thinking is dangerous — it leads to ideas
President of the Board of the Polish Free and Open Source Software Foundation. Human rights in the digital era hacktivist, Free Software advocate, privacy and anonymity evangelist; expert volunteer to the Panoptykon Foundation; co-organizer of SocHack social hackathons; charter member of the Warsaw Hackerspace; and Telecomix co-operator; biker, sailor.
This is my NetMundial content proposal, with some typos fixed and minor edits.
ICANN and IANA decentralisation efforts mark an important milestone in the evolution of the Internet: there is finally widespread recognition of the fact that centrally controlled bodies pose a threat to the free and open nature of the Internet. ICANN and IANA are, however, but a small part of a much larger problem.
More and more, communication platforms and methods are secondarily centralized; that is, in a network decentralized at lower protocol levels, services are being run that are centralized at higher levels. Running on a network based on open standards are closed services, which are then used by other entities as the base for their own services.
In other words, some private services — offering, for example, user authentication methods — are being used as a de facto infrastructure by large numbers of other entities.
If we recognize the dangers of a centrally-controlled domain name system, we should surely recognize the danger of this phenomenon also.
It is of great value that the importance of decoupling IP address management and domain name system management from a single state actor has been recognized, and that there is currently a strong push towards multistakeholderism in this area.
There is, however, a secondary, emergent centralization happening on the Internet that can potentially pose a comparable, or even bigger, threat to the interconnected, open and independent nature of this global network.
This centralization is harder to perceive as dangerous, as it is not being actively supported by any state actor; hence, it falls under the radar of many Internet activists and technologists, who would react immediately had a similar process been facilitated by a government. It does, however, have the potential to bring about negative effects similar to those of a state-sponsored centralization of infrastructure.
Another reason for this process to happen unnoticed, or for its possible negative effects to be downplayed, is that it is fluid and emergent from the behaviour of many actors, enforced by the network effect.
This process is most visibly exemplified by Facebook gathering over 1 billion users by providing a centrally-controlled walled garden, while at the same time offering an API to developers willing to tap into this vast resource, for example to use it as an authentication service. Now, many if not most Internet services requiring log-in offer Facebook log-in as one of their options. Some (a growing number) offer Facebook as the only option. Many offer a commenting system devised by Facebook that does not allow anonymous comments — a user has to have a Facebook account to be able to partake in the discussion.
Similarly, Google is forcing Google+ on YouTube users; to a lesser extent, Google Search is being used by a swath of Internet services as their default internal search engine (that is, used to search their own website or service). GMail is also by far the most popular e-mail and XMPP service, which gives Google immense power over both.
These are two examples of services offered by private entities (in this case, Google and Facebook) that have become de facto public infrastructure, meaning that an immense number of other services rely on and require them to work.
If we recognize the danger of a single state actor controlling ICANN or IANA, we can surely recognize the danger of a single actor (regardless of whether it is a state actor or not) controlling such an important part of Internet infrastructure.
Regardless of the reasons why this situation emerged (users' lack of tech-savviness, service operators' preference for the easiest and cheapest solutions to implement and integrate, etc.), it causes several problems for the free and open Internet:
If such a large part of services and actors depend on a single service (like Facebook or GMail), this in and of itself introduces a single point of failure. It is not entirely in the realm of the impossible for those companies to fail — who will, then, provide the service? We have also seen both of them (as any other large tech company) have large-scale downtime events, taking services based on them down also.
In the most basic sense, any user of a service based on these de facto infrastructures has to comply with and agree to the underlying service's (e.g. Facebook's or Google's) Terms of Service. If many or most Internet services have that requirement, users and service operators alike lose independence over what they accept.
Operators of such de facto infrastructures are not obliged to provide their services in an open and standard manner; running mostly in the application layer, these services can usually block any attempts at interoperation. Examples include Twitter changing their API TOS to shut off certain types of applications, Google announcing the planned shut-off of XMPP server-to-server communication, and Facebook using XMPP for its internal chat service with server-to-server communication shut off.
With such immense and binary ("either use it, or lose it") control over users' and other service providers' data, de facto infrastructure operators do not have any incentives to share information on what is happening with the data they gather. They also have no incentives to be transparent and open about their future plans or protocols used in their services. There is no accountability other than the binary decision to "use it or lose it", which is always heavily influenced by the network effect and the huge numbers of users of these services.
With no transparency, no accountability, and a lack of standardization, such de facto infrastructure operators can act in ways that maximize their profits, which in turn can be highly unpredictable and not in line with users' or the global Internet ecosystem's best interests. Twitter's changing of its API TOS is a good example here.
Such de facto infrastructure operators are strongly incentivised to shut off any interoperability attempts. The larger the number of users of their service, the stronger the network effect, the more other services use their service, and the bigger the influence they can have on the rest of the Internet ecosystem. Social networks are a good example here — a Twitter user cannot communicate with a Facebook user unless they also have an account on the other network.
This is obviously not the case with e-mail (I can run my own e-mail server), at least not yet. The more people use a single provider here (e.g. GMail), the stronger that provider becomes, and the easier it would be for its operator to shut off interoperability with other providers. This is exactly what Google is doing with XMPP.
Lack of predictability, openness and independence obviously also hurts innovation. What used to be a free and open area of innovation is more and more becoming a set of closed-off walled gardens controlled by a small number of powerful actors.
It is also worth noting that centralized infrastructure at any level (including the level of de facto infrastructure discussed herein) creates additional problems at the human rights level: centralized infrastructure is easy to surveil and censor.
Hence, the first question to be asked is this: when does a private service become de facto public infrastructure?
At this point this question remains unanswered, and there is not a single Internet Governance body, or indeed any actor, able to reply to it authoritatively. Nevertheless, we are all in dire need of an answer to this question, and I deem it a challenge for Internet Governance and an important topic that should be included in any Internet Governance Forum now and in the future.
The second question that ever more urgently requires an answer, if we are to defend an open and not balkanized Internet, is: what should be done about private services that have become de facto public infrastructure?
This question is also as yet unanswered, but there are several possible proposals that can be made, including treating such situations as monopolies and breaking them up (thus handling them outside Internet Governance), requiring a public interoperable API to be made available to other implementers, etc. This is perhaps not exactly within the purview of Internet Governance; it is, however, crucial for the Internet as a whole, and I propose it be treated as a challenge to be at least considered at IGFs henceforth.
Usually when I write (rant, really) about public consultations on some government ideas, there's not much good I can say. Well, for once this is not the case.
The Ministry of Administration and Digitization is working on its position for the upcoming NetMundial Internet stakeholders meeting in São Paulo. To prepare for that, the Ministry has announced a call for comments on a document prepared by the European Commission about Internet governance, and has invited several organisations and companies to weigh in on the topic at a multistakeholder meeting in meatspace.
The topic is immensely important, and I hope to elaborate on it soon. In the meantime, however, I'd just like to say that for some time now NGOs that are interested and competent in this area no longer have to knock on Ministries' doors. Instead, we're invited alongside ISPs, telcos and large Internet companies, and can freely voice our opinions. Sometimes we even get listened to.
Even better, this time one of the NGOs invited to comment and to attend the meeting was the Warsaw Hackerspace.
So we got @hackerspace.pl addresses into official ministerial communication, and two hackers into ministerial corridors. Expecting the media to go crazy about it in 3... 2... 1...
Some of you might have already noticed (for example via my Diaspora profile) my infatuation with RetroShare, a very interesting communication and file-sharing tool that deserves a proper, full review — for which I do not, unfortunately, have time.
There are some good things (full peer-to-peer decentralisation, full encryption) and some less good things (the use of SHA1 and the daunting GUI). But today RetroShare really shone, and in an area that is constantly a chore for free software...
Now, I know there are many free software projects trying to do VoIP, but none seems to be "there" yet. SIP is hard to set up; Jitsi works within a single server, but for some reason I have never been able to get a working VoIP call via Jitsi with a contact from a different server. The project that was closest to being usable was QuteCom... "was", as there hasn't been a single new release for 2 years now.
Just download the software, install it and have the keys generated (that happens automagically), and download the VoIP plugin if it isn't already included (chances are it is; if not, on Linux the retroshare-voip-plugin package is your friend, and users of other OSes can look here).
Now add a friend, start a chat and voilà, VoIP works. No account on any server needed, no trusting a third party, and it works behind NATs (tested!). It is also already encrypted, so no one can listen in on your communication.
The amazing part? During testing my lappy suspended to RAM. After waking up a few minutes later, the call worked as if nothing had happened.
Internet censorship proposals are tabled with amazing regularity — and are usually completely detached from the reality of how the Internet and digital communication work. For the proponents, censorship seems an "easy and effective solution to a problem", while in fact technical solutions to social problems simply do not work, and have a tendency to break things. Badly.
In preparation for one of the consultation meetings around this subject (even though the Polish political climate is rather hostile to censorship ideas at the moment, we still get consultation meetings about it from time to time), I have prepared a list of questions that have to be asked and answered regarding any central-level "parental filter" Internet censorship proposal (PDF and ODT available; I'd like to thank Mr Adam Haertle for his suggestion on extending question no. 11).
If anybody feels like using this as a base for a checklist, please be my guest! Same goes for additions, suggestions, improvements.
Internet censorship questions
This document attempts to gather all the relevant questions that need to be asked and answered with regard to any proposal to introduce a central-level Internet porn censorship solution, and can be used as a map of the related issues that would also need to be decided on.
The questions herein are for the most part not deeply technical and do not require an answer containing any concrete technical solutions. They also do not touch on economy-related issues.
1. What definition of pornography is to be used in the context of the proposed solution? In particular:
i. Are graphic works and animations not created via image recording techniques to be included in that definition?
ii. Are textual works describing sexual acts to be included also?
iii. Are audio materials to be included?
iv. Are works of art containing or presenting nudity to be included? If not, how are they going to be differentiated?
v. Are biology and sexual education materials to be included? If not, how are they going to be differentiated?
2. Who is to decide on putting given content on the blocked content list? In particular:
i. What oversight measures are proposed to combat instances of putting (willfully or by mistake) non-pornographic content on said list?
ii. Will the blocked content list be public, or secret?
iii. If the list is to be kept secret, what are the reasons for doing so?
3. How is the content to be blocked going to be identified? In particular:
i. Is the content identification to be based on textual keywords within content itself?
ii. Is it to be based on keywords in the URL leading to the content?
iii. Is it to be based on an explicit blacklist of URLs?
iv. Is it to be based on an explicit blacklist of domains?
v. Is it to be based on an explicit blacklist of IP addresses?
vi. Is it to be based on image recognition?
vii. Is it to be based on audio recognition?
viii. Is it to be based on checksum comparison?
ix. Is it to be based on a combination of methods? If so, which methods are to be employed?
4. What remedy procedure is envisaged in case content that does not fulfill the definition of pornography is blocked? In particular:
i. Where and to whom are such incidents to be reported?
ii. What would the confirmation or denial procedure for such reports be?
5. What remedy procedure is envisaged in case content that does fulfill the definition of pornography is not blocked? In particular:
i. Where and to whom are such incidents to be reported?
ii. What would the confirmation or denial procedure for such reports be?
6. Are parents/legal guardians/subscribers to have control over the scope of blocking? In particular:
i. Will they be able to indicate that given content should be excluded from blocking, even though it does fulfill the definition of pornography?
ii. Will they be able to indicate that given content should be blocked, even though it does not fulfill the definition of pornography?
7. Is the blocking solution to be opt-in, opt-out, or is the choice to be presented upon first connection? In particular:
i. Is the choice going to apply to all devices using a given connection?
ii. Is the choice going to apply only to a particular device on any connection?
iii. Is the choice going to apply only to a particular device on a particular connection?
8. Is the choice to enable blocking to apply also to institutional subscribers and companies? In particular:
i. If not, does that mean no blocking, or mandatory blocking?
ii. Is it to apply to libraries?
iii. Is it to apply to schools?
iv. Is it to apply to universities and other higher education institutions?
v. Is it to apply to public hot-spots run by local communities?
vi. Is it to apply to public hot-spots run by private service providers?
vii. Is it to apply to hot-spots provided only for private service providers' customers?
viii. Is it to apply to hot-spots run by private companies for their employees?
9. Will content explaining how to circumvent blocking also be blocked?
10. How is HTTPS or other SSL/TLS-encrypted traffic to be handled? In particular:
i. Is HTTPS/TLS/SSL traffic to be ignored altogether?
ii. Is HTTPS/TLS/SSL traffic to be blocked?
iii. Is HTTPS/TLS/SSL traffic to have its encryption layer broken and its content filtered?
11. How is private communication to be handled? In particular:
i. Are e-mail and Internet messaging communication to be filtered?
ii. Are peer-to-peer networks to be filtered?
iii. Are MMS messages to be filtered?
iv. Is private audio-video (including VoIP) communication to be filtered?
v. Is private audio communication via regular and mobile phones to be filtered?
12. How is encrypted private communication to be handled? In particular:
i. Is such communication to be blocked?
ii. Is such communication to be ignored?
iii. Is such communication to have its encryption layer broken and its content filtered?
13. Are the solutions regarding HTTPS/TLS/SSL and private and encrypted private communication to be implemented in networks operated by institutional subscribers and companies, as per question 8 above?
I'd love to see some answers to these questions from each and every person that proposes or supports central-level "parental filter" Internet censorship.
Asking about Ubuntu on Debian's IRC channels is not considered nice — and having lurked there for years, I can understand why. These are two different systems, and trying to get Debian people to work on your Ubuntu problem is more often than not a waste of their resources and your time. There are better places to get support for Ubuntu.
Having said that, when somebody makes such a misstep, the right way to proceed is to inform them. Especially when the question is not about Ubuntu itself, but about a tool used by both distros.
I can understand that many people ask such questions in #debian, and that some need a bit more of an incentive to move to the right channel. We wouldn't want to ban a whole hackerspace because of one user like that, now would we?
Well, apparently some would. And not only that — every single other person that asked why the whole Warsaw Hackerspace network was banned from the channel also got immediately banned, with a dry explanation in the kick message:
you should know better
Because I asked about the situation, while connecting from the Free and Open Source Software Foundation's infrastructure, the whole FOSSF got affected:
[02.02.14 00:08:35] <rysiek|pl> abrotman: hey, that's a damn good idea to just ban a whole hackerspace because somebody asked about apt-get in #debian
[02.02.14 00:08:55] *** Mode #debian +o abrotman by ChanServ
[02.02.14 00:08:56] *** Mode #debian +b *!*@master.fwioo.pl by abrotman
[02.02.14 00:08:57] <-* abrotman has kicked rysiek|pl from #debian (you should know better)
Now that's a way to make new friends, abrotman!
Friends or no friends, the whole FOSSF network got banned from #debian. We do a lot on that distro; all our servers are running it, providing stable and safe services for the projects we run. Bottom line — if we're banned from #debian, spreading Free Software in Poland gets that much harder.
So I started to look around for ways to get in contact with people who might be able to help. I posted on Diaspora, asked in #freenode, and got sent to #debian-ops. There I (and several other people from the Warsaw Hackerspace) tried to reason with the op in question:
[02.02.14 00:33:20] <abrotman> and having you both come in and whine doesn't help
[02.02.14 00:33:23] <q3k> you jus tbanned a community od ~60 people
[02.02.14 00:33:33] <q3k> which is not really excellent.
[02.02.14 00:34:15] <rysiek|pl> abrotman: "come and whine"? I'm sorry, but you just banned a host with many users owned by the organisation I represent
[02.02.14 00:34:34] <rysiek|pl> abrotman: because I asked about your attitude towards a user in #debian
[02.02.14 00:34:35] <abrotman> The ban will expire, folks can ask for a +e
"The ban will expire" was the only real answer we got.
[02.02.14 01:13:46] <abrotman> Posting on diaspora probably won't help ..
[02.02.14 01:15:17] <rysiek|pl> abrotman: and this is my fault... how?
[02.02.14 01:15:31] <abrotman> You had to escalate why?
I guess the question about escalating is the real question here. Did it have to escalate to banning the whole nat.hackerspace.pl because somebody asked a question containing the word "Ubuntu"? Did it have to escalate to banning the whole master.fwioo.pl because I asked about why the Warsaw Hackerspace got banned from #debian?
I understand being an op is a tough job, I really do, especially in very popular channels like #debian. And I understand that people get tired, annoyed and frustrated doing it. I appreciate their work, just as I would like people to appreciate the work I do.
But that is no justification for indiscriminately banning whole networks. As Quinn Norton has said at 30C3, "it is time for us to up our game". I believe we can do better.
The bans have been lifted now, thanks to some other good soul in the #debian channel, and I hope that once all parties involved get some well-deserved sleep, we'll be able to draw conclusions and then move past this.