list of URLs you've visited is very revealing of sensitive information.

Other distinguished speakers included Professor Wendy Hall, Nicholas Bohm representing the Foundation for Information Policy Research, the Cambridge security research group's Richard Clayton, the Open Rights Group's new executive director, Jim Killock, and the vastly experienced networking and protocol consultant Robb Topolski.

The key moment, for me, was when one of the MPs the event was intended to educate asked this: "Why now?" Why, in other words, is deep packet inspection suddenly a problem?

The quick answer, as Topolski and Clayton explained, is "Moore's Law." It was not, until a couple-three years ago, possible to make a computer fast enough to sit in the middle of an Internet connection and not only sniff the packets but examine their contents before passing them on. Now it is. Plus, said Clayton, "Storage."

But for Kent Ertugrul, Phorm's managing director, it was all about Phorm. The company had tried to get on the panel and been rejected. His company's technology was being misrepresented. Its system makes it impossible for browsing habits to be tracked back to people. Tim Berners-Lee, of all people, if he understood their system, would appreciate the elegance of what they've actually done.

Berners-Lee was calm, but firm. "I have not at all criticized behavioral advertising," he pointed out. "What I'm saying is a mistake is snooping on the Internet."

Right on.

The Internet, Berners-Lee and Topolski explained, was built according to the single concept that all the processing happens at the ends, and that the middle is just a carrier medium. That design decision has had a number of consequences, most of them good. For example, it's why someone can create the new application of the week and deploy it without getting permission. It's why VOIP traffic flows across the lines of the telephone companies whose revenues it's eating. It is what network neutrality is all about.

Susan Kramer, saying she was "the most untechie person" (and who happens to be my MP), asked if anyone could provide some idea of what lawmakers can actually do. The public, she said, is "frightened about the ability to lose privacy through these mechanisms they don't understand".

Bohm offered the analogy of water fluoridation: it's controversial because we don't expect water flowing into our house to have been tampered with. In any event, he suggested that if the law needs to be made clearer it is in the area of laying down the purposes for which filtering, management, and interference can be done. It should, he said, be "strictly limited to what amounts to matters of the electronic equivalent of public health, and nothing else."

Fluoridation of water is a good analogy for another reason: authorities are transparent about it. You can, if you take the trouble, find out what is in your local water supply. But one of the difficulties about a black-box-in-the-middle is that even if we think we know what it does today - because we trust, say, Richard Clayton's report on how Phorm works (PDF) - there's no guarantee of how the system will change in the future. Just as, although today's government may have only good intentions in installing a black box in every ISP that collects all traffic data, the government of ten years hence may use the system in entirely different ways for which today's trusting administration never planned. Which is why it's not about Phorm and isn't even about behavioural advertising; Phorm was only a single messenger in a bigger problem.

So the point is this: do we want black boxes whose settings we don't know and whose workings we don't understand sitting at the heart of our ISPs' networks examining our traffic? This was the threat Baroness Miller had in mind - a threat *to* the Internet, not the threat *of* the Internet beloved of the more scaremongering members of the press. Answers on a postcard...


February 6, 2009

Forty-five years

This week the EU's legal affairs committee, JURI, may vote - again - on term extension in sound recordings. As of today, copyright is still listed on the agenda.

Opposing term extension was a lot simpler at the national level in the UK; the path from proposal to legislation is well-known, well trodden, and well-watched by the national media. At the EU level, JURI is only one of four committees involved in proposing and amending term extension on behalf of the European Parliament - and then even after the Parliament votes it's the Commission who makes the final decision. The whole thing drags on for something close to forever, which pretty much guarantees that only the most obsessed stay in touch through the whole process. If you had designed a system to ensure apathy except among lobbyists who like good food, you'd have done exactly this.

There are many reasons to oppose term extension, most of which we've covered before. Unfortunately, these seem invisible to some politicians. As William Patry blogs, the harm done by term extension is diffuse and hard to quantify while easily calculable benefits accrue to a small but wealthy and vocal set of players.

What's noticeable is how many independent economic reviews agree with what NGOs like the Electronic Frontier Foundation and the Open Rights Group have said all along.

According to a joint report from several European intellectual property law centers (PDF), the Commission itself estimates that 45 extra years of copyright protection will hand the European music industry between €44 million and €843 million - uncertain by a factor of 20! The same report also notes that term extension will not net performers additional broadcast revenue; rather, the same pot will be spread among a larger pool of musicians, benefiting older musicians at the expense of young incomers. The report also notes that performers don't lose control over their music when the term of copyright ends; they lose it when they sign recording contracts (so true).

Other reports are even less favorable. In 2005, for example, the Dutch Institute for Information Law concluded that copyright in sound recordings has more in common with design rights and patents than with other areas of copyright, and it would be more consistent to reduce the term rather than extend it. More recently, an open letter from Bournemouth University's Centre for Intellectual Property Policy Management questioned exactly where those estimated revenues were going to come from, and pointed out the absurdity of the claim that extension would help performers.

And therein is the nub. Estimates are that the average session musician will benefit from term extension in the amount of €4 to €58 (there's that guess-the-number-within-a-factor-of-20 trick again). JURI's draft opinion puts the number of affected musicians at 7,000 per large EU member state, less in the rest. Call it 7,000 in all 27 and give each musician €20; that's €3.78 million, hardly enough for a banker's bonus. We could easily hand that out in cash, if handouts to aging performers are the purpose of the exercise.

Benefiting performers is a lobbyists' red herring that cynically plays on our affection for our favorite music and musicians; what term extension will do, as the Bournemouth letter points out, is benefit recording companies. Of that wackily wide range of estimated revenues in the last paragraph, 90 percent, or between €39 million and €758 million, will go to record producers, even according to the EU's own impact assessment (PDF), based on a study carried out by PricewaterhouseCoopers.

If you want to help musicians, the first and most important thing you should do is improve the industry's standard contracts and employment practices. We protect workers in other industries from exploitation; why should we make an exception for musicians? No one is saying - not even Courtney Love - that musicians deserve charity. But we could reform UK bankruptcy law so that companies acquiring defunct labels are required to shoulder ongoing royalty payment obligations as well as the exploitable assets of the back catalogue. We could put limits on what kind of clauses a recording company is allowed to impose on first-time recording artists. We could set minimums for what is owed to session musicians. And we could require the return of rights to the performers in the event of a recording's going out of print. Any or all of those things would make far more difference to the average musician's lifetime income than an extra 45 years of copyright.

Current proposals seem to focus on this last idea as a "use it or lose it" clause that somehow makes the rest of term extension all right. Don Foster, the conservative MP who is shadow minister for the Department of Culture, Media, and Sport, for example, has argued for it repeatedly. But by itself it's not enough of a concession to balance the effect of term extension and the freezing of the public domain.

If you want to try to stop term extension, this is a key moment. Lobby your MEP and the members of the relevant committees. Remind them of the evidence. And remind them that it's not just the record companies and the world's musicians who have an interest in copyright; it's the rest of us, too.

January 2, 2009

No rest for 2009

It's been a quiet week, as you'd expect. But 2009 is likely to be a big year in terms of digital rights.

Both the US and the UK are looking to track non-citizens more closely. The UK has begun issuing foreigners with biometric ID cards. The US, which began collecting fingerprints from visiting tourists two years ago, says it wants to do the same with green card holders. In other words, you can live in the US for decades, you can pay taxes, you can contribute to the US economy - but you're still not really one of us when you come home.

The ACLU's Barry Steinhardt has pointed out, however, that the original US-VISIT system actually isn't finished: there's supposed to be an exit portion that has yet to be built. The biometric system is therefore like a Roach Motel: people check in but they never leave.

That segues perfectly into the expansion of No2ID's "database state". The UK is proceeding with its plan for a giant shed to store all UK telecommunications traffic data. Building the data shed is a lot like saying we're having trouble finding a few needles in a bunch of haystacks so the answer is to build a lot bigger haystack.

Children in the UK can also look forward to ContactPoint (budget £22.4 million) going live at the end of January, only the first of several. The conservatives apparently have pledged to scrap ContactPoint in favor of a less expensive system that would track only children deemed to be at risk. If the conservatives don't get their chance to scrap it - probably even if they do - the current generation may be the last that doesn't get to grow up taking for granted that their every move is being tracked. Get 'em young, as the Catholic church used to say, and they're yours for life.

The other half of that is, of course, the National Identity Register. Little has been heard of the ID card in recent months, although the Home Office says 1,000 people have actually requested one. Since these have begun rolling out to foreigners, it's probably best to keep an eye on them.

On January 19, look for the EU to vote on copyright term extension in sound recordings. They have now: 50 years. They want: 95 years. The problem: all the independent reviewers agree it's a bad idea economically. Why does this proposal keep dogging us? Especially given that even the UK government accepts that recording contracts mean that little of the royalties will go to the musicians the law is supposedly trying to help, why is the European Parliament even considering it? Write your MEP. Meanwhile, the economic downturn reaches Cliff Richard; his earliest recordings begin entering the public domain...oh, look - yesterday, January 1, 2009.

Those interested in defending file-sharing technology, the public domain, or any other public interest in intellectual property will find themselves on the receiving end of a pack of new laws and initiatives out to get them.

The RIAA recently announced it would cease suing its customers in the US. It plans to "work with ISPs". Anyone who's been around the UK and France in recent months should smell the three-strikes policy that the Open Rights Group has been fighting against. ORG's going to find it a tougher battle, now that the government is considering a stick and carrot approach: make ISPs liable for their users' copyright infringement, but give them a slice of the action for legal downloads. One has to hope that even the most cash-strapped ISPs have more sense.

Last year's scare over the US's bald statement that customs authorities have the right to search and impound computers and other electronic equipment carried by travellers across the national borders will probably be followed up with lengthy protest over new rules known as the Anti-Counterfeiting Trade Agreement and being negotiated by the US, EU, Japan, and other countries. We don't know as much as we'd like about what the proposals actually are, though some information escaped last June. Negotiations are expected to continue in 2009.

The EU has said that it has no plans to search individual travellers, which is a relief; in fact, in most cases it would be impossible for a border guard to tell whether files on a computer were copyright violations. Nonetheless, it seems likely that this and other laws will make criminals of most of us; almost everyone who owns an MP3 player has music on it that technically infringes the copyright laws (particularly in the UK, where there is as yet no exemption for personal copying).

Meanwhile, Australia's new $44 million "great firewall" is going ahead despite known flaws in the technology. Nearer home, British Culture Secretary Andy Burnham would like to rate the Web, lest it frighten the children.

It's going to be a long year. But on the bright side, if you want to make some suggestions for the incoming Obama administration, head over to Change.org and add your voice to those assembling under "technology policy".

Happy new year!

December 5, 2008

Saving seeds

The 17 judges of the European Court of Human Rights ruled unanimously yesterday that the UK's DNA database, which contains more than 3 million DNA samples, violates Article 8 of the European Convention on Human Rights. The key factor: retaining, indefinitely, the DNA samples of people who have committed no crime.

It's not a complete win for objectors to the database, since the ruling doesn't say the database shouldn't exist, merely that DNA samples should be removed once their owners have been acquitted in court or the charges have been dropped. England, the court said, should copy Scotland, which operates such a policy.

The UK comes in for particular censure, in the form of the note that "any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance..." In other words, before you decide to be the first on your block to use a new technology and show the rest of the world how it's done, you should think about the consequences.

Because it's true: this is the kind of technology that makes surveillance and control-happy governments the envy of other governments. For example: lacking clues to lead them to a serial killer, the Los Angeles Police Department wants to copy Britain and use California's DNA database to search for genetic profiles similar enough to belong to a close relative. The French DNA database, FNAEG, was proposed in 1996, created in 1998 for sex offenders, implemented in 2001, and broadened to other criminal offenses after 9/11 and again in 2003: a perfect example of function creep. But the French DNA database is a fiftieth the size of the UK's, and Austria's, the next on the list, is even smaller.

There are some wonderful statistics about the UK database. DNA samples from more than 4 million people are included on it. Probably 850,000 of them are innocent of any crime. Some 40,000 are children between the ages of 10 and 17. The government (according to the Telegraph) has spent £182 million on it between April 1995 and March 2004. And there have been suggestions that it's too small. When privacy and human rights campaigners pointed out that people of color are disproportionately represented in the database, one of England's most experienced appeals court judges, Lord Justice Sedley, argued that every UK resident and visitor should be included on it. Yes, that's definitely the way to bring the tourists in: demand a DNA sample. Just look how they're flocking to the US to give fingerprints, and how many more flooded in when they upped the number to ten earlier this year. (And how little we're getting for it: in the first two years of the program, fingerprinting 44 million visitors netted 1,000 people with criminal or immigration violations.)

At last week's A Fine Balance conference on privacy-enhancing technologies, there was a lot of discussion of the key technique of data minimization. That is the principle that you should not collect or share more data than is actually needed to do the job. Someone checking whether you have the right to drive, for example, doesn't need to know who you are or where you live; someone checking you have the right to borrow books from the local library needs to know where you live and who you are but not your age or your health records; someone checking you're the right age to enter a bar doesn't need to care if your driver's license has expired.

This is an idea that's been around a long time - I think I heard my first presentation on it in about 1994 - but whose progress towards a usable product has been agonizingly slow. IBM's PRIME project, which Jan Camenisch presented, and Microsoft's purchase of Credentica (which wasn't shown at the conference) suggest that the mainstream technology products may finally be getting there. If only we can convince politicians that these principles are a necessary adjunct to storing all the data they're collecting.

What makes the DNA database more than just a high-tech fingerprint database is that over time the DNA stored in it will become increasingly revealing of intimate secrets. As Ray Kurzweil kept saying at the Singularity Summit, Moore's Law is hitting DNA sequencing right now; the cost is accordingly plummeting by factors of ten. When the database was set up, it was fair to characterize DNA as a high-tech version of fingerprints or iris scans. Five - or 15, or 25, we can't be sure - years from now, we will have learned far more about interpreting genetic sequences. The coded, unreadable messages we're storing now will be cleartext one day, and anyone allowed to consult the database will be privy to far more intimate information about our bodies, ourselves than we think we're giving them now.

Unfortunately, the people in charge of these things typically think it's not going to affect them. If the "little people" have no privacy, well, so what? It's only when the powers they've granted are turned on them that they begin to get it. If a conservative is a liberal who's been mugged, and a liberal is a conservative whose daughter has needed an abortion, and a civil liberties advocate is a politician who's been arrested...maybe we need to arrest more of them.

June 27, 2008

Mistakes were made

This week, with the release of the Poynter Review (PDF), we got the detail on what went wrong at Her Majesty's Revenue and Customs that led to the loss of those two CDs full of the personal details of 25 million British households last year. We also got a hint of how and whether the future might be different with the publication yesterday of Data Handling: Procedures in Government (PDF), written by Sir Gus O'Donnell and commissioned by the Prime Minister after the HMRC loss. The most obvious message of both reports: government needs to secure data better.

The nicest thing the Poynter review said was that HMRC has already made changes in response to its criticisms. Otherwise, it was pretty much a surgical demonstration of "institutional deficiencies".

The chief points:


- Security was not HMRC's top priority.

- HMRC in fact had the technical ability to send only the selection of data that NAO actually needed, but the staff involved didn't know it.

- There was no designated single point of contact between HMRC and NAO.

- HMRC used insecure methods for data storage and transfer.

- The decision to send the CDs to the NAO was taken by junior staff without consulting senior managers - which under HMRC's own rules they should have done.

- The reason HMRC's junior staff did not consult managers was that they believed (wrongly) that NAO had absolute authority to access any and all information HMRC had.

- The HMRC staffer who dispatched the discs incorrectly believed the TNT Post service was secure and traceable, as required by HMRC policy. A different TNT service that met those requirements was in fact available.

- HMRC policies regarding information security and the release of data were not communicated sufficiently through the organization and were not sufficiently detailed.

- HMRC failed on accountability, governance, information security...you name it.

The real problem, though, isn't any single one of these things. If junior staff had consulted senior staff, it might not have mattered that they didn't know what the policies were. If HMRC used proper information security and secure methods for data storage (that is, encryption rather than simple password protection), they wouldn't have had access to send the discs. If they'd understood TNT's services correctly, the discs wouldn't have gotten lost - or at least been traceable if they had.

The real problem was the interlocking effect of all these factors. That, as Nassim Nicholas Taleb might say, was the black swan.

For those who haven't read Taleb's The Black Swan: The Impact of the Highly Improbable, the black swan stands for the event that is completely unpredictable - because, like black swans until one was spotted in Australia, no such thing has ever been seen - until it happens. Of course, data loss is pretty much a white swan; we've seen lots of data breaches. The black swan, really, is the perfectly secure system that is still sufficiently open for the people who need to use it.

That challenge is what O'Donnell's report on data handling is about and, as he notes, it's going to get harder rather than easier. He recommends a complete rearrangement of how departments manage information as well as improving the systems within individual departments. He also recommends greater openness about how the government secures data.

"No organisation can guarantee it will never lose data," he writes, "and the Government is no exception." O'Donnell goes on to consider how data should be protected and managed, not whether it should be collected or shared in the first place. That job is being left for yet another report in progress, due soon.

It's good to read that some good is coming out of the HMRC data loss: all departments are, according to the O'Donnell report, reviewing their data practices and beginning the process of cultural change. That can only be a good thing.

But the underlying problem is outside the scope of these reports, and it's this government's fondness for creating giant databases: the National Identity Register, ContactPoint, the DNA database, and so on. If the government really accepted the principle that it is impossible to guarantee complete data security, what would they do? Logically, they ought to start by cancelling the data behemoths on the understanding that it's a bad idea to base public policy on the idea that you can will a black swan into existence.

It would make more sense to create a design for government use of data that assumes there will be data breaches and attempts to limit the adverse consequences for the individuals whose data is lost. If my privacy is compromised alongside 50 million other people's and I am the victim of identity theft, does it help me that the government department that lost the data knows which staff member to blame?

As Agatha Christie said long ago in one of her 80-plus books, "I know to err is human, but human error is nothing compared to what a computer can do if it tries." The man-machine combination is even worse. We should stop trying to breed black swans and instead devise systems that don't create so many white ones.

May 30, 2008

Ten

It's easy to found an organization; it's hard to keep one alive even for as long as ten years. This week, the Foundation for Information Policy Research celebrated its tenth birthday. Ten years is a long time in Internet terms, and even longer when you're trying to get government to pay attention to expertise in a subject as difficult as technology policy.

My notes from the launch contain this quote from FIPR's first director, Caspar Bowden, which shows you just how difficult FIPR's role was going to be: "An educational charity has a responsibility to speak the truth, whether it's pleasant or unpleasant." FIPR was intended to avoid the narrow product focus of corporate laboratory research and retain the traditional freedoms of an academic lab.

My notes also show the following list of topics FIPR intended to research: the regulation of electronic commerce; consumer protection; data protection and privacy; copyright; law enforcement; evidence and archiving; electronic interaction between government, businesses, and individuals; the risks of computer and communications systems; and the extent to which information technologies discriminate against the less advantaged in society. Its first concern was intended to be researching the underpinnings of electronic commerce, including the then recent directive launched for public consultation by the European Commission.

In fact, the biggest issue of FIPR's early years was the crypto wars leading up to and culminating in the passage of the Regulation of Investigatory Powers Act (2000). It's safe to say that RIPA would have been a lot worse without the time and energy Bowden spent listening to Parliamentary debates, decoding consultation papers, and explaining what it all meant to journalists, politicians, civil servants, and anyone else who would listen.

Not that RIPA is a fountain of democratic behavior even as things are. In the last couple of weeks we've seen the perfect example of the kind of creeping functionalism that FIPR and Privacy International warned about at the time: the Poole council using the access rules in RIPA to spy on families to determine whether or not they really lived in the right catchment area for the schools their children attend.

That use of the RIPA rules, Bowden said at FIPR's half-day anniversary conference last Wednesday, sets a precedent for accessing traffic data for much lower level purposes than the government originally claimed it was collecting the data for. He went on to call the recent suggestion that the government may be considering a giant database, updated in real time, of the nation's communications data "a truly Orwellian nightmare of data mining, all in one place."

Ross Anderson, FIPR's founding and current chair and a well-known security engineer at Cambridge, noted that the same risks adhere to the NHS database. A clinic that owns its own data will tell police asking for the names of all its patients under 16 to go away. "If," said Anderson, "it had all been in the NHS database and they'd gone in to see the manager of BT, would he have been told to go and jump in the river? The mistake engineers make too much is to think only technology matters."

That point was part of a larger one that Anderson made: that hopes that the giant databases under construction will collapse under their own weight are forlorn. Think of developing Hulk-Hogan databases and the algorithms for mining them as an arms race, just like spam and anti-spam. The same principle that holds that today's cryptography, no matter how strong, will eventually be routinely crackable means that today's overload of data will eventually, long after we can remember anything we actually said or did ourselves, be manageable.

The most interesting question is: what of the next ten years? Nigel Hickson, now with the Department of Business, Enterprise, and Regulatory Reform, gave some hints. On the European and international agenda, he listed the returning dominance of the large telephone companies on the excuse that they need to invest in fiber. We will be hearing about quality of service and network neutrality. Watch Brussels on spectrum rights. Watch for large debates on the liability of ISPs. Digital signatures, another battle of the late 1990s, are also back on the agenda, with draft EU proposals to mandate them for the public sector and other services. RFID, the "Internet for things" and the ubiquitous Internet will spark a new round of privacy arguments.

Most fundamentally, said Anderson, we need to think about what it means to live in a world that is ever more connected through evolving socio-technological systems. Government can help when markets fail; though governments themselves seem to fail most notoriously with large projects.

FIPR started by getting engineers, later engineers and economists, to talk through problems. "The next growth point may be engineers and psychologists," he said. "We have to progressively involve more and more people from more and more backgrounds and discussions."

Probably few people feel that their single vote in any given election really makes a difference. Groups like FIPR, PI, No2ID, and ARCH remind us that even a small number of people can have a significant effect. Happy birthday.




May 23, 2008

The haystack conundrum

Early this week the news broke that the Home Office wants to create a giant database in which will be stored details of all communications sent in Britain. In other words, instead of data retention, in which ISPs, telephone companies, and other service providers would hang onto communications data for a year or seven in case the Home Office wanted it, everything would stream to a Home Office data center in real time. We'll call it data swallowing.

Those with long memories - who seem few and far between in the national media covering this sort of subject - will remember that in about 1999 or 2000 there was a similar rumor. In the resulting outraged media coverage it was more or less thoroughly denied and nothing had been heard of it since, though privacy advocates continued to suspect that somewhere in the back of a drawer the scheme lurked, dormant, like one of those just-add-water Martians you find in the old Bugs Bunny cartoons. And now here it is again in another leak that the suspicious veteran watcher of Yes, Minister might think was an attempt to test public opinion. The fact that it's been mooted before makes it seem so much more likely that they're actually serious.

This proposal is not only expensive, complicated, slow, and controversial/courageous (Yes, Minister's Fab Four deterrents), but risk-laden, badly conceived, disproportionate, and foolish. Such a database will not catch terrorists, because given the volume of data involved trying to use it to spot any one would-be evil-doer will be the rough equivalent of searching for an iron filing in a haystack the size of a planet. It will, however, make it possible for anyone trawling the database to make any given individual's life thoroughly miserable. That's so disproportionate it's a divide-by-zero error.

The risks ought to be obvious: this is a government that can't keep track of the personal details of 25 million households, which fit on a couple of CDs. Devise all the rules and processes you want, the bigger the database the harder it will be to secure. Besides personal information, the giant communications database would include businesses' communication information, much of it likely to be commercially sensitive. It's pretty good going to come up with a proposal that equally offends civil liberties activists and businesses.

In a short summary of the proposed legislation, we find this justification: "Unless the legislation is updated to reflect these changes, the ability of public authorities to carry out their crime prevention and public safety duties and to counter these threats will be undermined."

Sound familiar? It should. It's the exact same justification we heard in the late 1990s for requiring key escrow as part of the nascent Regulation of Investigatory Powers Act. The idea there was that if the use of strong cryptography to protect communications became widespread, law enforcement and security services would be unable to read the content of the messages and phone calls they intercepted. This argument was fiercely rejected at the time, and key escrow was eventually dropped in favor of requiring the subjects of investigation to hand over their keys under specified circumstances.

There is much, much less logic to claiming that police can't do their jobs without real-time copies of all communications. Here we have real analogies: postal mail, which has been with us since 1660. Do we require copies of all letters that pass through the post office to be deposited with the security services? Do we require the Royal Mail's automated sorting equipment to log all address data?

Sanity has never intervened in this government's plans to create more and more tools for surveillance. Take CCTV. Recent studies show that despite the millions of pounds spent on deploying thousands of cameras all over the UK, they don't cut crime, and, more important, the images help solve crime in only 3 percent of cases. But you know the response to this news will not be to remove the cameras or stop adding to their number. No, the thinking will be like the scheme I once heard for selling harmless but ineffective alternative medical treatments, in which the answer to all outcomes is more treatment. (Patient gets better - treatment did it. Patient stays the same - treatment has halted the downward course of the disease. Patient gets worse - treatment came too late.)

This week at Computers, Freedom, and Privacy, I heard about the Electronic Privacy Information Center's work on fusion centers, relatively new US government efforts to mine many commercial and public sources of data. EPIC is trying to establish the role of federal agencies in funding and controlling these centers, but it's hard going.

What do these governments imagine they're going to be able to do with all this data? Is the fantasy that agents will be able to sit in a control room somewhere and survey it all on some kind of giant map on which criminals will pop up in red, ready to be caught? They had data before 9/11 and failed to collate and interpret it.

Iron filing; haystack; lack of a really good magnet.


April 18, 2008

Like a Virgin

Back in November 2005 the CEO of AT&T, Ed Whitacre, told Business Week that he was tired of big Internet sites like Google and Yahoo! using "my pipes" "for free". With those words he launched the issue of network neutrality onto the front pages and into the public consciousness. At the time, it seemed like what one of my editors used to grandly dismiss as an "American issue". (One such issue, it's entertaining to remember now, was spam. That was in 1997.) The only company dominant enough and possessed of sufficient infrastructure to impose carriage charges on content providers in the UK was BT - and if BT had tried anything like that Ofcom would - probably - have stomped all over it.

But what starts in America usually winds up here a few years later, and this week, the CEO of Virgin Media, Neil Berkett, threatened that video providers who don't pay for faster service may find their traffic being delivered in slow "bus lanes". Network neutrality, he said, was "a load of bollocks".

His PR people recanted - er, clarified a day or two later. We find it hard to see how a comment as direct as "a load of bollocks" could be taken out of context. However. Let's say he was briefly possessed by the spirit of Whitacre, who most certainly meant what he said.

The recharacterization of Berkett's comments: the company isn't really going to deliberately slow down YouTube and the BBC's iPlayer. Instead, it "could offer content providers deals to upgrade their provisioning." I thought this sounded like the wheeze where you're not charged more for using a credit card, you're given a discount for paying cash. But no: what they say they have in mind is direct peering, in which no money changes hands, which they admit could be viewed as a "non-neutral" solution.

But, says Keith Mitchell, a fellow member of the Open Rights Group advisory board, "They are in for a swift education in the way the global transit/peering market works if they try this." Virgin seems huge in the context of the UK, where its ownership of the former ntl/Telewest combine gives it a lock on the consumer cable market - but in the overall scheme of things it's "a very small fish in the pond compared to the Tier 1 transit providers, and the idea that they can buck this model single-handedly is laughable."

Worse, he says, "If Virgin attempts to cost recover for interconnects off content providers on anything other than a sender-keeps-all/non-settlement basis, they'll quickly find themselves in competition with the transit providers, whose significantly larger economies of scale put them in a position to provide a rather cheaper path from the content providers."

What fun. In other words, if you're, say, the BBC, and you're faced with paying extra in some form to get your content out to the Net you'd choose to pay the big trucking company with access to all the best and fastest roads and the international infrastructure rather than the man-with-a-van who roams your local neighborhood.

ISPs versus the iPlayer seems likely to run and run. It's clear, for example, that streaming is growing at a hefty clip. Obviously, within the UK the iPlayer is the biggest single contributor to this; viewers are watching a million programs a week online, sopping up 3 to 5 percent of all Internet traffic in Britain.

We've seen exactly this sort of argument before: file-sharing (music, not video!), online gaming, binary Usenet newsgroups. Why (ancient creaking voice) I remember when the big threat was the advent of the graphical Web, which nearly did kill the Net (/ancient creaking voice). The difference this time is that there is a single organization with nice, deep, taxpayer-funded pockets to dig into. Unlike the voracious spider that was Usenet, the centipede that is file-sharing, or the millipedes who were putting up Web sites, YouTube and the BBC make up an easily manageable number of easily distinguished targets for a protection racket. At the same time, the consolidation of the consumer broadband market from hundreds of dial-up providers into a few very large broadband providers means competition is increasingly mythical.

But the iPlayer is only one small piece of the puzzle. Over the next few years we're going to see many more organizations offering streaming video across the Net. For example, a few weeks ago I signed up for an annual pass for the streaming TV service for the nine biggest men's tennis tournaments of the year. The economics make sense: $70 a year versus £20 a month for Sky Sports - and I have no interest in any of Sky's other offerings - or pay nothing and "watch" really terrible low-resolution video over a free Chinese player offering rebroadcasts of uncertain legality.

The real problem, as several industry insiders have said to me lately, is pricing. "You have a product," said one incredulously, "that people want more and more of, and you can't make any money selling it?" When companies like O2 are offering broadband for £7.50 a month as a loss-leading add-on to mobile phone connections, consumers don't see why they should pay any more than that. Jerky streaming might be just the motivator to fix that.


April 11, 2008

My IP address, my self

Some years back when I was writing about the data protection directive, Simon Davies, director of Privacy International, predicted a trade war between the US and Europe over privacy laws. It didn't happen, or at least it hasn't happened yet.

The key element to this prediction was the rule in the EU's data protection laws that prohibited sending data on for processing to countries whose legal regimes aren't as protective as those of the EU. Of course, since then we've seen the EU sell out on supplying airline passenger data to the US. Even so, this week the Article 29 Data Protection Working Party made recommendations about how search engines save and process personal data that could drive another wedge between the US and Europe.

The Article 29 group is one of those arcane EU phenomena that you probably don't know much about unless you're a privacy advocate or paid to find out. The short version: it's a sort of think tank of data protection commissioners from all over Europe. The UK's Information Commissioner, Richard Thomas, is a member, as are his equivalents in countries from France to Lithuania.

The Working Party (as it calls itself) advises and recommends policies based on the data protection principles enshrined in the EU Data Protection Directive. It cannot make law, but both its advice to the European Commission and the Commission's action (or lack thereof) are publicly reported. It's arguable that in a country like the UK, where the Information Commissioner operates with few legal teeth to bite with, the existence of such a group may help strengthen the Commissioner's hand.

(Few legal teeth, at least in respect of government activities: the Information Commissioner has issued an opinion about Phorm indicating that the service must be opt-in only. As Phorm and the ISPs involved are private companies, if they persisted with a service that contravened data protection law, the Information Commissioner could issue legal sanctions. But while the Information Commissioner can, for example, rule that for an ISP to retain users' traffic data for seven years is disproportionate, if the government passes a law saying the ISP must do so then within the UK's legal system the Information Commissioner can do nothing about it. Similarly, the Information Commissioner can say, as he has, that he is "concerned" about the extent of the information the government proposes to collect and keep on every British resident, but he can't actually stop the system from being built.)

The group's key recommendation: search engines should not keep personally identifiable search histories for longer than six months, and it specifically includes search engines whose headquarters are based outside the EU. The group does not say which search engines it studied, but it was reported to be studying Google as long ago as last May. The report doesn't look at requirements to keep traffic data under the Data Retention Directive, as it does not apply to search engines.

Google's shortening the life of its cookies and anonymizing its search history logs after 18 months turns out to have a significance I didn't appreciate when, at the time, I dismissed it as insultingly trivial (which it was): it showed the Article 29 working group that the company doesn't really need to keep all that data for so long. In

One of the key items the Article 29 group had to decide in writing its report on data protection issues related to search engines (PDF) is this: are IP addresses personal information? It sounds like one of those bits of medieval sophistry, like asking how many angels can dance on the head of a pin. In the dial-up days, it might not have mattered, at least in Britain, where local phone charges forced limited usage, so users were assigned a different IP address every time they logged in. But in the world of broadband, where even the supposedly dynamic IP addresses issued by cable suppliers may remain with a single subscriber for years on end, being able to track your IP address's activities is increasingly like being able to track your library card, your credit card, and your mobile phone all at the same time. Fortunately, the average ISP doesn't have the time to be that interested in most of its users.

The fact is that any single piece of information that identifies your activities over a long period and can be mapped to your real-life identity has to be considered personal information or the data protection laws make no sense. The libertarian view, of course, would be that there are other search engines. You do not actually have to use Google, Gmail, or even YouTube. But if all search engines adopted Google's habits the choice would be more apparent than real. Time was when the US was the world's policeman. With respect to data, it seems that the EU has taken on this role. It will be interesting to see whether this decision has any impact on Google's business model and practices. If it does, that trade war could finally be upon us. If not, then Google was building up a vast data store just because we can.


March 7, 2008

Techitics

This year, 2008, may go down in history as the year geeks got politics. At etech this week I caught a few disparaging references to hippies' efforts to change politics. Which, you know, seemed kind of unfair, for two reasons. First: the 1960s generation did change an awful lot of things, though not nearly as many as they hoped. Second: a lot of those hippies are geeks now.

But still. Give a geek something that's broken and he'll itch to fix it. And one thing leads to another. Which is why on Wednesday night Lawrence Lessig explained in an hour-long keynote that got a standing ovation how he plans to fix what's wrong with Congress.

No, he's not going to run. Some 4,500 people on Facebook were trying to push him into it, and he thought about it, but preliminary research showed that his chances of beating popular Silicon Valley favorite, Jackie Speier, were approximately zero.

"I wasn't afraid of losing," he said, noting ruefully that in ten years of copyfighting he's gotten good at it. Instead, the problem was that Silicon Valley insiders would have known that no one was going to beat Jackie Speier. But outsiders would have pointed, laughed, and said, "See? The idea of Congressional reform has no legs." And on to business as usual. So, he said, counterproductive to run.

Instead, he's launching Change Congress. "Obama has taught us that it's possible to imagine many people contributing to real change."

The point, he said, will be to provide a "signalling function". Like Creative Commons, Change Congress will give candidates an easy way to show what level of reform they're willing to commit to. The system will start with three options: 1) refusing money from lobbyists and political action committees (private funding groups); 2) banning earmarks (money allocated to special projects in politicians' home states); 3) committing to public financing for campaigns. Candidates can then display the badge generated from those choices on their campaign materials.

From there, said Lessig, layer something like Emily's List on top, to help people identify candidates they're willing to support with monthly donations, thereby subsidizing reform.

Money, he admitted, isn't the entire problem. But, like drinking for an alcoholic, it's the first problem you must solve to be able to tackle any of the others with any hope of success.

In a related but not entirely similar vein, the guys who brought us They Work For You nearly four years ago are back with UN democracy, an attempt to provide a signalling function to the United Nations by making it easy to find out how your national representatives are voting in UN meetings. The driving force behind UNdemocracy.com is Liverpool's Julian Todd, who took the UN's URL obscurantism as a personal challenge. Since he doesn't fly, presenting the new service were Tom Loosemore, Stefan Magdalinski, and Danny O'Brien, who pointed out that when you start looking at the decisions and debates you start to see strange patterns: what do the US and Israel have in common with Palau and Micronesia?

The US Congress and the British Parliament are all, they said, now well accustomed to being televised, and their behaviour has adapted to the cameras. At the UN, "They don't think they're being watched at all, so you see horse trading in a fairly raw form."

The meta-version they believe can be usefully and widely applied: 1) identify broken civic institution; 2) liberate data from said institution. There were three more ingredients, but they vanished from the slide too quickly. But Magdalinski noted that where in the past they have said "Ask forgiveness, not permission", alluding to the fact that most institutions if approached will behave as though they own the data, he's less inclined to apologise now. After all, isn't it *our* data that's being released in the public interest?

Data isn't everything. But the Net community has come a long way since the early days, when the prevailing attitude was that technological superiority would wash away politics-as-usual by simply making an end run around any laws governments tried to pass. Yes, technology can change the equation a whole lot. For example, once PGP escaped, laws limiting the availability of strong encryption were pretty much doomed to fail (though not without a lot of back-and-forth before it became official). Similarly, in the copyright wars it's clear that copyrighted material will continue to leak out no matter how hard they try to protect it.

But those are pretty limited bits of politics. Technology can't make such an easy end run around laws that keep shrinking the public domain. Nor can it by itself solve policies that deny the reality of global climate change or that, in one of Lessig's examples, back government recommendations off from a daily caloric intake of 10 percent sugar to one of 25 percent. Or that, in another of his examples, kept then Vice-President Al Gore from succeeding with a seventh part to the 1996 Communications Act deregulating ADSL and cable because without anything to regulate what would Congressmen do without the funds those lobbyists were sending their way? Hence, the new approach.

"Technology," Lessig said, "doesn't solve any problems. But it is the only tool we have to leverage power to effect change."


February 22, 2008

Strikeout

There is a certain kind of mentality that is actually proud of not understanding computers, as if there were something honorable about saying grandly, "Oh, I leave all that to my children."

Outside of computing, only television gets so many people boasting of their ignorance. Do we boast how few books we read? Do we trumpet our ignorance of other practical skills, like balancing a cheque book, cooking, or choosing wine? When someone suggests we get dressed in the morning do we say proudly, "I don't know how"?

There is so much insanity coming out of the British government on the Internet/computing front at the moment that the only possible conclusion is that the government is made up entirely of people who are engaged in a sort of reverse pissing contest with each other: I can compute less than you can, and see? here's a really dumb proposal to prove it.

How else can we explain yesterday's news that the government is determined to proceed with ContactPoint even though the report it commissioned and paid for from Deloitte warns that the risk of storing the personal details of every British child under 16 can only be managed, not eliminated? Lately, it seems that there's news of a major data breach every week. But the present government is like a batch of 20-year-olds who think that mortality can't happen to them.

Or today's news that the Department of Culture, Media, and Sport has launched its proposals for "Creative Britain", and among them is a very clear diktat to ISPs: deal with file-sharing voluntarily or we'll make you do it. By April 2009. This bit of extortion nestles in the middle of a bunch of other stuff about educating schoolchildren about the value of intellectual property. Dare we say: if there were one thing you could possibly do to ensure that kids sneer at IP, it would be to teach them about it in school.

The proposals are vague in the extreme about what kind of regulation the DCMS would accept as sufficient. Despite the leaks of last week, culture secretary Andy Burnham has told the Financial Times that the "three strikes" idea was never in the paper. As outlined by Open Rights Group executive director Becky Hogge in New Statesman, "three strikes" would mean that all Internet users would be tracked by IP address and warned by letter if they are caught uploading copyrighted content. After three letters, they would be disconnected. As Hogge says (disclosure: I am on the ORG advisory board), the punishment will fall equally on innocent bystanders who happen to share the same house. Worse, it turns ISPs into a squad of private police for a historically rapacious industry.

Charles Arthur, writing in yesterday's Guardian, presented the British Phonographic Institute's case about why the three strikes idea isn't necessarily completely awful: it's better than being sued. (These are our choices?) ISPs, of course, hate the idea: this is an industry with nanoscale margins. Who bears the liability if someone is disconnected and starts to complain? What if they sue?

We'll say it again: if the entertainment industries really want to stop file-sharing, they need to negotiate changed business models and create a legitimate market. Many people would be willing to pay a reasonable price to download TV shows and music if they could get in return reliable, fast, advertising-free, DRM-free downloads at or soon after the time of the initial release. The longer the present situation continues the more entrenched the habit of unauthorized file-sharing will become and the harder it will be to divert people to the legitimate market that eventually must be established.

But the key damning bit in Arthur's article (disclosure: he is my editor at the paper) is the BPI's admission that they cannot actually say that ending file-sharing would make sales grow. The best the BPI spokesman could come up with is, "It would send out the message that copyright is to be respected, that creative industries are to be respected and paid for."

Actually, what would really do that is a more balanced copyright law. Right now, the law is so far from what most people expect it to be - or rationally think it should be - that it is breeding contempt for itself. And it is about to get worse: term extension is back on the agenda. The 2006 Gowers Review recommended against it, but on February 14, Irish EU Commissioner Charlie McCreevy (previously: champion of software patents) announced his intention to propose extending performers' copyright in sound recordings from the current 50-year term to 95 years. The plan seems to go something like this: whisk it past the Commission in the next two months. Then the French presidency starts and whee! new law! The UK can then say its hands are tied.

That change makes no difference to British ISPs, however, who are now under the gun to come up with some scheme to keep the government from clomping all over them. Or to the kids who are going to be tracked from cradle to alcopop by unique identity number. Maybe the first target of the government computing literacy programs should be...the government.


Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

February 8, 2008

If you have ID cards, drink alcohol


One of the key identifiers of an addiction is that indulgence in it persists long after all the reasons for doing it have turned from good to bad.

A sobered-up Scottish alcoholic once told me the following exemplar of alcoholic thinking. A professor is lecturing to a class of alcoholics on the evils of drinking. To make his point, he takes two glasses, one filled with water, the other with alcohol. Into each glass he drops a live worm. The worm in the glass of water lives; the worm in the glass of alcohol dies.

"What," the professor asks, "can we learn from this?"

One of the alcoholics raises his hand. "If you have worms, drink alcohol."

In alcoholic thinking, of course, there is no circumstance in which the answer isn't "Drink alcohol."

So, too, with the ID card. The purpose as mooted between 2001 and 2004 was preventing benefit fraud and making life more convenient for UK citizens and residents. The plan promised perfect identification via the combination of a clean database (the National Identity Register) and biometrics (fingerprints and iris scans). The consultation document made a show of suggesting the cheaper alternative of a paper card with minimal data collection, but it was clear what they really wanted: the big, fancy stuff that would make them the envy of other major governments.

Opponents warned of the UK's poor track record with large IT projects, the privacy-invasiveness, and the huge amount such a system was likely to cost. Government estimates, now at £5.4 billion, have been slowly rising to meet Privacy International's original estimate of £6 billion.

By 2006, when the necessary legislation was passed, the government had abandoned the friendly "entitlement card" language and was calling it a national ID card. By then, also, the case had changed: less entitlement, more crime prevention.

It's 2008, and the wheels seem to be coming off. The government's original contention that the population really wanted ID cards has been shredded by the leaked documents of the last few weeks. In these, it's clear that the government knows the only way it will get people to adopt the ID card is by coercion, starting with the groups who are least able to protest by refusal: young people and foreigners.

Almost every element deemed important in the original proposal is now gone - the clean database populated through interviews and careful documentation (now the repurposed Department of Work and Pensions database); the iris scans (discarded); probably the fingerprints (too expensive except for foreigners). The one element that for sure remains is the one the government denied from the start: compulsion.

The government was always open about its intention for non-registration to become increasingly uncomfortable and eventually to make registration compulsory. But if the card is coming at least two years later than they intended, compulsion is ahead of schedule.

Of course, we've always maintained that the key to the project is the database, not the card. It's an indicator of just how much of a mess the project is that the Register, the heart of the system, was first to be scaled back because of its infeasibility. (I mean, really, guys. Interview and background-check the documentation of every one of 60 million people in any sort of reasonable time scale?)

The project is even fading in popularity with the very vendors who want to make money supplying the IT for it. How can you specify a system whose stated goals keep changing?

The late humorist and playwright Jean Kerr (probably now best known for her collection of pieces about raising five boys with her drama critic husband in a wacky old house in Larchmont, NY, Please Don't Eat the Daisies) once wrote a piece about the trials and tribulations of slogging through the out-of-town openings of one of her plays. In these pre-Broadway trial runs, lines get cut and revised; performances get reshaped and tightened. If the play is in trouble, the playwright gets no sleep for weeks. And then, she wrote, one day you look up at the stage, and, yes, the play is much better, and the performances are much better, and the audience seems to be having a good time. And yet - the play you're seeing on the stage isn't the play you had in mind at all.

It's one thing to reach that point in a project and retain enough perspective to be honest about it. It may be bad - but it isn't insane - to say, "Well, this play isn't what I had in mind, but you know, the audience is having a good time, and it will pay me enough to go away and try again."

But if you reach the point where the project you're pushing ahead clearly isn't any more the project you had in mind and sold hard, and yet you continue to pretend to yourself and everyone else that it is - then you have the kind of insanity problem where you're eating worms in order to prove you're not an alcoholic.

The honorable thing for the British government to do now is say, "Well, folks, we were wrong. Our opponents were right: the system we had in mind is too complicated, too expensive, and too unpopular because of its privacy-invasiveness. We will think again." Apparently they're so far gone that eating worms looks more sensible.


November 23, 2007

Road block

There are many ways for a computer system to fail. This week's disclosure that Her Majesty's Revenue and Customs has played lost-in-the-post with two CDs holding the nation's Child Benefit data is one of the stranger ones. The Child Benefit database includes names, addresses, identifying numbers, and often bank details, on all the UK's 25 million families with a child under 16. The National Audit Office requested a subset for its routine audit; the HMRC sent the entire database off by TNT post.

There are so many things wrong with this picture that it would take a village of late-night talk show hosts to make fun of them all. But the bottom line is this: when the system was developed no one included privacy or security in the specification or thought about the fundamental change in the nature of information when paper-based records are transmogrified into electronic data. The access limitations inherent in physical storage media must be painstakingly recreated in computer systems or they do not exist. The problem with security is it tends to be inconvenient.

With paper records, the more data you provide the more expensive and time-consuming it is. With computer records, the more data you provide the cheaper and quicker it is. The NAO's file of email relating to the incident (PDF) makes this clear. What the NAO wanted (so it could check that the right people got the right benefit payments): national insurance numbers, names, and benefit numbers. What it got: everything. If the discs hadn't gotten lost, we would never have known.

Ironically enough, this week in London also saw at least three conferences on various aspects of managing digital identity: Digital Identity Forum, A Fine Balance, and Identity Matters. All these events featured the kinds of experts the UK government has been ignoring in its mad rush to create and collect more and more data. The workshop on road pricing and transport systems at the second of them, however, was particularly instructive. Led by science advisor Brian Collins, the most notable thing about this workshop is that the 15 or 20 participants couldn't agree on a single aspect of such a system.

Would it run on GPS or GSM/GPRS? Who or what is charged, the car or the driver? Do all roads cost the same or do we use differential pricing to push traffic onto less crowded routes? Most important, is the goal to raise revenue, reduce congestion, protect the environment, or rebalance the cost of motoring so the people who drive the most pay the most? The more purposes the system is intended to serve, the more complicated and expensive it will become, and the less likely it is to answer any of those goals successfully. This point has of course also been made about the National ID card by the same sort of people who have warned about the security issues inherent in large databases such as the Child Benefit database. But it's clearer when you start talking about something as limited as road charging.

For example: if you want to tag the car you would probably choose a dashboard-top box that uses GPS data to track the car's location. It will have to store and communicate location data to some kind of central server, which will use it to create a bill. The data will have to be stored for at least a few billing cycles in case of disputes. Security services and insurers alike would love to have copies. On the other hand, if you want to tag the driver it might be simpler just to tie the whole thing to a mobile phone. The phone networks are already set up to do hand-off between nodes, and tracking the driver might also let you charge passengers, or might let you give full cars a discount.

The problem is that the discussion is coming from the wrong angle. We should not be saying, "Here is a clever technological idea. Oh, look, it makes data! What shall we do with it?" We should be defining the problem and considering alternative solutions. The people who drive most already pay most via the fuel pump. If we want people to drive less, maybe we should improve public transport instead. If we're trying to reduce congestion, getting employers to be more flexible about working hours and telecommuting would be cheaper, provide greater returns, and, crucially for this discussion, not create a large database system that can be used to track the population's movements.

(Besides, said one of the workshop's participants: "We live with the congestion and are hugely productive. So why tamper with it?")

It is characteristic of our age that the favored solution is the one that creates the most data and the biggest privacy risk. No one in the cluster of organisations opposing the ID card - No2ID, Privacy International, Foundation for Information Policy Research, or Open Rights Group - wanted an incident like this week's to happen. But it is exactly what they have been warning about: large data stores carry large risks that are poorly understood, and it is not enough for politicians to wave their hands and say we can trust them. Information may want to be free, but data want to leak.


November 9, 2007

Watching you watching me

A few months ago, a neighbour phoned me and asked if I'd be willing to position a camera on my windowsill. I live at the end of a small dead-end street (or cul-de-sac), that ends in a wall about shoulder height. The railway runs along the far side of the wall, and parallel to it and further away is a long street with a row of houses facing the railway. The owners of those houses get upset because graffiti keeps appearing alongside the railway where they can see it and covers flat surfaces such as the side wall of my house. The theory is that kids jump over the wall at the end of my street, just below my office window, either to access the railway and spray paint or to escape after having done so. Therefore, the camera: point it at the wall and watch to see what happens.

The often-quoted number of times the average Londoner is caught on camera per day is scary: 200. (And that was a few years ago; it's probably gone up.) My street is actually one of those few that doesn't have cameras on it. I don't really care about the graffiti; I do, however, prefer to be on good terms with neighbours, even if they're all the way across the tracks. I also do see that it makes sense at least to try to establish whether the wall downstairs is being used as a hurdle in the getaway process. What is the right, privacy-conscious response to make?

I was reminded of this a few days ago when I was handed a copy of Privacy in Camera Networks: A Technical Perspective, a paper published at the end of July. (We at net.wars are nothing if not up-to-date.)

Given the amount of money being spent on CCTV systems, it's absurd how little research there is covering their efficacy, their social impact, or the privacy issues they raise. In this paper, the quartet of authors – Marci Lenore Meingast (UC Berkeley), Sameer Pai (Cornell), Stephen Wicker (Cornell), and Shankar Sastry (UC Berkeley) – are primarily concerned with privacy. They ask a question every democratic government deploying these things should have asked in the first place: how can the camera networks be designed to preserve privacy? For the purposes of preventing crime or terrorism, you don't need to know the identity of the person in the picture. All you want to know is whether that person is pulling out a gun or planting a bomb. For solving crimes after the fact, of course, you want to be able to identify people – but most people would vastly prefer that crimes were prevented, not solved.

The paper cites model legislation (PDF) drawn up by the Constitution Project. Reading it is depressing: so many of the principles in it are such logical, even obvious, derivatives of the principles that democratic governments are supposed to espouse. And yet I can't remember any public discussion of the idea that, for example, all CCTV systems should be accompanied by identification of and contact information for the owner. "These premises are protected by CCTV" signs are everywhere; but they are all anonymous.

Even more depressing is the suggestion that the proposals for all public video surveillance systems should specify what legitimate law enforcement purpose they are intended to achieve and provide a privacy impact assessment. I can't ever remember seeing any of those either. In my own local area, installing CCTV is something politicians boast about when they're seeking (re)election. Look! More cameras! The assumption is that more cameras equals more safety, but evidence to support this presumption is never provided and no one, neither opposing politicians nor local journalists, ever mounts a challenge. I guess we're supposed to think that they care about us because they're spending the money.

The main intention of Meingast, Pai, et al, however, is to look at the technical ways such networks can be built to preserve privacy. They suggest, for example, collecting public input via the Internet (using codes to identify the respondents on whom the cameras will have the greatest impact). They propose an auditing system whereby these systems and their usage are reviewed. As the video streams become digital, they suggest using layers of abstraction of the resulting data to limit what can be identified in a given image. "Information not pertinent to the task in hand," they write hopefully, "can be abstracted out leaving only the necessary information in the image." They go on into more detail about this, along with a lengthy discussion of facial recognition.

The most depressing thing of all: none of this will ever happen, and for two reasons. First, no government seems to have the slightest qualm of conscience about installing surveillance systems. Second, the mass populace don't seem to care enough to demand these sorts of protections. If these protections are to be put in place at all, it must be done by technologists. They must design these systems so that it's easier to use them in privacy-protecting ways than to use them in privacy-invasive ways. What are the odds?

As for the camera on my windowsill, I told my neighbour after some thought that they could have it there for a maximum of a couple of weeks to establish whether the end of my street was actually being used as an escape route. She said something about getting back to me when something or other happened. Never heard any more about it. As far as I am aware, my street is still unsurveilled.


October 12, 2007

The permission-based society

It was Edward Hasbrouck who drew my attention to a bit of rulemaking being proposed by the Transportation Security Agency. Under current rules, if you want to travel on a plane out of, around, into, or over the US you buy a ticket and show up at the airport, where the airline compares your name and other corroborative details to the no-fly list the TSA maintains. Assuming you're allowed onto the flight, unbeknownst to you, all this information has to be sent to the TSA within 15 minutes of takeoff (before, if it's a US flight, after if it's an international flight heading for the US).

Under the new rules, the information will have to arrive at the TSA 72 hours before the flight takes off – after all, most people have finalised their travel plans by that time, and only 7 to 10 percent of itineraries change after that – and the TSA has to send back an OK to the airline before you can be issued a boarding pass.

There's a whole lot more detail in the Notice of Proposed Rulemaking, but that's the gist. (They'll be accepting comments until October 22, if you would like to say anything about these proposals before they're finalised.)

There are lots of negative things to say about these proposals – the logistical difficulties for the travel industry, the inadequacy of the mathematical model behind this (which at the public hearing the ACLU's Barry Steinhardt compared to trying to find a needle in a haystack by pouring more hay on the stack), and the privacy invasiveness inherent in having the airlines collect the many pieces of data the government wants and, not unnaturally, retaining copies while forwarding it on to the TSA. But let's concentrate on one: the profound alteration such a scheme will make to American society at large. The default answer to the question of whether you had the right to travel anywhere, certainly within the confines of the US, has always been "Yes". These rules will change it to "No".

(The right to travel overseas has, at times, been more fraught. The folk scene, for example, can cite several examples of musicians who were denied passports by the US State Department in the 1950s and early 1960s because of their left-wing political beliefs. It's not really clear to me why the US wanted to keep people whose views it disapproved of within its borders but some rather hasty marriages took place in order to solve some of these immigration problems, though everyone's friends again now and it's fresh passports all round.)

Hasbrouck, Steinhardt, and EFF founder John Gilmore, who sued the government over the right to travel anonymously within the US, have all argued that the key issue here is the right to assemble guaranteed in the First Amendment. If you can't travel, you can't assemble. And if you have to ask permission to travel, your right of assembly is subject to disruption at any time. The secrecy with which the TSA surrounds its decision-making doesn't help.

Nor does the amount of personal data the TSA is collecting from airline passenger name records. The Identity Project's recent report on the subject highlights that these records may include considerable detail: what books the passenger is carrying, what answer you give when asked where you've been or are going, names and phone numbers given as emergency contacts, and so on. Despite the data protection laws, it isn't always easy to find out what information is being stored; when I made such a request of US Airways last year, the company refused to show me my PNR from a recent flight and gave as the reason: "Security." Civilisation as we know it is at risk if I find out what they think they know about me? We really are in trouble.

In Britain, the chief objections to the ID card and, more important, the underlying database, have of course been legion, but they have generally focused on the logistical problems of implementing it (huge cost, complex IT project, bound to fail) and its general privacy-invasiveness. But another thing the ID card – especially the high-tech, biometric, all-singing, all-dancing kind – will do is create a framework that could support a permission-based society in which the ID card's interaction with systems is what determines what you're allowed to do, where you're allowed to go, and what purchases you're allowed to make. There was a novel that depicted a society like this: Ira Levin's This Perfect Day, in which these functions were all controlled by scanner bracelets and scanners everywhere that lit up green to allow or red to deny permission. The inhabitants of that society were kept drugged, so they wouldn't protest the ubiquitous controls. We seem to be accepting the beginnings of this kind of life stone-cold sober.

American children play a schoolyard game called "Mother, May I?" It's one of those games suitable for any number of kids, and it involves a ritual of asking permission before executing a command. It's a fine game, but surely it isn't how we want to live.



September 28, 2007

Anything worth having is worth cheating for

How can you tell if someone is lying? The American civil rights lawyer Alan Dershowitz said during the OJ Simpson trial that even though we all want to believe we can, most people can't. That, he said, is why we must always look at the evidence.

I was thinking about this last week, when the cyclist Floyd Landis was stripped of his 2006 Tour de France title after an arbitration panel ruled two to one to uphold a two-year suspension after he tested positive for synthetic testosterone. In his book, Positively False, Landis does a better job than you might expect of casting doubt on the test's validity. But the ritual public shaming will proceed unabated.

These morality plays cover no one with glory, least of all Dick Pound, the self-righteous, moralizing head of the World Anti-Doping Agency who sees all things in black and white.

Take, for example, his comment in the case of tennis player Mariano Puerta, the 2005 French Open finalist: "You're dealing with somebody who's tested positive twice in less than two years and clearly doesn't think the rules apply to him."

Puerta's second positive test, which got him a two-year suspension and forfeiture of the money and ranking points he won at that French Open, was for traces of etilefrine so slight that the tribunal hearing the case agreed there was no performance-enhancing benefit he could have derived from it. The tribunal was slightly skeptical of Puerta's story, which was that etilefrine is a component of a medication his wife takes for low blood pressure and they must have switched glasses. But there was enough doubt to reduce his suspension from eight years to two.

Puerta's first positive test was for clenbuterol, administered for an asthma attack. The tribunal agreed that the only performance-enhancing benefit he derived from it was not being dead. Under the rules they had no choice but to suspend him. They made it as short and painless as possible, given the circumstances. Pound's attitude does nothing to win hearts and minds.

There's no question that a lot of lethal stuff is going on: this week the Drug Enforcement Administration mounted a comprehensive steroids raid that shut down 26 underground labs, made more than 50 arrests, and identified major suppliers in China. Surely high-profile top athletes with million-dollar endorsements are not buying their steroids online via hot tips from strangers on MySpace. The military and police that Pound, in his book Inside Dope, pegs as heavy users also surely have better sources. It's worse: these steroids are (or were) being sold over the Internet to amateur bodybuilders and high school kids.

But it is arguable that this underground distribution network is a logical by-product of the anti-doping empire that has been built up since Ben Johnson's 1988 disqualification from the Seoul Olympics, just as Prohibition created the Mafia in the form of friendly bootleggers. The steroid message boards now are filled with warnings not to buy anything for a while.

Landis has, I think legitimately, pointed out flaws in the anti-doping system as it's presently constituted. For one thing, its courts are not governed by the due process and civil liberties that normally apply. The testing regime is privacy-invasive: urine or blood samples may be demanded at any time, without notice, and a missed test is treated as a positive test. In the case of a positive test, athletes can only call on assistance from experts who are not part of the WADA system – which means almost all the experts on the subject. Finally, the system is set up to presume guilt.

Based on experience, that may seem reasonable. There's no doubt cycling has a serious drug problem: reading the former soigneur Willy Voet's 2000 Breaking the Chain is sufficient to show that. If you need more, read David Walsh's From Lance to Landis, Paul Kimmage's Rough Ride, or Werner Reiterer's Positive. Baseball player Jose Canseco's Juiced makes it clear that, underneath, many sports welcome the results. In baseball, club owners have shrunk the size of parks to increase the rate of home runs – more excitement, more paying fans. Steroids do this, too, by as much as 50 to 100 percent, according to this calculation.

Professionalism in sports has brought with it early entry, better training methods, and better nutrition, plus the freedom from other work that allows full-time effort. But American team sports like football, baseball, and hockey have been professional for a long time, and yet the change in body shapes in the last decade or two is striking.

Even so: in other areas of law enforcement it isn't enough to *know* someone is guilty, and the technicalities of how the law is applied do matter. Every year WADA expands its reach, into new sports, into new tests, into new areas of sport, including amateur competitions. We are creating the framework for an international legal system in which any legal issues to do with an ever-changing list of drugs and doping techniques are controlled by a single non-democratic organisation with multinational government funding that makes and administers its own laws. Is this what people mean by "clean sport"?


September 21, 2007

The summer of lost hats

I seem to have spent the summer dodging in and out of science fiction novels featuring four general topics: energy, security, virtual worlds, and what someone at the last conference called "GRAIN" technologies (genetic engineering, robotics, AI, and nanotechnology). So the summer started with doom and gloom and got progressively more optimistic. Along the way, I have mysteriously lost a lot of hats. The phenomena may not be related.

I lost the first hat in June, a Toyota Motor Racing hat (someone else's joke; don't ask) while I was reading the first of many very gloomy books about the end of the world as we know it. Of course, TEOTWAWKI has been oft-predicted, and there is, as Damian Thompson, the Telegraph's former religious correspondent, commented when I was writing about Y2K, a "wonderful and gleeful attention to detail" in these grand warnings. Y2K was a perfect example: a timetable posted to comp.software.year-2000 had the financial system collapsing around April 1999 and the cities starting to burn in October…

Energy books can be logically divided into three categories. One, apocalyptics: fossil fuels are going to run out (and sooner than you think), the world will continue to heat up, billions will die, and the few of us who survive will return to hunting, gathering, and dying young. Two, deniers: fossil fuels aren't going to run out, don't be silly, and we can tackle global warming by cleaning them up a bit. Here. Have some clean coal. Three, optimists: fossil fuels are running out, but technology will help us solve both that and global warming. Have some clean coal and a side order of photovoltaic panels.

I tend, when not wracked with guilt for having read 15 books and written 30,000 words on the energy/climate crisis and then spent the rest of the summer flying approximately 33,000 miles, toward optimism. People can change – and faster than you think. Ten years ago, you'd have been laughed off the British isles for suggesting that in 2007 everyone would be drinking bottled water. Given the will, ten years from now everyone could have a solar collector on their roof.

The difficulty is that at least two of those takes on the future of energy encourage greater consumption. If we're all going to die anyway and the planet is going inevitably to revert to the Stone Age, why not enjoy it while we still can? All kinds of travel will become hideously expensive and difficult; go now! If, on the other hand, you believe that there isn't a problem, well, why change anything? The one group who might be inclined toward caution and saving energy is the optimists – technology may be able to save us, but we need time to create and deploy it. The more careful we are now, the longer we'll have to do that.

Unfortunately, that's cautious optimism. While technology companies, who have to foot the huge bills for their energy consumption, are frantically trying to go green for the soundest of business reasons, individual technologists don't seem to me to have the same outlook. At Black Hat and Defcon, for example (lost hats number two and three: a red Canada hat and a black Black Hat hat), among all the many security risks that were presented, no one talked about energy as a problem. I mean, yes, we have all those off-site backups. But you can take out a border control system as easily with an electrical power outage as you can by swiping an infected RFID passport across a reader to corrupt the database. What happens if all the lights go out, we can't get them back on again, and everything was online?

Reading all those energy books changes the lens through which you view technical developments somewhat. Singapore's virtual worlds are a case in point (lost hat: a navy-and-tan Las Vegas job): everyone is talking about what kinds of laws should apply to selling magic swords or buying virtual property, and all the time in the back of your mind is the blog posting that calculated that the average Second Life avatar consumes as much energy as the average Brazilian. And emits as much carbon as driving an SUV for 2,000 miles. Bear in mind that most SL avatars aren't fired up that often, and the suggestion that we could curb energy consumption by having virtual conferences instead of physical ones seems less realistic. (Though we could, at least, avoid airport security.) In this, as in so much else, the science fiction writer Vernor Vinge seems to have gotten there first: his book Marooned in Real Time looks at the plight of a bunch of post-Singularity augmented humans knowing their technology is going to run out.

It was left to the most science fictional of the conferences, last week's Center for Responsible Nanotechnology conference (my overview is here) to talk about energy. In wildly optimistic terms: technology will not only save us but make us all rich as well.

This was the one time all summer I didn't lose any hats (red Swiss everyone thought was Red Cross, and a turquoise Arizona I bought just in case). If you can keep your hat while all around you everyone is losing theirs…

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

August 31, 2007

Snouting for bandwidth

Our old non-friend Comcast has been under fire again, this time for turning off Internet access to users it deems to have used too much bandwidth. The kicker? Comcast won't tell those users how much is too much.

Of course, neither bandwidth caps nor secrecy over what constitutes heavy usage is anything new, at least in Britain. ntl brought in a 1Gb per day bandwidth cap as long ago as 2003. BT began capping users in 2004. And Virgin Media, which now owns ntl and apparently every other cable company in the UK, is doing it, too.

As for the secrecy, a few years ago when "unlimited" music download services were the big thing, it wasn't uncommon to hear heavy users complain that they'd been blocked for downloading so much that the service owner concluded they were sharing the account. (Or, maybe hoarding music to play later, I don't know.) That was frustrating enough, but the bigger complaint was that they could never find out how much was too much. They would, they said, play by the rules – if only someone would tell them what those rules were.

This is the game Comcast is now playing. It is actually disconnecting exceptionally heavy users – and then refusing to tell them what usage is safe. Internet service, as provided by Franz Kafka. The problem is that in a fair number of areas of the US consumers have no alternative if they want broadband. Comcast owns the cable market, and DSL provision is patchy. The UK is slightly better off: Virgin Media now owns the cable market, but DSL is widespread, and it's not only sold by BT directly but also by smaller third parties under a variety of arrangements with BT's wholesale department.

I am surprised to find I have some – not a lot, but some – sympathy with Comcast here. I do see that publishing the cap might lead to the entire industry competing on how much you can download a month – which might in turn lead to everyone posting the "unlimited" tag again and having to stick with it. On the other hand, as this Slashdot comment says, subscribers don't have any reliable way of seeing how much they actually are downloading. There is no way to compare your records with the company's equivalent to balancing your check book. But at least you can change banks if the bank keeps making mistakes or your account is being hacked. As already noted, this isn't so much of an option for Comcast subscribers.

This type of issue is resurfacing in the UK as a network neutrality dispute with the advent of the BBC's iPlayer. Several large ISPs want the BBC to pay for bandwidth costs, perhaps especially because its design makes it prospectively a bandwidth hog. It's an outrageous claim when you consider that both consumers and the BBC already pay for their bandwidth.

Except…we don't, quite. The fact is that the economics of ISPs have barely changed since they were all losing money a decade ago. In the early days of the UK online industry, when the men were men, the women were (mostly) men, and Demon was the top-dog ISP, ISPs could afford to offer unlimited use of their dial-up connections for one very simple reason. They knew that the phone bills would throw users offline: British users paid by the minute for local calls in those days. ISPs could, therefore, budget their modem racks and leased lines based on the realistic assessment that most of their users would be offline at any given time.

Cut to today. Sure, users are online all the time with broadband. But most of them go out to work (or, if they're businesses, go home at night), and heavy round-the-clock usage is rare. ISPs know this, and budget accordingly. Pipes from BT are expensive, and their size is, logically enough, specified based on average use. There isn't a single ISP whose service wouldn't fall over if all its users saturated all their bandwidth 24/7. And at today's market rates, there isn't a single ISP who could afford to provide a service that wouldn't fall over under that level of usage. If an entire nation switches even a sizable minority of its viewing habits to the iPlayer, ISPs could legitimately have a problem. Today's bandwidth hogs are a tiny percentage of Internet users, easily controlled. Tomorrow's could be all of us. Well, all of us and the FBI.

Still, there really has to be a middle ground. The best seems to be the ideas in the Slashdot posting linked above: subscribers should be able to monitor the usage on their accounts. Certainly, there are advantages to both sides in having flexible rules rather than rigid ones. But the ultimate sanction really can't be to cut subscribers off for a year, especially if they have no choice of supplier. If that's how Comcast wants to behave, it could at least support plans for municipal wireless. Let the burden of the most prolific users of the Internet, like those of health care, fall on the public purse. Why not?



July 27, 2007

There ain't no such thing as a free Benidorm

This has been the week for reminders that the border between real life and cyberspace is a permeable blood-brain barrier.

On Wednesday, Linden Lab announced that it was banning gambling in Second Life. The resentment expressed by some SL residents is understandable but naive. We're not at the beginning of the online world any more; Second Life is going through the same reformation to take account of national laws as Usenet and the Web did before it.

Second, this week MySpace deleted the profiles of 29,000 American users identified as sex offenders. That sounds like a lot, but it's a tiny percentage of MySpace's 180 million profiles. None of them, be it noted, are Canadian.

There's no question that gambling in Second Life spills over into the real world. Linden dollars, the currency used in-world, have active exchange rates, like any other currency, currently running about L$270 to the US dollar. (When I was writing about a virtual technology show, one of my interviewees was horrified that my avatar didn't have any distinctive clothing; she was and is dressed in the free outfit you are issued when you join. He insisted on giving me L$1,000 to take her shopping. I solemnly reported the incident to my commissioning editor, who felt this wasn't sufficiently corrupt to worry about: US$3.75! In-world, however, that could buy her several cars.) Therefore: the fact that the wagering takes place online in a simulated casino with pretty animated decorations changes nothing. There is no meaningful difference between craps on an island in Second Life and poker on an official Web-based betting site. If both sites offer betting on real-life sporting events, there's even less difference.

But the Web site will, these days, have gone through considerable time and money to set up its business. Gaming, even outside the US, is quite difficult to get into: licenses are hard to get, and without one banks won't touch you. Compared to that, the $3,800 and 12 to 14 hours a day Brighton's Anthony Smith told Information Week he'd invested in building his SL Casino World is risibly small. You have to conclude that there are only two possibilities. Either Smith knew nothing about the gaming business – if he did, he'd have known that the US has repeatedly cracked down on online gambling over the last ten years and that ultimately US companies will be forced to decide to live within US law. He'd also have known how hard and how expensive it is to set up an online gambling operation even in Europe. Or, he did know all those things and thought he'd found a loophole he could exploit to avoid all the red tape and regulation and build a gaming business on the cheap.

I have no personal interest in gaming; risking real money on the chance draw of a card or throw of dice seems to me a ridiculous waste of the time it took to earn it. But any time you have a service that involves real money, whether that service is selling an experience (gaming), a service, or a retail product, when the money you handle reaches a certain amount governments are going to be interested. Not only that, but people want them involved; people want protection from rip-off artists.

The MySpace decision, however, is completely different. Child abuse is, rightly, illegal everywhere. Child pornography is, more controversially, illegal just about everywhere. But I am not aware of any laws that ban sex offenders from using Web sites, even if those Web sites are social networks. Of course, in the moral panic following the MySpace announcement, someone is proposing such a law. The MySpace announcement sounds more like corporate fear (since the site is now owned by News International) than rational response. There is a legitimate subject for public and legislative debate here: how much do we want to cut convicted sex offenders out of normal social interaction? And a question for scientists: will greater isolation and alienation be effective strategies to keep them from reoffending? And, I suppose, a question for database experts: how likely is it that those 29,000 profiles all belonged to correctly identified, previously convicted sex offenders? But those questions have not been discussed. Still, this problem, at least in regards to MySpace, may solve itself: if parents become better able to track their kids' MySpace activities, all but the youngest kids will surely abandon it in favour of sites that afford them greater latitude and privacy.

A dozen years ago, John Perry Barlow (in)famously argued that national governments had no place in cyberspace. It was the most hyperbolic demonstration of what I call the "Benidorm syndrome": every summer thousands of holidaymakers descend on Benidorm, in Spain, and behave in outrageous and sometimes lawless ways that they would never dare indulge in at home in the belief that since they are far away from their normal lives there are no consequences. (Rinse and repeat for many other tourist locations worldwide, I'm sure.) It seems to me only logical that existing laws apply to behaviour in cyberspace. What we have to guard against is deforming cyberspace to conform to laws that don't exist.



July 13, 2007

Constitutional convention

One of the things that surprises outsiders most about Britain is that there is no written constitution. I can only judge what that discovery is like for an American, and in the US in particular our written constitution is regarded with such reverence that the notion of not having one is kind of shocking.

There have been various efforts to change this situation. The best known in the time I've been hanging around Britain is, or was, Charter 88. Founded (logically enough) in 1988, the group seemed to fizzle out in the 1990s, though apparently not entirely. The ideas didn't die, in any case, and the dear departed Blair had been making constitutional noises, and now his replacement, Gordon Brown, has made a commitment to constitutional reform.

Wednesday, July 18, therefore, sees the first of what will doubtless be a series of events at the LSE, organized by Fellows Simon Davies and Gus Hosein and featuring a raft of interesting speakers: Exploring options for the process of constitutional change. The project, known as Future Britain, will launch its Web site on Monday, July 16.

It was only after I'd been living in Britain for a while that it occurred to me that the unwritten constitution is that most quintessentially British thing, a gentleman's agreement. The principles by which Britain is governed have accreted over nine centuries, and for much of that time the people in charge of making decisions based on those principles were in fact gentlemen. I always had the sense that Britons regarded our constant American perusal of the Constitution's text as rather childish, a petty, dogmatic insistence on the exact terms of our written contract. Grown-ups trust each other.

Things are of course different now. The country is no longer so homogeneous; you can't count on the people in charge of making laws to be gentlemen. It was, I think, no coincidence that Charter 88 started up during Margaret Thatcher's years as Prime Minister. She did things that would simply not be possible under the American Constitution, most notably abolishing the Greater London Council and several other local governments. That was the moment when I understood just how centralized British government is. It was, or had been, inconceivable to me that in an old and famous democracy a properly elected leader could be deposed in such a way. What was even more amazing was that despite a few protests, these actions were accepted and the country went on as usual. There is no local government if it can be abruptly terminated in that single-handed way, only delegated authority. Britain, I learned from that, is an elected dictatorship.

Writing down a constitution is not the same as reforming one. A constitution is not a blueprint; it has to be flexible enough and general enough in its principles to be adaptable to changing conditions. One of the significant failures of the US Constitution in today's world is that the Founding Fathers left no room for controlling large, multinational corporations. It would not have mattered that there were no such things in the 18th century if they had simply allowed for the possibility of third-party private interests of economic power. But they thought they had it covered when they put in the clause to separate church and state, since at the time the church was the only multinational corporation in town.

Brown's list of desired reforms does not make the kind of deep-rooted change that Charter 88 was calling for. The case for that is made on Open Democracy, by Neal Ascherson, who argues that this is really just an English problem.

The US Constitution, when I read it now, seems to me to be focused on prohibiting the kinds of abuses its drafters had experienced. Separating church and state, limiting the power of government to interfere in individuals' lives, guaranteeing freedom of speech and of assembly – these all speak of bitter experience. Ascherson's argument seems to suggest that something similar happened in creating Britain's undocumented government: the abuse to overthrow was the power of the king. Parliamentary absolutism was an adequate answer. Even the US's Founding Fathers didn't trust the people unless they were sufficiently wealthy land-owning men.

And that's the thing about constitutions: they are not enough by themselves even if they are written down. This point was made to me by the Campaign to Separate Church and State when I was living in Ireland in the late 1980s. The lifetime of the Irish constitution is still measured in decades, and the clause guaranteeing freedom of religion clearly meant the freedom to be Catholic after centuries of British Protestant rule. It did not guarantee equality for atheists, agnostics, or even Jews. So the broader point my Irish friends made was that the constitutional guarantee was meaningless without supporting legislation to enforce it. A constitution is, therefore, only a beginning.

As a foreigner, I don't think it's up to me to say what a British – or English – constitution should be. But I do know it shouldn't be written by the elected dictatorship in power. To have meaning, a constitution must be written by the people. It's our chance to devise a governmental design to which we give consent.


June 22, 2007

Many hidden returns

This week, the Open Rights Group released its report on the May 7 electronic voting pilots, conducted during by-elections in various locations in England and across all of Scotland. ORG observed these as closely as it could through the eyes of 25 volunteers.

Much of the report should be familiar to anyone who's read about similar trials and pilot projects in the US and elsewhere (especially the UK's own 2003 trials). There were technical problems when equipment failed or had to be rebooted. There were people problems, when both voters and officials were uncertain how to make machines work. There were security issues, as when ORG observers found PCs and switches with open ports and no one watching them. And there were design problems, when ballot layouts confused voters into spoiling ballots. Sound familiar?

More than that, the process of tallying votes just isn't transparent. At some point in the process, a miracle occurred and numbers were produced. Anti-evoting activists have been talking about "black box voting" for years, and here it was, live and in the silicon.

Probably no one expected ORG to come away from the trials glowing with enthusiasm about the technology. But the group put a significant amount of effort into observing the process and reporting fairly what it saw. The report needs to be taken seriously by the people in charge of choosing how we vote.

The job for the observers, from the sounds of it, wasn't easy. Rules were inconsistent, inconsistently applied, and subject to abrupt change. My favourite was the constituency that apparently got its security advice from someone used to working with banks: they were told not to let anyone see the screens of the laptops. But the whole point of elections is to make the process publicly accountable – which means the nuts and bolts need to be visible.

Curiously enough, it may be the black-box nature of these systems that kills them after all, just not for the reason we always thought.

If there is one consistent refrain throughout the mad rush to move ballot boxes inside computers it's that new technology will engage a new generation of currently disaffected voters. One of the most intriguing observations to come out of the Open Rights Group's report on the recent e-voting trials, therefore, is: "People passionate about local politics were consistently being turned off by the e-voting and e-counting pilot counts in areas observed" (p20).

People who don't care that much may just want the counts. But if you're a politician running for office, his agent, or one of the dozens (or thousands) of people who participated in the political process by campaigning for him or who cares about specific issues, just getting the count out of a black box is as much missing the point as watching a tennis match by looking up the final score on the Internet. Worse, since what's at stake is who runs the country (rather than an Oscar or a trophy), you need to have confidence that the count has some relation to how people actually voted. If I lived in any of the constituencies where these pilots took place, I'd be demanding they rerun the election.

That might be the thing that kills it, more than the security problems or any philosophical problem the general public might have with privatizing voting. Without passionate supporters there would be no candidates.

Politics, sports, and entertainment all face the same challenge of engaging fans. The lesson from sports in particular is that the more detail you give fans the more obsessive they become. If there were some way to project each ballot, one at a time, on a giant screen, without destroying the secrecy of individual ballots, maybe every election would have the magnetic quality of Bush vs. Gore 2000. It would be quite a show, especially if people had the option of standing up at a microphone and explaining just why they voted the way they did. How's that for public access TV?

As things were, electronic counting meant agents, candidates, and various others couldn't tell what was going on. Internet voters can't be interviewed on exiting the poll station, so local parties can't get a sense of how the vote is going. The campaigners who show up on people's doorsteps to get out the vote don't know whose doorsteps to canvass. This may not seem like much of a loss. But, as ORG points out, one way candidates have traditionally decided whether to ask for a recount is by comparing the posted returns with the information the parties have worked to compile throughout the day. (For US voters: after you exit UK polling areas you typically find party representatives conducting exit polls.)

I'm not convinced that the end users – that is, the voters – count for much in any of this. So far, the best efforts of computer scientists, hackers, and activists have had little success in trying to turn back the clock to pencil and paper or other forms of tried and trusted technology. But if the insiders don't like it – the politicians who award funds, the parties who elect them – there might just be a chance it won't fly permanently. If so, they'd better act now, before the vendors become big enough to own us all.


May 11, 2007

The Blair we left behind

So, he's gone, or almost.

Ten years is a long time for anyone to remain in power. Blair hasn't quite made it as long as Margaret Thatcher did, but by virtue of the UK's different ways in electing the people who fill its top office it's longer than either Reagan or Bush II. There are children who don't remember what it was like to have the Conservatives in power. And so on.

What's startling in reading the reviews is that although at least some of them do point out how unpopular Blair has been in recent years and point the finger squarely at his policies on Iraq, they generally tend to praise the state in which he's left Britain. What none of these seem to mention is the significant erosion of civil liberties under Blair's time in office. The Britain he leaves is considerably less democratic than the one he inherited.

The most obvious symptom of this is the national ID card, whose acknowledged cost has now reached the £6 billion the LSE report (PDF) predicted – with, no doubt, considerably more to come. The project may yet founder under the weight of its own technological aspirations. But it seems to have been designed to be maximally privacy invasive. Blair also selected as the card's champions first Jack Straw (who used the 9/11 attacks as an excuse to attack those of us who were against key escrow); then David Blunkett, who essentially became addicted to the idea; and then Charles Clarke…all, we suppose, in the interests of proving that Labour was tougher on crime than the Conservatives.

The justification for implementing the card – and the massive databases behind it – has changed over the five years since it was first proposed, but the desire to do it has not. With or without the ID card, Blair leaves behind biometrics in passports – but that we can blame on the International Civil Aeronautics Organization.

Blair talked about making Britain a leader in ecommerce. But first we had lengthy wrangles over key escrow, which eventually even Blair admitted was a mistake, and then we had the achingly slow growth of broadband.

We also had the passage of the Regulation of Investigatory Powers Act in 2000, and the Anti-terrorism, Crime, and Security Act in 2001, the latter passed with unseemly haste after 9/11. Taken together, the two provide law enforcement and the security services with the right to intercept communications or demand data retention, which itself has been the subject of another very long battle. ISPs have universally argued against it; Blair's government has refused to listen.

Yes, Blair's government brought in a Freedom of Information Act – but its availability keeps narrowing. The latest: Blair refuses to condemn proposals to exempt Parliament from it. These are our public servants. Supposedly.

Blair was also for involving faith organizations in policy-making and supported faith schools.

There have also been hotly disputed changes to legislation such as the Police and Criminal Evidence Act (1984, revised 2003, and being reviewed again right now – comments to the consultation are due May 31).

During Blair's time in office the right to silence was diluted. You have the right to remain silent under arrest and questioning, to be sure, but if you do the judge and jury at your eventual trial are allowed to infer guilt from your silence.

During Blair's time, CCTV cameras have proliferated everywhere, making Londoners likely to be captured upwards of 200 times a day on camera. This government brought in anti-social behaviour orders, which opponents argue can easily be abused.

And so on, without a clear idea whether any of it is effective (PDF).

But probably the most insidious legacy Blair leaves behind is an important change in the way legislation and policy are enacted. Much new legislation – RIPA and ATCS are cases in point – is now drafted with the details left for secondary legislation that does not require a return to Parliamentary debate. The impact of legislation may be very different depending on how those details are laid out, and removing them from the debate bypasses the democratic process.

The second, the way policy is devised, is a game many countries now play: policy laundering. The game goes something like this. The US wants, say, biometrics in passports, and the UK likes the idea, too. The UK proposes it and when people object the government says, no choice, gotta have it, or the US won't let Brits into their country. When this gets old, they get the idea adopted by, say, ICAO – and thereafter they can say, no choice, it is an international standard mandated by this authority and agreed upon by all these other countries.

Of course these initiatives are not solely Blair's ideas; these proposals are showing up everywhere. But isn't the point of a good leader to resist bad ideas?

Blair was a nominee for "Worst Public Official" in Privacy International's global Big Brother awards. You can argue some geocentrism there, since PI is based in London. Still, here's what they said his credentials were: "his relentless work over ten years to expand the UK into the greatest surveillance society amongst democratic nations".

It's the "democratic" that gets you. There are plenty of countries whose leaders make Blair look like a moderate. But most of them, that's what you expect.


April 20, 2007

Green spies

Some months back I blogged a breakdown of the various fees that are added on to each airline ticket and tagged it "What we're paying." A commenter took issue: society at large, he wrote, was paying a good deal more than that for my evil flying habits, and I shouldn't be going to Miami anyway. He had a point. What's offending one niece by missing her wedding? I have more.

The intemperateness of the conversation is the kind of thing smokers used to get from those who've already quit.

Just how acrimonious the whole thing is getting was brought home to me this week when Ian Angell surfaced to claim that it is not really possible to be a privacy advocate and an environmentalist at the same time. Of course, Angell was in part just trying to make trouble and get people arguing. But he says he has a serious point.

"The green issues are providing a moral justification for the invasion of privacy," he says, "and the green lobby must take it on board as part of what they're doing. And the fact that they're not taking it on board makes them guilty."

I wouldn't go that far – I do not think you can blame people for unintended consequences. But there are a number of proposals floating around in the UK that could provide yet more infrastructure for endemic surveillance, even if the intention at the moment is to protect the environment.

For example: the idea of the personal carbon allowance, first mooted in 2005 with the notion that it could be linked to the ID card. Last July, environment minister David Miliband proposed issuing swipe cards to all consumers, which you'd have to produce whenever you bought anything like petrol or heating – or plane tickets. That at least would give me ammunition against my blog commenter, because other than flying my carbon footprint is modest. In fact, we could have whole forums of moral superiors boasting about how few carbon points they used, like we now have people who boast about how early they get up in the morning. And we could have billboards naming and shaming those who – oh, the horror – had to buy extra carbon points, like they do for TV license delinquents.

Or take the latest idea in waste management, the spy bin fitted with a microchip sensor that communicates with the garbage truck to tell your local council how much you've contributed to the landfill. Given the apparent eagerness of manufacturers to enhance their packaging with RFID chips, this could get really interesting over time.

This is also a country where the congestion charge – a scheme intended to reduce the amount of traffic in central London – is enforced by cameras that record the license plates of every vehicle as it crosses the border. Other countries have had road tolls for decades, but London's mayor, formerly known as "Red Ken" Livingstone because of his extreme left-wing leanings, chose the most privacy-invasive way to do it. Proposals for nationwide road charging follow the same pattern, although the claim is that there will be safeguards against using the installed satellite tracking boxes to actually track motorists. Why on earth is this huge infrastructure remotely necessary? We already have per-mile road use charging. It's called buying fuel.

Privacy International's executive director, Simon Davies, points out that none of these proposals – nor those to expand the use of CCTV (talking cameras!) – are supported by research to show how the environment will benefit.

Of course, if there's one rule about environmentalism it is, as Angell says, "The best tax is the tax the other guy pays." Personally, I'd ban airconditioning; it doesn't get that hot in the UK anyway, and a load of ceiling fans and exhaust fans would take care of all but the most extreme cases of medical need. It certainly does seem ironic that just at the moment when everyone's getting exercised about saving energy and global warming – they're all putting in airconditioning so cold you have to carry a sweater with you if you go anywhere in the "summer".

So, similarly, when Angell says there are "straightforward, immediate answers" he's perfectly right. The problem is they'll all enrage some large group of businesses. "You could reduce garbage by 80 percent by banning packaging in shops. We are squabbling about tiny little changes when quite substantial changes are just not on the cards."

And then, he adds, "They jump on airline travel because you can bump up the taxes and it's morally justified."

I am convinced, however, that it's possible to be a privacy advocate and an environmentalist simultaneously. This is a type of issue that has come up before, most notably in connection with epidemiology. If you make AIDS a notifiable disease you make it easier to track the patterns of infection and alert those most at risk; but doing so invades patient privacy. But in the end, although Angell's primary goal was to stir up trouble, he's right to say that environmentalists need to ensure that their well-meaning desire to save the planet is not hijacked. Or, he says, "they will be blamed for the taxation and the intrusion."

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

March 23, 2007

Double the networks, double the neutralities

Back in 1975, the Ithaca, New York apartment building I was living in had a fire in the basement, and by the time it was out so was my telephone line. The repairman's very first move was to disconnect the $3 30-foot cable I had bought at K-Mart and confiscate it. At the time, AT&T's similar cable cost $25.

In fact, by then AT&T had no right to control what equipment you attached to your phone line because of the Carterfone case, in which the FCC ruled against AT&T's argument that it had to own all the equipment in order to ensure that the network would function properly. But this is how the telco world worked; in Edinburgh in 1983 legally you could only buy a modem from British Telecom. I think it cost about £300 – for 300 baud. Expensive enough that I didn't get online until 1990.

Stories like this are part of why the Internet developed the way it did: the pioneers were determined to avoid a situation where the Internet was controlled like this. In the early 1980s, when the first backbone was being built in the US to connect the five NSF-funded regional computing centers, the feeling was mutual. John Connolly, who wrote the checks for a lot of that work, told me in an interview in 1993 that they had endless meetings with the telcos trying to get them interested, but those companies just couldn't see that there was any money in the Internet.

Well, now here we are, and the Internet is chewing up the telcos' business models and creating havoc for the cable companies who were supposed to be the beneficiaries, and so it's not surprising that the telcos' one wish is to transform the Internet into something more closely approximating the controlled world they used to love.

Which is how we arrived at the issue known as network neutrality. This particular debate has been percolating in the US for at least a year now, and some discussion is beginning in the UK. This week, at a forum held in Westminster on the subject, Ofcom and the DTI said the existing regulatory framework was sufficient.

The basic issue is, of course, money. The traditional telcos are not, of course, having a very good time of things, and it was inevitable that it would occur to some bright CEO – it turned out to be the head of Verizon – that there ought to be some way of "monetizing" all those millions of people going to Google, Yahoo!, and the other top sites. Why not charge a fee to give priority service? That this would also allow the telcos to discriminate against competitor VOIP services and the cablecos (chiefly Comcast) to discriminate against competing online video services is also a plus. These proposals are opposed not only by the big sites in question but by the usual collection of Net rights organizations, who tend to believe all sites were created equal – or should be.

Ofcom – and others I've talked to – believes that the situation in the UK is different, in part because although most of the nation's DSL service is provided either directly or indirectly by BT, that company has to be cooperative with its competitors or face the threat of regulation. The EU, however, is beginning to take a greater interest in these matters, and has begun legal proceedings against Germany over a law exempting Deutsche Telekom from opening the local loop of its new VDSL network to competitors.

But Timothy Wu, a law professor at Columbia and author of Who Controls the Internet: Illusions of a Borderless World, has pointed out that the current debates are ignoring an important sector of the market: wireless. The mobile market is not now, nor ever has been, neutral. It is less closed in Europe, where you can at least buy a phone and stick any SIM in it; but in the US most phones are hardware-locked to their networks, a situation that could hardly be less consumer-friendly. Apple's new iPod, for example, will be available through only one carrier, AT&T Wireless.

Wu's paper, along with the so-called "Carterfone" decision that forced AT&T to stop confiscating people's phone cords, is cited by Skype in a petition to get the FCC to require mobile phone operators to allow software applications open access. Skype's gripe is easy to comprehend: it can't get its service onto mobile phones. The operators' lack of interest in opening their networks is also easy to comprehend: what consumer is going to call on their expensive tariffs if they can use the Internet data connection to make cheap ones? Wu also documents other cases of features that are added or subtracted according to the network operators' demands: call timers (missing), wi-fi (largely absent), and Bluetooth (often crippled in the US).

The upshot is that because the two markets – wireless phones and the Internet – have developed from opposite directions, we have two network neutrality debates, not one. The wonder is that it took us so long to notice.

February 23, 2007

Equal prizes

It's been quite a week for women. Wimbledon has announced equal prize money "across the board" for men and women, and a woman has won the Alan M Turing Award from the Association for Computing Machinery. (Please don't confuse that with passing the Turing test; Frances Allen is a pioneer in computer science, not a cleverly built robot.) That concrete pig a friend gave me as a sort of anti-garden gnome is adjusting his aviator goggles and getting ready to take flight.

In the scheme of things, a woman's winning the Turing Award ought to be the less surprising of the two events. Although few women make the mainstream news in computing, there have been enough of them in computing history that it surely had to happen. The All-England Club, which stages the Wimbledon tennis championships every year, is a private club that can do anything it wants, and has for years insisted that the surveys it's carried out show that the audience prefers men's tennis. (To which I say, "Who did you ask?") Anyway: the silly arguments are finally over now, and the best part of that is that we won't have to read the same debate every June. It had gotten boring. Twenty years ago.

The list of Turing Award winners includes some pretty impressive and famous people - Marvin Minsky and John McCarthy for artificial intelligence, Vint Cerf and Robert E. Kahn for the protocols underlying the Internet, Maurice Wilkes, who went on from designing and building the first computer with an internally stored program to inspire generations of computer scientists at Cambridge. The first female winner's work, like many of the other winners', is less familiar as it's in high-performance computing rather than something as mainstream as the Internet. It's not a sign of prejudice that she wasn't better known until now.

I wish I could say that Allen is the first of many. That's not clear. She's almost certainly the first of some. But the truly sad thing is that the numbers of women in computer science have been dropping steadily over the last decade or two, in both Britain and America (and other countries, too). I recently had occasion to interview Nigel Shadbolt, the head of the British Computer Society (the ACM's British equivalent), and he was quite open about it. He named several female BCS Fellows (a designation you need experience and kudos to get), and concluded, "They are there, but not in the numbers we'd like." Only 6 percent of BCS Fellows are women, though the BCS is determined to improve on that. (Bear in mind also that the average age of Fellows is 60, although it's beginning to drop as the generation who grew up with computers in their homes begin to take advantage of that substantial head start.)

Shadbolt blamed early socialising in schools, where girls get the message early that computer science is a hard career to juggle with the demands of any families they might want to have - and also that the geek image is not one you want to have if you're a girl.

Nonetheless, Shadbolt said the BCS numbers are getting a little better. Of the membership as a whole, 14 percent are women. But of the new members the BCS has been recruiting, 20 percent are female.

Does it matter?

Shadbolt thought so. "Modern IT is about social skills as much as technical skills," he told me.

That statement doesn't fill me with as much delight as it might; I'd rather hear that women are needed for their technical genius than the old saw about how they're better with people. Note that Allen has won her awards for fundamentally changing a technical field.

The odd thing is that there are more women in the history of computing than most people realize. Six female mathematicians programmed ENIAC. Contrary to today's idea that only young males could be obsessive enough to spend all that time with their computers, 50 years ago it was thought that only women had the patience to be programmers.

There are several reasons why it does matter to get women into computer science. The first is for the women themselves: why should they miss out on interesting, challenging careers because of some stupid stereotype? The second is simple numbers and applies to all the hard sciences: we need all the talented people we can get entering those fields. The third is practical: computers pervade every part of life. The greater the diversity of the people designing them, the better.

Daily Tennis points out today that equalizing prize money at Wimbledon, while an important gesture, goes only a small way to redress the prize money gap. The women's tour overall has 22 percent less prize money on offer than the men's (men, by the way, play almost exclusively three-set matches away from the Grand Slams), and the Wimbledon change goes only about 1 percent of the way towards narrowing that gap. The chief effect, therefore, is to make the All-England club stop looking like antediluvian, misogynist dorks.

Percentagewise Allen's win is smaller than that. But it will remind an entire generation of girls that it's cool to be a computer scientist,

February 9, 2007

Getting out the vote

Voter-verified paper audit trails won't save us. That was the single clearest bit of news to come out of this week's electronic voting events.

This is rather depressing, because for the last 15 years it's looked as though VVPAT (as they are euphoniously calling it) might be something everyone could compromise on: OK, we'll let you have your electronic voting machines as long as we can have a paper backup that can be recounted in case of dispute. But no. According to Rebecca Mercuri in London this week (and others who have been following this stuff on the ground in the US), what we thought a paper trail meant is definitely not what we're getting. This is why several prominent activist organisations have come out against the Holt bill HR811, introduced into Congress this week, despite its apparent endorsement of paper trails.

I don't know about you, but when I imagined a VVPAT, what I saw in my mind's eye was something like an IBM punch card dropping individually into some kind of display where a voter would press a key to accept or reject. Instead, vendors (who hate paper trails) are providing cheap, flimsy, thermal paper in a long roll with no obvious divisions to show where individual ballots are. The paper is easily damaged, it's not clear whether it will survive the 22 months it's supposed to be stored, and the mess is not designed to ease manual recounts. Basically, this is paper that can't quite aspire to the lofty quality of a supermarket receipt.

The upshot is that yesterday you got a programme full of computer scientists saying they want to vote with pencils and paper. Joseph Kiniry, from University College, Dublin, talked about using formal methods to create a secure system – and says he wants to vote on paper. Anne-Marie Oostveen told the story of the Dutch hacker group who bought up a couple of Nedap machines to experiment on and wound up publicly playing chess on them – and exposing their woeful insecurity – and concluded, "I want my pencil back." And so on.

The story is the same in every country. Electronic voting machines – or, more correctly, electronic ballot boxes – are proposed and brought in without public debate. Vendors promise the machines will be accurate, reliable, secure, and cheaper than existing systems. Why does anyone believe this? How can a voting computer possibly be cheaper than a piece of paper and a pencil? In fact, Jason Kitcat, a longtime activist in this area, noted that according to the Electoral Commission the cost of the 2003 pilots was astounding – in Sheffield £55 per electronic vote, and that's with suppliers waiving some charges they didn't expect either. Bear in mind, also, that the machines have an estimated life of only ten years.

Also the same: governments lack internal expertise on IT, basically because anyone who understands IT can make a lot more money in industry than in either government or the civil service.

And: everywhere vendors are secretive about the inner workings of their computers. You do not have to be a conspiracy theorist to see that privatizing democracy has serious risks.

On Tuesday, Southport LibDem MP John Pugh spoke of the present UK government's enchantment with IT. "The procurers who commission IT have a starry-eyed view of what it can do," he said. "They feel it's a very 'modern' thing." Vendors, also, can be very persuasive (I'd like to see tests on what they put in the ink in those brochures, personally). If, he said, Bill Gates were selling voting machines and came up against Tony Blair, "We would have a bill now."

Politicians are, probably, also the only class of people to whom quick counts appeal. The media, for example, ought to love slow counts that keep people glued to their TV sets, hitting the refresh button on their Web browsers, and buying newspapers throughout. Florida 2000 was a media bonanza. But it's got to be hard on the guys who can't sleep until they know whether they have a job next month.

I would propose the following principles to govern the choice of balloting systems:

- The mechanisms by which votes are counted should be transparent. Voters should be able to see that the vote they cast is the vote they intended to cast.

- Vendors should be contractually prohibited from claiming the right to keep secret their source code, the workings of their machines, or their testing procedures, and they should not be allowed to control the circumstances or personnel under which or by whom their machines are tested. (That's like letting the psychic set the controls of the million-dollar test.)

- It should always be possible to conduct a public recount of individual ballots.

Pugh made one other excellent point: paper-based voting systems are mature. "The old system was never perfect," he said, but over time "we've evolved a way of dealing with almost every conceivable problem." Agents have the right to visit every polling station and watch the count; recounts can consider every single spoiled ballot. By contrast, electronic voting presumes everything will go right.

Guys, it's a computer. Next!

January 26, 2007

Vote early, vote often...

It is a truth that ought to be universally acknowledged that the more you know about computer security the less you are in favor of electronic voting. We thought – optimists that we are – that the UK had abandoned the idea after all the reports of glitches from the US and the rather indeterminate results of a couple of small pilots a few years ago. But no: there are plans for further trials for the local elections in May.

It's good news, therefore, that London is to play host to two upcoming events to point out all the reasons why we should be cautious. The first, February 6, is a screening of the HBO movie Hacking Democracy, a sort of documentary thriller. The second, February 8, is a conference bringing together experts from several countries, most prominently Rebecca Mercuri, who was practically the first person to get seriously interested in the security problems surrounding electronic voting. Both events are being sponsored by the Open Rights Group and the Foundation for Information Policy Research, and will be held at University College London. Here is further information and links to reserve seats. Go, if you can. It's free.

Hacking Democracy (a popular download) tells the story of Bev Harris (http://www.blackboxvoting.org) and Andy Stephenson. Harris was minding her own business in Seattle in 2000 when the hanging chad hit the Supreme Court. She began to get interested in researching voting troubles, and then one day found online a copy of the software that runs the voting machines provided by Diebold, one of the two leading manufacturers of such things. (And, by the way, the company whose CEO vowed to deliver Ohio to Bush.) The movie follows this story and beyond, as Harris and Stephenson dumpster-dive, query election officials, and document a steady stream of glitches that all add up to the same point: electronic voting is not secure enough to protect democracy against fraud.

Harris and Stephenson are not, of course, the only people working in this area. Among computer experts such as Mercuri, David Chaum, David Dill, Deirdre Mulligan, Avi Rubin, and Peter Neumann, there's never been any question that there is a giant issue here. Much argument has been spilled over the question of how votes are recorded; less so around the technology used by the voter to choose preferences. One faction – primarily but not solely vendors of electronic voting equipment – sees nothing wrong with Direct Recording Electronic, machines that accept voter input all day and then just spit out tallies. The other group argues that you can't trust a computer to keep accurate counts, and that you have to have some way for voters to check that the vote they thought they cast is the vote that was actually recorded. A number of different schemes have been proposed for this, but the idea that's catching on across the US (and was originally promoted by Mercuri) is adding a printer that spits out a printed ballot the voter can see for verification. That way, if an audit is necessary there is a way to actually conduct one. Otherwise all you get is the machine telling you the same number over again, like a kid who has the correct answer to his math homework but mysteriously can't show you how he worked the problem.

This is where it's difficult to understand the appeal of such systems in the UK. Americans may be incredulous – I was – but a British voter goes to the polls and votes on a small square of paper with a stubby, little pencil. Everything is counted by hand. The UK can do this because all elections are very, very simple. There is only one election – local council, Parliament – at a time, and you vote for one of only a few candidates. In the US, where a lemon is the size of an orange, an orange is the size of a grapefruit, and a grapefruit is the size of a soccer ball, elections are complicated and on any given polling day there are a lot of them. The famous California governor's recall that elected Arnold Schwarzenegger, for example, had hundreds of candidates; even a more average election in a less referendum-happy state than California may have a dozen races, each with six to ten candidates. And you know Americans: they want results NOW. Like staying up for two or three days watching the election returns is a bad thing.

It is of course true that election fraud has existed in all eras; you can "lose" a box of marked paper ballots off the back of a truck, or redraw districts according to political allegiance, or "clean" people off the electoral rolls. But those types of fraud are harder to cover up entirely. A flawed count in an electronic machine run by software the vendor allows no one to inspect just vanishes down George Orwell's memory hole.

What I still can't figure out is why politicians are so enthusiastic about all this. Yes, secure machines with well-designed user interfaces might get rid of the problem of "spoiled" and therefore often uncounted ballots. But they can't really believe – can they? – that fancy voting technology will mean we're more likely to elect them? Can it?

December 29, 2006

Resolutions for 2007

A person can dream, right?

- Scrap the UK ID card. Last week's near-buried Strategic Action Plan for the National Identity Scheme (PDF) included two big surprises. First, that the idea of a new, clean, all-in-one National Identity Register is being scrapped in favor of using systems already in use in government departments; second, that foreign residents in the UK will be tapped for their biometrics as early as 2008. The other thing that's new: the bald, uncompromising statement that it is government policy to make the cards compulsory.

No2ID has pointed out the problems with the proposal to repurpose existing systems, chiefly that they were not built to do the security the legislation promised. The notion is still that everyone will be re-enrolled with a clean, new database record (at one of 69 offices around the country), but we still have no details of what information will be required from each person or how the background checks will be carried out. And yet, this is really the key to the whole plan: the project to conduct background checks on all 60 million people in the UK and record the results. I still prefer my idea from 2005: have the ID card if you want, but lose the database.

The Strategic Action Plan includes the list of purposes of the card; we're told it will prevent illegal immigration and identity fraud, become a key "defence against crime and terrorism", "enhance checks as part of safeguarding the vulnerable", and "improve customer service".

Recall that none of these things was the stated purpose of bringing in an identity card when all this started, back in 2002. Back then, first it was to combat terrorism, then it was an "entitlement card" and the claim was that it would cut benefit fraud. I know only a tiny mind criticizes when plans are adapted to changing circumstances, but don't you usually expect the purpose of the plans to be at least somewhat consistent? (Though this changing intent is characteristic of the history of ID card proposals going back to the World Wars. People in government want identity cards, and try to sell them with the hot-button issue of the day, whatever it is.)

As far as customer service goes, William Heath has published some wonderful notes on the problem of trust in egovernment that are pertinent here. In brief: trust is in people, not databases, and users trust only systems they help create. But when did we become customers of government, anyway? Customers have a choice of supplier; we do not.

- Get some real usability into computing. In the last two days, I've had distressed communications from several people whose computers are, despite their reasonable and best efforts, virus-infected or simply non-functional. My favourite recent story, though, was the US Airways telesales guy who claimed that it was impossible to email me a ticket confirmation because according to the information in front of him it had already been sent automatically and bounced back, and they didn't keep a copy. I have to assume their software comes with a sign that says, "Do not press this button again."

Jakob Nielsen published a fun piece this week, a list of top ten movie usability bloopers. Throughout movies, computers only crash when they're supposed to, there is no spam, on-screen messages are always easily readable by the camera, and time travellers have no trouble puzzling out long-dead computer systems. But of course the real reason computers are usable in movies isn't some marketing plot by the computer industry but the same reason William Goldman gave for the weird phenomenon that movie characters can always find parking spaces in front of their destination: it moves the plot along. Though if you want to see the ultimate in hilarious consumer struggles with technology, go back to the 1948 version of Unfaithfully Yours (out on DVD!) starring Rex Harrison as a conductor convinced his wife is having an affair. In one of the funniest scenes in cinema, ever, he tries to follow printed user instructions to record a message on an early gramophone.

- Lose the DRM. As Charlie Demerjian writes, the high-def wars are over: piracy wins. The more hostile the entertainment industries make their products to ordinary use, the greater the motivation to crack the protective locks and mass-distribute the results. It's been reasonably argued that Prohibition in the US paved the way for organized crime to take root because people saw bootleggers as performing a useful public service. Is that the future anyone wants for the Internet?

Losing the DRM might also help with the second item on this list, usability. If Peter Gutmann is to be believed, Vista will take a nosedive downwards in that direction because of embedded copy protection requirements.

- Converge my phones. Please. Preferably so people all use just the one phone number, but all routing is least-cost to both them and me.

- One battery format to rule them all. Wouldn't life be so much easier if there were just one battery size and specification, and to make a bigger battery you'd just snap a bunch of them together?

Happy New Year!

November 24, 2006

The Great Firewall of Britain

We may joke about the "Great Firewall of China", but by the end of 2007 content blocking will be a fact of Internet life in the UK. In June, Vernon Coaker, Parliamentary Under-Secretary for the Home Department, told Parliament, "I have recently set the UK Internet industry a target to ensure that by the end of 2007 all Internet service providers offering broadband Internet connectivity to the UK public prevent their customers from accessing those Web sites." By "those", he means Web sites carrying pornographic images of children.

Coaker went on to say that by the end of 2006 he expects 90 percent of ISPs to have blocked "access to sites abroad", and that, "We believe that working with the industry offers us the best way forward, but we will keep that under review if it looks likely that the targets will not be met."

The two logical next questions: How? And How much?

Like a lot of places, the UK has two major kinds of broadband access: cable and DSL. DSL is predominantly provided by BT, either retail directly to customers or wholesale to smaller ISPs. Since 2004, BT's retail service is filtered by its Cleanfeed system, which last February the company reported was blocking about 35,000 attempts to access child pornography sites per day. The list of sites to block comes from the Internet Watch Foundation, and is compiled from reports submitted by the public. ISPs pay IWF £5,000 a year to be supplied with the list – insignificant to a company like BT but not necessarily to a smaller one. But the raw cost of the IWF list is insignificant compared to the cost of reengineering a network to do content blocking.

How much will it cost for the entire industry?

Malcolm Hutty, head of public affairs at Linx, says he can't even begin to come up with a number. BT, he thinks, spent something like £1 million in creating and deploying Cleanfeed – half on original research and development, half on deployment. Most of the first half of that would not now be necessary for an ISP trying to decide how to proceed, since a lot more is known now than back in 2003.

Although it might seem logical that Cleanfeed would be available to any DSL provider reselling BT's wholesale product, that's not the case.

"You can be buying all sorts of different products to be able to provide DSL service," he says. A DSL provider might simply rebrand BT's own service – or it might only be paying BT to use the line from your home to the exchange. "You have to be pretty close to the first extreme before BT Cleanfeed can work for you." So adopting Cleanfeed might mean reengineering your entire product.

In the cable business, things are a bit different. There, an operator like ntl or Telewest owns the entire network, including the fibre to each home. If you're a cable company that implemented proxy caching in the days when bandwidth was expensive and caching was fashionable, the technology you built then will make it cheap to do content blocking. According to Hutty, ntl is in this category – but its Telewest and DSL businesses are not.

So the expense to a particular operator varies for all sorts of reasons: the complexity of the network, how it was built, what technologies it's built on. This mandate, therefore, has no information behind it as to how much it might cost, or the impact it might have on an industry that other sectors of government regard as vital for Britain's economic future.

The How question is just as complicated.

Cleanfeed itself is insecure (PDF), as Cambridge researcher Richard Clayton has recently discovered. Cleanfeed was intended to improve on previous blocking technologies by being both accurate and inexpensive. However, Clayton has found that not only can the system be circumvented but it also can be used as an "oracle to efficiently locate illegal websites".

Content blocking is going to be like every other security system: it must be constantly monitored and updated as new information and attacks become known or are developed. You cannot, as Clayton says, "fit and forget".

The other problem in all this is the role of the IWF. It was set up in 1996 as a way for the industry to regulate itself; the meeting where it was proposed came after threats of external regulation. If all ISPs are required to implement content blocking, and all content blocking is based on the IWF's list, the IWF will have considerable power to decide what content should be blocked. So far, the IWF has done a respectable job of sticking to clearly illegal pornography involving children. But its ten years have been marked by occasional suggestions that it should broaden its remit to include hate speech and even copyright infringement. Proposals are circulating now that the organisation should become an independent regulator rather than an industry-owned self-regulator. If IWF is not accountable to the industry it regulates; if it's not governed by Parliamentary legislation; if it's not elected… then we will have handed control of the British Internet over to a small group of people with no accountability and no transparency. That sounds almost Chinese, doesn't it?

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

November 17, 2006

Waiting for Gowers

So here it is November, and we are drumming our heels impatiently (to the annoyance of the new downstairs neighbours) still waiting for the results of the Gowers Review of Intellectual Property, which was supposed to report to the Chancellor, the Secretary of State for Trade and Industry, and the Secretary of State for Culture, Media, and Sport "in Autumn 2006". I'm not sure when "Autumn" officially begins or ends, but I'd go with August Bank Holiday/Labor Day to the Sunday when the clocks change.

Perhaps the delay is due to global warming.

The Gowers Review is large and complicated. One change the recording industry is lobbying for is copyright term extension for sound recordings; although copyright in sound recordings is 95 years in the US, here you only get (weep for them) 50. The Open Rights Group, on whose advisory board I email, held an event to air the matter earlier this week. It is heartening to report that the event was full of people and passion: one reason copyright has kept getting extended is that no one outside the industry seemed to care.

There are a number of things that *aren't* included in the review. Government information, for example, which had its own review in 2000. Crown Copyright and Parliamentary Copyright (it may not make sense to an American that the text of national legislation is copyright, but so it is). The Patent Office is doing its own review of trademarks and the definition of a "technical step" that's required to make something patentable – this applies in a vital way to the question of patenting software programs. But things like digital rights management, orphan works, archives' right to make preservation copies, and the problem of perpetual copyright in unpublished work are all being considered. (Yes. A 15th century, anonymous, unpublished poem cannot legally be published or copied.)

The problem is that so many deals can still be cut in smoke-filled back rooms. The review's original plan seems more interested in business IP use than in consumers' rights.

We say again: all intellectual property law is a balance between rewarding artists and creators and the rights of the public to access and use their own culture. Corporations that have bought up large numbers of copyrights won't care about this, but (as I also keep saying) every creator is a net consumer of intellectual property. Every writer reads more than he writes; every musician listens to more music than he learns or composes; every filmmaker, even Woody Allen, sees far more films than he will ever make. The more restrictive – or, in Pamela Samuelson's word for it, maximalist – copyright becomes overall, the less people will be able to build on the past to produce new work. And no one, no matter how much of a genius, ever creates things that are entirely new with no reference to what has gone before.

So my hope is that what's taking the extra time is that there are lots of impassioned submissions and Gowers and his team are having to consider public interests they didn't expect. And not, instead, that what's happening is behind-the-scenes dickering to skew the report against the public interest.

It's only the future of copyright in the UK.

Still: the point isn't to rush to release the report. The point is to get the report right.

What *should* happen? The Skeptics, another subculture I inhabit, have a saying with reference to the paranormal that "Extraordinary claims require extraordinary proof." Copyright has been with us for centuries, but the relentless march to extend it has vastly accelerated since the mid-1970s. I think we should class the claim that further extension is necessary as extraordinary, and we should demand commensurate proof of its need from those who are lobbying for it. Especially since the industry's major players are the same in every country; in other legal areas we do not assume that the UK must have the same laws as the US. Why should that be true in copyright?

While we're waiting, I have long thought that we need to replace the term "intellectual property". It's a bad metaphor, and calling the intangible results of the creative process "property" stacks the deck against anyone in favor of public access, because as soon as you talk about limiting the term of property rights you sound like a thief. I've been trying to come up with a term that expresses something about products of the creative process ("croducts"?) or what John Perry Barlow talks about as creatures that form in the intellectual and emotional space between two people. I haven't had very much luck. (Could we talk of a "clever"? or borrow Vannevar Bush's term for his Web-like fantasy machine, a "memex"?) "Intellectual children" is my best analogy: like children, you create and nurture the products of your mind, and at some point they leave you and have to find their own way in the world. You do not, ever, own them.

A free copy of one of my books to anyone who can come up with a really good answer to this. Meantime, I'm sure Punxsutawney Phil will be along any day now, looking for his shadow.


November 10, 2006

ICANN dreams

This week ICANN announced its three new board members for 2006 to 2009. Persistent readers of this column will know that I put my name in for the job. I'm not one of the three. They are: Roberto Gaetano, Steven Goldstein, and Rajasekhar Ramaraj, and I know about them approximately what's written by Kieren McCarthy, a journalist who has spent more time than anyone documenting ICANN.

ICANN had 90 applicants for the open jobs – three for the board of directors, and four for various subgroups. I'm told that in Asian countries it would be a terrible loss of face to be on the short list and then not get chosen, and that this could be the reason the names of those on the short list have never been made public. But no statistics have been released either, so we don't even know how many made it that far. Nominating committee members are unlikely ever to divulge even that much; they were required to sign a non-disclosure agreement. I know only this: I was on the short list.

Because so little is known about the ICANN selection process, it seems worth recounting what happened. Shortly before the nominating committee's late September selection meeting in Frankfurt, I got email from the chair, George Sadowsky, asking me to supply a phone number where I could be contacted on Friday, the first day of the meeting. If they wanted to speak to me they would call that number and schedule a phone call for Saturday. I should not draw negative conclusions if they did not contact me. But they did, working around a transatlantic flight, and the phone call was scheduled.

Now, I'm a writer, and kind of a literalist with language. I also have pretty much never applied for a job, and don't work in either the corporate world or academia. Therefore, when his email said they wanted to talk to me for "clarification" I assumed they meant they wanted to ask me questions about what I'd written in my statement of interest. So I reread it. I also spent an hour or two before the phone call reading news and other items on the ICANN site. One of these was the then newly released LSE report (PDF) on the Generic Names Supporting Organization.

None of that helped, because what Sadowsky, who conducted the 20-minute call with utter silence behind him, asked me were things like, "What, in your view, is ICANN's mission?" And "What are the three areas of ICANN you most want to be active in?" The first question made me think I was taking a test; the second seemed more like a job interview, or perhaps a theatrical casting call. You know, the kind where the director and his minions are all sitting, invisible, out in the theater where you can't see them because the stage lights are blinding you. When I asked who else was sitting around the phone they wouldn't say. (They did refer me to the Web page listing the committee's members, but I wasn't sure who might or might not have made the actual meeting.)

"What," the last question went, "would you want to say you had accomplished that only you could do" if I were chosen. I said I wanted to see ICANN become a more trusted and accountable organization.

There's no point pretending otherwise: I sounded completely lame and unprepared. Hardly surprising, because I was. I did manage to suggest that one reason I didn't know more about ICANN – enough, say, to know what they meant by "three areas" (countries? subcommittees? policies? "What are the choices?" I asked, and was referred again to the Web page) – was, as the LSE report agreed, the difficulty of navigating their Web site. It, like the European Union government sites, is perfectly understandable if you are already an expert on its content, but otherwise not so much.

In this sort of endeavor I have a second problem: journalists learn to deadline and forget everything the second they send the article in. In any given year I probably write 200 articles on dozens of topics. There isn't a single one of those topics where I don't have to reread what I've written to know what I said, even if I wrote it yesterday (I also reread my own work because I trust the research).

So, yes, I should have had the sense to be better prepared, but it was all, as I say, so unexpected. I serve on other boards. None requires anything like the effort the ICANN board does; and arguably none of them is as decisive in determining what the organizations do. In all cases I joined because I was asked; I never went through a selection process like this one.

As a reject, I can't really comment intelligently on how ICANN went about making its choices. I merely tell the story here in case my experience can help another applicant, somewhere down the line, be less confused than I was.

Thanks to all those who emailed or posted messages of support, and especially to my three referees.


October 6, 2006

A different kind of poll tax

Elections have always had two parts: the election itself, and the dickering beforehand (and occasionally afterwards) over who gets to vote. The latest move in that direction: at the end of September the House of Representatives passed the Federal Election Integrity Act of 2006 (H.R. 4844), which from 2010 will prohibit election officials from giving anyone a ballot who can't present a government-issued photo ID whose issuing requirements included proof of US citizenship. (This lets out driver's licenses, which everyone has, though I guess it would allow passports, which relatively few have.)

These days, there is a third element: specifying the technology that will tabulate the votes. Democracy depends on the voters' being able to believe that what determines the election is the voters' choices rather than the latter two.

The last of these has been written about a great deal in technology circles over the last decade. Few security experts are satisfied with the idea that we should trust computers to do "black box voting" where they count up and just let us know the results. Even fewer security experts are happy with the idea that so many politicians around the world want to embrace: Internet (and mobile phone) voting.

The run-up to this year's mid-term US elections has seen many reports of glitches. My favorite recent report comes from a test in Maryland, where it turned out that the machines under test did not communicate with each other properly when the touch screens were in use. If they don't communicate correctly, voters might be able to vote more than once. Attaching mice to the machines solves the problem – but the incident is exactly the kind of wacky glitch that's familiar from everyday computing life and that can take absurd amounts of time to resolve. Why does anyone think that this is a sensible way to vote? (Internet voting has all the same risks of machine glitches, and then a whole lot more.)

The 2000 US Presidential election isn’t as famous for the removal from the electoral rolls in Florida of a few hundred thousand voters as it is for hanging chad – but read or watch on the subject. Of course, wrangling over who gets to vote didn't start then. Gerrymandering districts, fighting over giving the right to vote to women, slaves, felons, expatriates…

The latest twist in this fine, old activity is the push in the US towards requiring Voter ID. Besides the federal bill mentioned above, a couple of dozen states have passed ID requirements since 2000, though state courts in Missouri, Kentucky, Arizona, and California are already striking them down. The target here seems to be that bogeyman of modern American life, illegal immigrants.

Voter ID isn't as obviously a poll tax. After all, this is just about authenticating voters, right? Every voter a legal voter. But although these bills generally include a requirement to supply a voter ID free of charge to people too poor to pay for one, the supporting documentation isn't free: try getting a free copy of your birth certificate, for example. The combination of the costs involved in that aspect, plus the effort involved in getting the ID, is a burden that falls disproportionately on the usual already disadvantaged groups (the same ones stopped from voting in the past by road blocks, insufficient provision of voting machines in some precincts, and indiscriminate cleaning of the electoral rolls). Effectively, voter ID creates an additional barrier between the voter and the act of voting. It may not be the letter of a poll tax, but it is the spirit of one.

This is in fact the sort of point that opponents are making.

There are plenty of other logistical problems, of course, such as: what about absentee voters? I registered in Ithaca, New York, in 1972. A few months before federal primaries, the Board of Elections there mails me a registration form; returning it gets me absentee ballots for the Democratic primaries and the elections themselves. I've never known whether my vote is truly anonymous; nor whether it's actually counted. I take those things on trust, just as, I suppose, the Board of Elections trusts that the person sending back these papers is not some stray British person who does my signature really well. To insert voter ID into that process would presumably require turning expatriate voters over to, say, the US Embassies, who are familiar with authentication and checking identity documents.

Given that most countries have few such outposts, the barriers to absentee voting would be substantially raised for many expatriates. Granted, we're a small portion of the problem. But there's a direct clash between the trend to embrace remote voting – the entire state of Oregon votes by mail – and the desire to authenticate everyone.

We can fix most of the voting technology problems by requiring voter-verifiable, auditable, paper trails, as Rebecca Mercuri began pushing for all those years ago (and most computer scientists now agree with), and there seem to be substantial moves in that direction as state electors test the electronic equipment and scientists find more and more serious potential problems. Twenty-seven states now have laws requiring paper trails. But how we control who votes is the much more difficult and less talked-about frontier.


September 22, 2006

The last social mile

Persistent readers of net.wars may remember that last February I spent a month working in an office. A couple of days ago, it was announced that Jim Fruchterman, the owner of The Benetech Initiative, the office in question, has been given the MacArthur "Genius" award for his work as a "social entrepreneur".

The $500,000 award joins Fruchterman to a pretty elite and eclectic gang: Richard Stallman (free software pioneer), Pamela Samuelson (the first to blow the whistle on where copyright was going), and (the first time I ever heard of these awards) magician and paranormal investigator James Randi. The awards famously have no strings: you could take the half-mil and head for retirement. But the people MacArthur picks are the passionate, creative kind who are too driven to do anything but plough the money back into their work.

My corner of Benetech was the Human Rights Database Group which, under the leadership of Patrick Ball, uses relational databases to extract scientifically defensible statistics from testimony documenting human rights abuses, and also makes the Martus program to securely collect and manage unstructured information (such as testimony). But HRDAG is only one of several Benetech projects. Its other programs include Bookshare, an effort that (legally) scans in books to make them available to the vision-impaired, Route 66, a literacy program for adults and teenagers with learning disabilities, and a new tool for landmine detection and removal.

When I was there, Fruchterman had just returned from his fourth visit to the World Economic Forum in Davos, where he'd been hobnobbing with the sort of people who have to check their aircraft carriers at the door. No entourages and, sadly, not much in the way of direct quotables. Fruchterman's presence at Davos reflected five years of increasing interest in incorporating the social sector into what began as primarily a meeting between business and government (plus the occasional rock star). Religious leaders, union leaders, non-government organisations, and Fruchterman's own category, social entrepreneurs, are all represented now, he said, and about half of the content of the conference is about social issues. Concerned at the beginning that their invitations might just be "social window dressing", there is now a general sense that they belong.

"Enlightened self-interest," he said, in explaining why the welfare of the less fortunate is important to the Davos crowd. It's a quote from Tony Blair, but the point is clear: investing in the socially less fortunate is a matter of self-preservation. Global warming doesn't distinguish between rich and poor countries, just as incurable tuberculosis flitting through an aircraft's ventilation system doesn't discriminate between the rich person in first class and the relatively poor one sitting 30 rows back.

There's a clear line from the first company Fruchterman founded, Calera, an early (1982) optical character recognition company, to Benetech: Fruchterman started wanting to build a reading machine as long ago as his years studying pattern recognition as an undergraduate at Caltech. He didn't have the usual sort of reason; neither he nor a family member has a visual disability. Other than a short detour to start a rocket company ("the rocket blew up"), making the world of text available to the visually impaired is a constant thread through his work life.

In 1989, he founded Arkenstone, a non-profit that used Calera's optical character recognition to develop and market such a machine for the blind. It was, he says, a technical breakthrough because the machine needed no training and did not need specific fonts. Arkenstone was eventually sold to Freedom Scientific, which shares Benetech's offices in Palo Alto.

"When you start a company," Fruchterman told me he'd come out of Davos this year thinking, "you imagine there's a gap that needs to be filled, that's why you're doing it. Sometimes you want to make a lot of money. Sometimes you do it because you want to build something – like the average engineer. I came out realizing that there are a whole bunch of demands that people are beginning to put on technology and content. For example, they want better education, more literacy, more health, better economic opportunities for the poor, cleaner energy, to stop global warming."

We're now past the stage of a few years ago, when people were still trying to understand what the issues were. Now, we pretty much know: "It's not complicated, but we need to figure out ways." As a simple example: "Stop systematically screwing poor countries."

By now, he said, "We are transitioning from hype-filled discussions of, 'We have to fix the digital divide' to asking what that really means. People are experimenting." He sees two separate threads to those experiments. One: the PC thread. This includes Negroponte and his cheap laptops, Microsoft's starter edition, Linux and open source generally. The other: the mobile phone group, who are convinced that cellphones will be the platform for everything.

For what Fruchterman does, "I don't care which group wins. The fact that both support Web browsing means we could be delivering Route 66 content to teach people reading and digital textbooks on these platforms." As long as Benetech can build what Fruchterman calls the "last social mile" on the platform, Fruchterman is happy.


August 4, 2006

Hard times at the identity corral

If there is one thing we always said about the ID card it's that it was going to be tough to implement. About ten days ago, the Sunday Times revealed how tough: manufacturers are oddly un-eager to bid to make something that a) the Great British Public is likely to hate, and b) they're not sure they can manufacture anyway. That suggests (even more strongly than before) that in planning the ID card the government operated like an American company filing a dodgy patent: if we specify it, they will come.

I sympathize with IBM and the other companies, I really do. Anyone else remember 1996, when nearly all the early stories coming out of the Atlanta Olympics blamed IBM prominently for every logistical snafu? Some really weren't IBM's fault (such as the traffic jams). Given the many failures of UK government IT systems, being associated with the most public, widespread, visible system of all could be real stock market poison.

But there's a secondary aspect to the ID card that I, at least, never considered before. It's akin to the effect often seen in the US when an amendment to the Constitution is proposed. Even if it doesn't get ratified in enough states – as, for example, the Equal Rights Amendment did not – the process of considering it often inspires a wave of related legislation. The fact that ID cards, biometric identifiers, and databases are being planned and thought about at such a high level seems to be giving everyone the idea that identity is the hammer for every nail.

Take, for example, the announcement a couple of days ago of NetIDme, a virtual ID card intended to help kids identify each other online and protect them from the pedophiles our society apparently now believes are lurking behind every electron.

There are a lot of problems with this idea, worthy though the intentions behind it undoubtedly are. For one thing, placing all your trust in an ID scheme like this is a risk in itself. To get one of these IDs, you fill out a form online and then a second one that's sent to your home address and must be counter-signed by a professional person (how like a British passport) and a parent if you're under 18. It sounds to me as though this system would be relatively easy to spoof, even if you assume that no professional person could possibly be a bad actor (no one has, after all, ever fraudulently signed passports). No matter how valid the ID is when it's issued, in the end it's a computer file protected by a password; it is not physically tied to the holder in any way, any more than your Hotmail ID and password are. For a third thing, "the card removes anonymity," the father who designed the card, Alex Hewitt, told The Times. But anonymity can protect children as well as crooks. And you'd only have to infiltrate the system once to note down a long list of targets for later use.

But the real kicker is in NetIDme's privacy policy, in which the fledgling company makes it absolutely explicit that the database of information it will collect to issue IDs is an asset of a business: it may sell the database, the database will be "one of the transferred assets" if the company itself is sold, and you explicitly consent to the transfer of your data "outside of your country" to wherever NetIDme or its affiliates "maintain facilities". Does this sound like child safety to you?

But NetIDme and other systems – fingerprinting kids for school libraries, iris-scanning them for school cafeterias – have the advantage that they can charge for their authentication services. Customers (individuals, schools) have at least some idea of what they're paying for. This is not true for the UK's ID card, whose costs and benefits are still unclear, even after years of dickering over the legislation. A couple of weeks ago, it became known that as of October 5 British passports will cost £66, a 57 percent increase that No2ID attributes in part to the costs of infrastructure needed for ID cards but not for passports. But if you believe the LSE's estimates, we're not done yet. Most recent government estimates are that an ID card/passport will cost £93, up from £85 at the time of the LSE report. So, a little quick math: the LSE report also guessed that entry into the national register would cost £35 to £40 with a small additional charge for a card, so revising that gives us a current estimate of £38.15 to £43.60 for registration alone. If no one can be found to make the cards but the government tries to forge ahead with the database anyway, it will be an awfully hard sell. "Pay us £40 to give us your data, which we will keep without any very clear idea of what we're going to do with it, and in return maybe someday we'll sell you a biometric card whose benefits we don't know yet." If they can sell that, they may have a future in Alaska selling ice boxes to Eskimos.


July 28, 2006

Why I am standing for the ICANN board

Like many of the Net's founders and creators, I am an idealist: I want the Net to remain as free and unfettered as possible, avoiding the twin dangers of stagnation and disintegration, both of which are possible outcomes of poor management. ICANN's job is nominally to provide technical oversight of naming and addressing, but it is impossible to consider these issues without making what is essentially public policy. Governments, corporations, technologists, and lawyers have an important role to play, but they are not the only stakeholders, and it seems to me that Net *users* and consumers are insufficiently represented. I believe I can help represent that point of view. I also believe increased representation of that point of view is necessary. The uniform dispute resolution procedures, for example, are generally considered to be disproportionately weighted in favor of large corporations at the expense of the very small businesses and individuals that the Net is supposed to empower.

The Internet was famously decentralized to withstand a bomb outage. Even so, from the earliest days there have been a number of benevolent dictators who guided the development of specific areas or applications. It is to some extent unavoidable that assigning unique identifiers – names, numbers, and ports – must be handled by one or more central authorities. The most visible aspect of this, the Domain Name System, for all that it has scaled well since Paul Mockapetris devised it in the 1980s, is a single, central point of failure managed by an organization that no one understands and few people trust.

The lack of trust is partly unavoidable. ICANN's predecessor, Jon Postel, was a rare man whom almost everyone trusted. Had Postel lived, he might have been able to act as a guarantor of the fledgling ICANN and been able to transfer some of that trust. After his untimely death and in his absence, it was inevitable that Netizens would treat any new authority with suspicion, especially since many had already vehemently rejected the earlier proposed gTLD-MOU that was widely interpreted (however incorrectly) as a "coup".

But much of today's distrust was not unavoidable. Despite ICANN's insistence that it is an open and accountable organization, observer after observer has complained that while portions of its official meetings are public, decisions are in reality made behind closed doors, often in advance. While I appreciate that the changing meeting venues are intended to avoid giving an unequal advantage in attendance to any one nation or group of nations, the meetings' peripatetic nature makes it hard for observers without significant funding to attend on any regular basis. Therefore, it is even more crucial for ICANN to engage the Internet community at large on questions of policy and direction. The decision to do away with elected At-Large board members was widely perceived to derive from a dislike of the electoral results; that, too, has made ICANN look secretive and unaccountable.

The past cannot be changed, but the future can. ICANN has frequently stated that it intends to be publicly accountable and open, and perform its duties of technical oversight by consensus. But because code is law (Amazon UK), technical decisions have public policy consequences. "Technical oversight" is an incorrect description unless ICANN's mission becomes the janitorial role of merely implementing technical decisions made by others (a role to which some have argued it should be constrained). ICANN's latest strategic planning statement (PDF) expresses no such intent. Instead, it says, "The continued evolution of the Internet, especially the DNS, brings with it an increasing number of policy issues of ever increasing complexity that need to be decided through the ICANN process."

But as a policy-making body ICANN has the endemic structural problem of lacking the checks and balances that constrain a democratic government's behavior. Admittedly, technology moves fast and democratic deliberation takes time. As long as ICANN is tied to the Department of State, there is at least some small measure of democratic oversight. WSIS, for all its flaws, is made up of representatives of democratically elected governments. Other technical bodies, such as the IETF, make technical policy by opening their meetings and allowing full participation; technical merit gets you heard. The early Internet made history for its openness, using RFCs to suggest, not impose, technical changes. As ICANN's strategic plan itself recognizes, this is a key moment in ICANN's history: if it is to become independent it must find a way to become truly accountable. It would be a betrayal of every principle on which the Internet was founded for the Internet's most important single point of failure to be completely controlled by a self-selecting body whose inner deliberations and functioning remain obscure.

In these latter days, it is hard for anyone who is not, as I am not, a programmer (or lawyer) to make significant contributions to the Internet's development. The Internet in its many aspects has been my main focus as a London-based journalist since 1991. I continue to make that choice because I want to help push Internet policy and development in what I feel are the right directions: toward openness and experimentation, away from closure and control.

I believe that serving on the ICANN board would be a logical continuation of my work over the last 15 years.

P.S.: I also really love to travel.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

July 14, 2006

Not too cheap to meter

An old Net joke holds that the best way to kill the Net is to invent a new application everyone wants. The Web nearly killed the Net when it was young. Binaries on Usenet. File-sharing. Video on demand may finally really do it. Not, necessarily, because it swamps servers, consumes all available bandwidth. But because, like spam, it causes people to adopt destructive schemes.

Two such examples turned up this week. The first, from the IP Development Network, the brainchild of Jeremy Penston, formerly of UUnet and Pipex, HD-TV over IP: Who Pays the Bill? (PDF), argues that present pricing models will not work in the HDTV future, and ISPs will need to control or provide their own content. It estimates, for example, that a consumer's single download of a streamed HD movie could cost an ISP £21.13, more than some users pay a month. The report has been criticized, and its key assumption – that the Internet will become the chief or only gateway to high-definition content – is probably wrong. Niche programming will get downloaded because any other type of distribution is uneconomical, but broadcast will survive for mass-market.

The germ that isn't so easily dismissed is the idea that bandwidth is not necessarily going to continue to get cheaper, at least for end users.

Which leads to exhibit B, the story that's gotten more coverage, a press release – the draft discussion paper isn't available yet – from the London-based Association of Independent Music (AIM) proposing that ISPs should be brought "into the official value chain". In other words, ISPs should be required to have and pay for licenses agreed with the music industry and a new "Value Recognition Right" should be created. AIM's reasoning: according to figures they cite from MusicAlly Research, some 60 percent of Internet traffic by data volume is P2P, file-sharing, and music has been the main driver of that. Therefore, ISPs are making money from music. Therefore, AIM wants some.

Let's be plain: this is madness.

First of all, the more correct verb there is "was", and even then it's only partially true. Yes, music was the driver behind Napster eight years ago, and Gnutella six years ago, and the various eHoofers. But now BitTorrent is the biggest bandwidth gobbler, and the biggest proportion of transferred data is video, not music. This ought to be obvious: MP3 4Mb, one-hour TV show 350Mb, movie 700Mb to 4.7Gb. Music downloads started first and have been commercialized first, but that doesn't make it the main driver; it just makes it the historically *first* driver. In any event, music certainly isn't the main reason people get online: that is and was email and the Web.

Second of all, one of the key, underrated problems for any charging mechanism that involves distinguishing one type of bits from another type of bits in order to compensate someone is the loss of privacy. What you read, watch, and listen to is all part of what you think about; surely the inner recesses of your mind should be your own. A regime that requires ISPs to police what their customers do – even if it's in their own financial interests to do so – edges towards Orwell's Thought Police.

Third of all, anyone who believes that ISPs are making money from P2P needs remedial education. Do they seriously think that at something like £20 per month for up to 8mbps ADSL anyone's got much of a margin? P2P is, if anything, the bane of ISPs' existence, since it turns ordinary people into bandwidth hogs. Chris Comley, managing director of Wizards, the small ISP that supplies my service (it resells BT connections), says that although his company applies no usage caps, if users begin maxing out their connections (that is, using all their available bandwidth 24 hours a day, seven days a week), the company will start getting complaining email messages from BT and face having to pay higher charges for the connections it resells. Broadband pricing, like that of dial-up before it (when telephone bills could be relied upon to cap users' online hours), is predicated on the understanding that even users on an "unlimited" service will not in fact consume all the bandwidth that is available to them. In Comley's analogy, the owner of an all-you-can-eat buffet sets his pricing on the assumption that people who walk in for a meal are not in fact going to eat everything in the place.

"The price war over bandwidth is going to have to be reversed," he says, "because we have effectively discounted what the user pays for IP to such a low level that if they start to use it they're in trouble, and they will if they start using video on demand or IPTV."

We began with an old Internet joke. We end with an old Internet saying, generally traced back to the goofy hype of Nicholas Negroponte and George Gilder: that bandwidth is or will be too cheap to meter. It ought to be, given that the price of computing power keeps dropping. But if that's what we want it looks like we'll have to fight for it.

June 30, 2006

Technical enough for government work

Wednesday night was a rare moment of irrelevant glamor in my life, when I played on the Guardian team in a quiz challenge grudge match.

In March, Richard Sarson (intriguingly absent, by the way) accused MPs of not knowing which end was up, technically speaking, and BT funded a test. All good fun.

But Sarson had a serious point: MPs are spending billions and trillions of public funds without the technical knowledge to them. His particular focus was the ID card, which net.wars has written about so often. Who benefits from these very large IT contracts besides, of course, the suppliers and contractors? It must come down to Yes, Minister again: commissioning a huge, new IT system gives the Civil Service a lot of new budget and bureaucracy to play with, especially if the ministers don't understand the new system. Expanded budgets are expanded power, we know this, and if the system doesn't work right the first time you need an even bigger budget to fix it with.

And at that point, the issue collided in my mind with this week's other effort, a discussion of Vernor Vinge's ideas of where our computer-ridden world might be going. Because the strangest thing about the world Vernor Vinge proposes in his new book, Rainbows End, is that all the technology pretty much works as long as no one interferes with it. For example: this is a world filled with localizer sensors and wearable computing; it's almost impossible to get out of view of a network node. People decide to go somewhere and snap! a car rolls up and pops open its doors.

I'm wondering if Vinge has ever tried to catch a cab when it was raining in Manhattan.

There are two keys to this world. First: it is awash in so many computer chips that IPv6 might not have enough addresses (yeah, yeah, I know, no electron left behind and all that). Second: each of these chips has a little blocked off area called the Secure Hardware Environment (SHE), which is reserved for government regulation. SHE enables all sorts of things: detailed surveillance, audit trails, the blocking of undesirable behavior. One of my favorites among Vinge's ideas about this is that the whole system inverts Lawrence Lessig's idea of code is law into "law is code". When you make new law, instead of having to wait five or ten years until all the computers have been replaced so they conform to the new law, you can just install the new laws as a flash regulatory update. Kind of like Microsoft does now with Windows Genuine Advantage. Or like what I call "idiot stamps" – today's denominationless stamps, intended for people who can never remember how much postage is.

There are a lot of reasons why we don't want this future, despite the convenience of all those magically arriving cars, and despite the fact that Vinge himself says he thinks frictional costs will mean that SHE doesn't work very well. "But it will be attempted, both by the state and by civil special interest petitioners." For example, he said, take the reaction of a representative he met from a British writers' group who thought it was a nightmare scenario – but loved the bit where microroyalties were automatically and immediately transmitted up the chain. "If we could get that, but not the monstrous rest of it…"

For another, "You really need a significant number of people who are willing to be Amish to the extent that they don't allow embedded microprocessors in their lifestyle." Because, "You're getting into a situation where that becomes a single failure point. If all the microprocessors in London went out, it's hard to imagine anything short of a nuclear attack that would be a deadlier disaster."

Still, one of the things that makes this future so plausible is that you don't have to posit the vast, centralized expenditure of these huge public IT projects. It relies instead on a series of developments coming together. There are examples all around us. Manufacturers and retailers are leaping gleefully onto RFID in everything. More and more desktop and laptop computers are beginning to include the Trusted Computing Module, which is intended to provide better security through blocking all unsigned programs from running but as a by-product could also allow the widescale, hardware-level deployment of DRM. The business of keeping software updated has become so complex that most people are greatly relieved to be able to make it automatic. People and municipalities all over the place are installing wireless Internet for their own use and sharing it. To make Vinge's world, you wait until people have voluntarily bought or installed much of the necessary infrastructure and then do a Project Lite to hook it up to the functions you want.

What governments would love about the automatic regulatory upgrade is the same thing that the Post Office loves about idiot stamps: you can change the laws (or prices) without anyone's really being aware of what you're doing. And there, maybe, finally, is some real value for those huge, failed IT projects: no one in power can pretend they aren't there. Just, you know, God help us if they ever start being successful.
