thinking is dangerous — it leads to ideas
thinking is dangerous — it leads to ideas
President of the Board of the Polish Free and Open Source Software Foundation. Human rights in digital era hacktivist, Free Software advocate, privacy and anonimity evangelist; expert volunteer to the Panoptykon Foundation; co-organizer of SocHack social hackathons; charter member of the Warsaw Hackerspace; and Telecomix co-operator; biker, sailor.
For some time now I've been missing a short and succinct way to indicate why things like centralization at the service level are not entirely good ideas, regardless of how much we trust their operators.
So here it is — rysiek's law of unavoidable consequences:
If it's technically possible,
it's practically unavoidable.
Well, the idea is simple. If, say, a given software project promises something (e.g. that it will not spy on users), we should not rely only on a promise. It should be technically impossible to break that promise, otherwise it will get broken sooner or later.
If some undesirable actions or outcomes are technically possible,
they should be assumed to be unavoidable.
There are many reasons this can happen: a break-in; a change of heart of the owner; a change of owner; law being changed, used or misused. Regardless of the reason, if it's possible, it will happen.
The corollary being:
If there are some undesirable outcomes you want to avoid
make them technically impossible (or very hard).
Let's take Ello on, for instance. Ello promises some neat things — like "no ads" and being "privacy-friendly". But is it technically possible for Ello to introduce ads to the network, and sell their users' privacy out?
So, once the management changes or decides they need some more money, there is nothing stopping them from doing just that.
Can Diaspora creators introduce ads and sell-out users on privacy?
Well, it's much more complicated. The developers can introduce ad functionality to the code, but will server admins (who are not usually directly connected to the developers) introduce that code to their instances? Dubious. Because there are many different servers, users can pick and choose, and move to servers that do not support ads. Tl;dr being: it's much harder, and much less possible.
Similarly, selling out users on privacy would rather be possible for the server admins instead of the developers (who do not have access to users' private data). But:
These mean that server admins have a strong incentive, based (among others) in technology itself, to not do nasty things; and it is technically not possible at all to do it at the same time in the whole network.
If you think about it, this is exactly the reason why we have separation of powers. It's not that we do not trust our current powers that are, it's that we really don't know who will be in power in a few short years. Separation of powers is the "technical" way of making sure we don't have to rely only on trust.
And remember this?
The Net interprets censorship as damage and routes around it.
Censorship is technically impossible (or rather extremely hard) because of how the Internet is engineered. Had it been any other way, we would have a completely different Net.
Even the Kerckhoffs's principle is an example of a more specific version of the corollary.
Yet again we are implored to "think of the children" by more than 250 000 supporters of a bill proposed in Poland that would put a 2-year prison penalty on...
...whoever publicly promotes or condones undertaking sexual activities by minors of less than 15 years of age, or supplies them with materials facilitating such activities.
Yes, you are reading this right. Two years in jail for giving a teen child a condom just in case, or informing them where kids come from. I won't even mention the filth called "sex-ed classes"! Yes, this also pertains to parents. What should a parent say when a child comes and asks how did their little sister get inside mummy? "Go ask the good reverend", I guess.
Of course there's a question of how the "pro-family" organisations that promote this enlightened idea reconcile their "pro-familiness" with the fact that such a law would have a great potential for breaking families apart, but I'll leave that one for the Dear Reader to ponder. Also, while I find hate speech laws to be a bit problematic, as long as we have them on the books, how about somebody look into how these people identify paedophilia with not being heteronormative, eh?
I'll leave dealing with the cranial rectal syndrome that makes people propose banning the best weapon we have against paedophiles (education) because they are afraid of paedophiles to those better suited for the task. Something else interests me in this situation.
For years I have taken part in many meetings concerning proposed Internet censorship measures. Each and every time "the paedophile argument" was one of the big guns in the proposers' arsenal. One of the organisations that used to propose such measures (and use such arguments), today went through the looking-glass:
We are convinced that the changes proposed will not amount to effective tools against paedophilia. The project aims to ban educating children and youth about human sexuality, which equips them with knowledge required to notice threats, maintain own integrity and look for help
It is hard to fathom that in the 21st Century it is still possible to propose criminal penalties for supplying children with knowledge about their development and the nature of sexual relations, and to lump custodians, teachers and educators providing such education with paedophiles
While I do find it a bit surprising, today I have to agree wholeheartedly with the President of Fundacja Dzieci Niczyje.
During the weeks since Mozilla's DRM-embracing decision to include EME there were quite a few voices defending Mozilla's decision. Most of the serious defence basically boils down to: we had to; without EME/DRM support Mozilla would be the browser that can't play video, and users would turn to other browsers which would jeopardize our work for freedom and open Internet in other areas.
As I have written before users already have little reason to stay with Firefox, and the strongest selling point for many of users still on Firefox has for a longest time been: that's the freedom preserving browser. With EME/DRM in Firefox, this reason is moot.
What's tragic is that even with EME/DRM inside, which already cost Firefox some users from the freedom crowd (and inspired at least one fork, of course), Firefox is bound to also lose in the less freedom-centred crowd.
Think about it for just a short while. The whole basic idea of DRM is flawed beyond repair — software that has to make some content available to a user (to be viewed, for example), and simultaneously make the same content not available to the same user (so that it's not possible to copy it).
This scheme has serious problems working even in closed-source, black-box software (sometimes even fails hilariously). How is it supposed to work in an open-source browser?
Let's ponder a scenario, shall we?
...and has DRM solution suppliers (like Adobe) write DRM plugins for Firefox. That's where we're at today.
...so that it's only available to the browser itself (to display to the user), but not the extensions — otherwise get ready for an extension that grabs the decoded media stream and saves it to disk (completely side-stepping any DRM) in 3... 2... 1...
Say, how about a fork that removes this very protection of the decoded media stream, but leaves in-place the rest of the EME/DRM infrastructure? Somebody is bound to do it. At this point DRM/EME is completely side-stepped in this Firefox fork.
One of the defenders of Mozilla's EME/DRM decision, Ben Moskovitz, remarks:
enabling users to do more is a feature.
Being able to save the media stream to disk sounds to me like enabling users to do more. Let us guess, then, which Firefox version will now become more and more popular, eh?
Is there anything Mozilla can do to plug this hole? Not as long as the code is open and free-as-in-freedom! Ah, well, Hollywood won't have any of that hippie bullshit, so they push DRM providers to remove support for Firefox (and its forks).
Mozilla lands with EME infrastructure and no DRM providers willing to write a plugin using it (as it would jeopardize their relationship with Hollywood), freesofties have already long moved to some more freedom-preserving browser, and regular users move to any browser that has DRM plugins for its EME infrastructure. You know, the closed-source ones.
After all, why would they stay on "a browser that can't"?
Another day, another conference on Internet governance, this time close enough to go there on my own dime. Besides, Berlin is always a treat.
As was to be expected of a conference organised in ministerial halls, for the most part when it wasn't objectionable, it was mind-boggingly dull. And yes, WiFi was as good as it gets on such events.
I have a strong policy of going to conferences mainly for the hallway/coffee chit-chat and making new acquaintances, and it was a winner this time around too.
Starting off with a welcoming address by the powers that be, including Neelie Kroes, who deemed the conference so important, she made a video appearance (how about we agree on a rule that when you're a politician wanting to have a point in a conference agenda, you can either come in person, or... pass entirely; no pre-recorded videos, please!), the conference gave no hope for anything of significance to happen within the confines of the programme.
Thankfully, you can always count on activists to bring the gravitas along. And while having Edward Snowden in the panel (or as a keynote speaker) would be the right thing to do, several Edwards Snowdens in the audience were the next best thing.
The first panel focused on lessons learned from NETmundial, and made a good first impression with no chair available for the only female panelist. Were there any civil society participants to the panel? Of course not. Questions from the floor about that fact (asked by the undersigned) and about the glaring gender disproportion in the panel (asked by Mrs. O'Loughlin of Council of Europe) were waved-off as "off-topic".
Representative of the organisers also remarked on how hard it was to find women for the panel. They tried, they just couldn't find any on the right positions.
Let's ponder about this for just a moment, even though I don't even know where to start.
I could say, for instance, that equality (gender, and otherwise) was a big issue on NETmundial, as evidenced in the opening address by Nnenna Nwakanma. I could refer you, Dear Reader, to the concepts like glass ceiling, and note how this is no excuse for not including women in the panel on equal standing. I could, as I have in my question, note the irony of a panel about lessons from NETmundial (y'know, the multistakeholder conference on Internet governance) comprising almost entirely of men, and with no representative of the third sector.
Or I could point out, that including civil society in the panel might have made it easier for the organisers to find female panelists, as while the glass ceiling is indubitably also sadly present in civil society, it doesn't seem to be as prevalent as in government and business sectors.
However, there is always hope. The "When the public sphere became private" workshop proved to be both inspiring and interesting, and the exchange of ideas relevant and much deeper than I would have expected.
It did help that the topic sounded eerily familiar, but the discussion went far and wide, touching on a number of related issues.
There was an important distinction that had to be made, as became apparent in the course of the discussion, between two meanings of the word "private", in the context of communication infrastructures.
First meaning being "pertaining to or supportive of privacy". Here, private communication medium would mean a communication medium that ensures the privacy of the communication between communicating parties.
The second one is, of course, "privately-owned", with private communication medium meaning a medium owned by a private entity.
Obviously, similar distinction has to be made for the word "public" in the same context.
With this in mind it's easy to see how crucial misunderstandings can arise when using these terms without making clear which of the particular meanings we have in mind. Specifically, privately-owned infrastructure can be (and often is) hostile towards privacy of the communicating parties.
When the whole infrastructure is privately-owned, privacy is not the only problem. Public sphere is crucial to democratic processes, but today it is more and more being replaced by privately-owned and controlled fora. Public discourse should not, however, be contingent on rules made unilaterally by private entities. Or, as one of the workshop panelists neatly put it:
Public agora cannot underlie a business model based on surveillance
As always, the first step is admitting that we do have a problem, and I take it we are getting ready for such an admission. Finally. But what's really interesting is the next step — what should we do about it? There is, unfortunately, no clear answer, but several ideas have been floated.
One of these is open standards, or making the operators of such privately-owned fora to at least supply APIs allowing full interoperability between different providers (think Facebook interoperating with Google+). Another (crazy, I give you that!) idea — floated by a friend of mine some time ago — is to have source code of all software available at least for inspection, just like ingredients listing on packaged food.
Yet another would be mandating privacy impact assessment on all lawmaking activities, and on infrastructural decisions made (for instance) on governmental levels.
Finally, there was this gem:
Governments need to pass human rights as technical requirements
That's something that really got my attention, as for some time now I am pondering that we — the technical community, geeks, free-softies, etc. — should start making software with the assumption that if some abuse is possible, it is inevitable. And start designing our software for privacy just as we design it for security. I'll elaborate on that in a separate post.
All of these need further thought and consideration; some might turn out workable, some might turn out impossible, and some combination of them might be the right way to proceed.
But the right questions are apparently finally being asked. Not holding my breath, but maybe next time we're even able to find some less locked-down solution instead of a Twitter wall to bring in the remote participation...
It's official — I have been confirmed as a member of the Digital Affairs Council to the Minister of Administration and Digital Affairs. I was recommended by Internet Society Poland and Polish Linux Users Group.
the Council is "minister's advisory and consultative body" (as described in art.17 of the informatisation law). That means that on one hand it doesn't really get to make direct decisions; on the other, however, Council's recommendations will carry certain weight (at least, that's the theory).
According to the law, the Council will propose and opine projects of statements (among others, by the Council of Ministers), documents, development strategies, program projects and reports in the areas of informatisation, communications, information society development and rules regarding the functioning of public registers, rules and state of introducing ICT systems in public administration, and even Polish ICT terminology. And...
The Council can initiate activities related to informatisation, ICT market development, and development of information society.
The Council today has 20 members, representing administration, NGOs, technical organisations and business. What recommendations will the Council produce and which direction will it lean? How will the practicalities of its operation look like? Hard to say today. But the possibilities seem quite interesting.
I have had the pleasure of meeting several members of the Council on different occasions; not all of them, unfortunately. The ones I know paint an interesting picture.
Hence we have openness and privacy activists on one hand, copyright maximalists and representatives of big IT companies on the other. What will come of this — we'll see.