
Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

GPG Key Transition

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

This is my GPG key transition statement. I am transitioning off of my old key:

07FD 0DA1 72D3 FC66 B910 341C 5337 E3B7 60DE C17F

To a new key:

D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E

The old key has not been compromised. The main reason for transition is this weak subkey:

sub1024R/0x085C4F046A46EBC9

I have generated a new, much stronger key. And I have done so in a way that (to an extent) protects me from ugly consequences of a possible private key loss (think: stolen laptop, with keys). I used these three great howtos:

With their help I have generated a master keypair, stowed away in a safe place; and a laptop keypair that I use day-to-day.

The master keypair has never touched my laptop or any device associated with me – it has been generated on an airgapped random loaner laptop in the Warsaw Hackerspace (every hackerspace has a few of these), running a copy of TAILS.

From it, the laptop keypair has also been generated on the airgapped loaner lappy. Then, the master keypair has been transferred to the storage medium, and the laptop pair – to my laptop; both have been safely wiped from the loaner afterwards (besides, everything was happening on a ramdisk anyway).

The minor inconvenience of this setup is that I can only sign other people’s keys with my master keypair, i.e. when I am not travelling.

Key Transition Statement

Below you’ll find my key transition statement. You can also download this statement signed by both the old and the new key.

GPG Key Transition Statement
Date: 30th December, 2014

For a number of reasons, I’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

pub 4096R/0x5337E3B760DEC17F 2011-09-28 [expires: 2014-12-30]
Key fingerprint = 07FD 0DA1 72D3 FC66 B910 341C 5337 E3B7 60DE C17F

And the new key is:

pub 4096R/0xEAA4EC8179652B2E 2014-10-14 [expires: 2020-10-12]
Key fingerprint = D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E

To fetch the full key from a public key server, you can simply do:

gpg --keyserver keys.riseup.net --recv-key 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'

If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'
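The two checks above (the fingerprint matches the one in the signed statement, and the new key carries a good certification from the old key) can be automated by reading gpg’s machine-readable output instead of eyeballing it. The script below is an added example and not part of the original post or of GnuPG itself; it assumes the colon-separated record format that gpg --with-colons --fingerprint --check-sigs KEY prints (fpr records carry the fingerprint in field 10, sig records carry the signer’s long key ID in field 5 and a validity flag in field 2, where ! means a good signature). The sample listing embedded in it is constructed: the UID string, timestamps and the subkey ID are placeholders, only the two fingerprints and key IDs come from the statement.

```python
"""Check a key-transition claim against gpg's machine-readable key listing.

Added example, not from the original post. Assumes the `--with-colons`
record layout documented in GnuPG's doc/DETAILS.
"""
import subprocess

# Fingerprints quoted in the transition statement.
OLD_FPR = "07FD 0DA1 72D3 FC66 B910 341C 5337 E3B7 60DE C17F"
NEW_FPR = "D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E"

# Constructed sample of `gpg --with-colons --fingerprint --check-sigs` output.
# UID text, timestamps and the subkey ID (all zeros) are placeholders.
SAMPLE_OUTPUT = """\
pub:u:4096:1:EAA4EC8179652B2E:1413237200:1602460800::u:::scESC::::::::
fpr:::::::::D0E9E1E3D80A098A0D0D7EC4EAA4EC8179652B2E:
uid:u::::1413237200::0000000000000000000000000000000000000000::Example UID <rysiek@hackerspace.pl>::::::::::0:
sig:!::1:EAA4EC8179652B2E:1413237200::::Example UID <rysiek@hackerspace.pl>:13x:::::::::
sig:!::1:5337E3B760DEC17F:1419897600::::Example UID <rysiek@hackerspace.pl>:10x:::::::::
sub:u:4096:1:0000000000000000:1413237200:1602460800:::::s::::::::
fpr:::::::::0000000000000000000000000000000000000000:
sig:!::1:EAA4EC8179652B2E:1413237200::::Example UID <rysiek@hackerspace.pl>:18x:::::::::
"""


def normalize(fpr: str) -> str:
    """Strip spaces and case so fingerprints from different sources compare equal."""
    return fpr.replace(" ", "").upper()


def long_keyid(fpr: str) -> str:
    """The 64-bit key ID is the last 16 hex digits of a v4 fingerprint."""
    return normalize(fpr)[-16:]


def parse_colon_output(text: str) -> dict:
    """Collect the primary key's fingerprint and who certified its user IDs.

    Only `sig` records between the primary `fpr` record and the first `sub`
    record are counted, so subkey binding signatures are ignored.
    """
    primary_fpr = None
    good_signers, all_signers = set(), set()
    in_primary = True
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "sub":
            in_primary = False
        elif rtype == "fpr" and primary_fpr is None:
            primary_fpr = fields[9]
        elif rtype == "sig" and in_primary:
            signer = fields[4]
            all_signers.add(signer)
            if fields[1] == "!":  # gpg verified this certification
                good_signers.add(signer)
    return {"fingerprint": primary_fpr,
            "good_signers": good_signers,
            "all_signers": all_signers}


def check_transition(colon_output: str, new_fpr: str, old_fpr: str) -> dict:
    """Answer the questions the statement asks its readers to check by hand."""
    info = parse_colon_output(colon_output)
    return {
        # Did we fetch the key whose fingerprint the statement quotes?
        "fingerprint_matches": info["fingerprint"] == normalize(new_fpr),
        # Does the old key vouch for the new one (good, not merely present)?
        "cross_signed_by_old": long_keyid(old_fpr) in info["good_signers"],
        # Sanity check: the new key's own self-certification verifies.
        "self_signed": long_keyid(new_fpr) in info["good_signers"],
    }


def run_gpg(fpr: str) -> str:
    """Fetch the live listing from a local gpg (only for real use; needs gpg installed)."""
    cmd = ["gpg", "--with-colons", "--fingerprint", "--check-sigs", normalize(fpr)]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # run_gpg(NEW_FPR) to check the key actually in your keyring.
    print(check_transition(SAMPLE_OUTPUT, NEW_FPR, OLD_FPR))
```

A signature whose validity flag is - (bad) or ? (signer’s key not in the keyring) is deliberately not counted: the point of the check is that gpg could verify the old key’s certification, not merely that some record names the old key ID.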

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key. You can do that by issuing the following command:

** NOTE: if you have previously signed my key but did a local-only signature (lsign), you will not want to issue the following, instead you will want to use --lsign-key, and not send the signatures to the keyserver **

gpg --sign-key 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'

I’d like to receive your signatures on my key. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

gpg --export 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E' \
    | gpg --encrypt -r 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E' \
    --armor | mail -s 'OpenPGP Signatures' rysiek@hackerspace.pl

Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations, and other updates in a timely manner. You can do regular key updates by using parcimonie to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.

I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message ;-)

https://we.riseup.net/debian/openpgp-best-practices

Please let me know if you have any questions, or problems, and sorry for the inconvenience.

Michał “rysiek” Woźniak rysiek@hackerspace.pl http://rys.io/

Internet in Poland to be porn-free after all?


Can’t leave parliamentarians alone for 3 days, can you.

Today, the Administration and Digitization Commission of Sejm (the lower chamber of Polish Parliament) has approved for further proceedings a project of “A Resolution concerning actions to limit children’s access to pornography on the Internet”, which used to “call upon the Minister of Administration and Digitization to guarantee parents a right to porn-free Internet” – the final draft is still not available on Sejm website, but it should soon be available here.

In comparison with the original project the new text is… better, although that does not mean it’s any good. Here it is for your reading pleasure (please note: the translation is mine and unofficial, and I omit the rather unimportant “whereas…” part):

RESOLUTION

By Sejm of the Republic of Poland of ……………

Concerning actions to limit children’s access to pornography on the Internet

(…)

  1. Sejm of the Republic of Poland moves for the Minister of Administration and Digitization to prepare solutions which will guarantee parents a right to access the Internet network free from pornography.
  2. These solutions should follow these guidelines:
    1. Any person should have the possibility to block transmission of any pornographic materials;
    2. An internet service provider should provide tools that would allow blocking transmission of pornographic materials;
    3. An internet service provider is required to provide tools that would allow blocking transmission of pornographic materials free of charge;
    4. An internet service provider can disable access to pornographic materials. An agreement with a customer should reflect this.
  3. Minister of Administration and Digitization shall present a proposal of such solutions within 18 months from the date of adoption of this resolution.

Wait, what?

Yep. The Commission has convened on this issue a mere week after the previous session, not giving enough time to properly prepare and have a serious discussion. At least the text has been changed in a way that makes it not entirely absurd (only just a bit, depending on who is reading it).

What does that mean?

One could read the text of the resolution in a way that would give the Ministry the possibility to simply reply:

There are parental filters available, free of charge, for any software platform, KTHXBAI.

…or, in a way that would require an answer along those lines:

ISPs are required to “voluntarily” censor the Net on the level of their core infrastructure, opt-in or opt-out.

Basically, we need to make sure that (providing that the resolution clears Sejm) the Ministry will not go in the direction of a solution that would introduce central filtering of the Internet.

The only sane solution I see is filtering on end-user devices (including home routers). During consultations last year, regarding this very topic, this has exactly been the solution we have suggested the Ministry should go along with. Time to take it off the shelf, I guess.

Now what?

Now Sejm has to decide, and this will happen during next few weeks. Unfortunately, the modified project apparently has the support of the coalition, so I’d like to invite Poles to write their representatives, and in the meantime I’m prepping up for an 18-month fight to keep any central-level filtering, be it obligatory or “voluntary” (as in the UK), limited to end-user devices.

This means a lot of work; if you feel it’s important or valuable – support Panoptykon.

Block everything!


Another couple of months, another bout of Internet censorship ideas. This time from two sides simultaneously. And it used to be so swell!

RSiUN from the dead

A year ago a representative of the Association of Employers and Employees of Bookmaker Companies has said…

It’s a very simple solution. A register of illegal gambling websites is created. Internet service providers are then obliged to block access to these websites from within Poland. In the opinion of our association such a solution is an effective gambling policy enforcement tool – and thus, an effective way to fight illegal gambling.

In the opinion of the undersigned the Esteemed Representative hasn’t the faintest idea about the topic. I would gladly invite him for a coffee and explain why such a solution is nowhere near being “simple”.

And we could leave it at that – as, for instance, just another case of “somebody person can’t into Internets and thinks that filtering will solve all problems”… if only the Ministry of Finance didn’t get inspired with the enlightening quote from the Esteemed Representative, and start pondering raising RSiUN from the cold, cold grave.

What’s RSiUN anyway?

It’s the Rejestr Stron i Usług Niedozwolonych (“Register of forbidden websites and services”, yes, the name is that good), an idea of the very same Ministry of Finance, floated years ago, to combat illegal gambling. Once the word had gotten out about the idea of introducing what can only be described as network core-level Internet censorship, a huge activist- and NGO-led campaign has been waged against it in the media and the public mind.

Finally, then-Prime Minister Donald Tusk (whom you might remember from being the Polish Prime Minister during the anti-ACTA debacle some years later, and today the “President of EU”) has agreed to meet “the Internet community”. After several hours of a live-streamed meeting a decision has been made to kill RSiUN off.

Today, the idea returns. In the words of minister Kapica:

I believe that at some point we will find ourselves in a situation where we will be able to convince public opinion that blocking illegal gambling websites does not interfere with political and human rights.

I, on the other hand, believe that our elected representatives and other authority figures could learn a thing or two from time to time; heck, they could even draw conclusions from history (either recent, or more ancient). I’m afraid, Dear Minister, that we are both a bit naïve in our faith.

Meantime, in the parliament

I must, however, do justice to Minister Dmowski, who during yesterday’s session of Administration and Digitization Commission of Sejm reported on results of last year’s public consultations on United Poland’s splendid “right to Internet without porn” idea.

I had the pleasure of listening to that report in person, and I heard, among others, that:

  • education is the crucial tool and should be the main mechanism used to support parents in assuring the right level of parental control over children’s Internet usage;
  • parental filtering software is available for all software platforms;
  • technical solutions should complement, not substitute, parent actions; and should be implemented on end-user devices only;
  • introduction of filtering mechanism requires introducing Internet usage surveillance – that could be dangerous (the word “China” even appeared);
  • content-based Internet use surveillance is incompatible with EU laws, which state that the legislator cannot impose a requirement of that kind on telecommunication companies (in Great Britain the government got around this rule by not regulating on it, but still pushing the telcos in a way that they “self-regulated” accordingly);
  • there’s an obvious problem with defining what exactly constitutes pornography;
  • the cost of creating an efficient and reasonably effective filtering system would be astronomical and not possible to bear particularly by small ISPs;
  • obvious issues arise regarding freedom of speech and of access to information;
  • mechanisms like these require constant upkeep, which means further, regular costs;
  • overblocking is a problematic issue (what about paintings containing nudity? biology materials?);
  • blocking of certain content is incompatible with net neutrality, while the Polish official stance on that is that Internet should stay neutral;
  • any filtering mechanism can be neutered, children will get around them, the British filter is already being circumvented.

To this slew of reasons why Internet filtering (read: censorship) is a bad idea, Mr Mężydło added a couple:

  • GIODO’s doubts about such ideas;
  • Czech and German experiences with filtering, where it was later cancelled.

Mr Mężydło, I must admit, won my heart by stating that (due to the fact that children learn fast how to circumvent UK porn filters)…

Cameron is raising a generation of hackers.

So there is a silver lining of Internet censorship after all! /joke

Children defenders mount an offensive

Could it be that years of arguing against Internet censorship finally reached the hearts and minds of our beloved leaders? Nah, that would be boring! Thankfully, we have our heroic defenders of children. It’s always about the children, isn’t it!

Mr Sosnowski lead the charge, albeit still on-topic – saying that “pornography is a problem” and that in Great Britain some effort has been undertaken to handle it, and what can we do to follow suit? It might be possible to talk to Mr Sosnowski and explain a few things.

This definitely is not the case, however, with Mrs Hrynkiewicz and Kempa (the latter being the very author of the draft resolution).

Mrs Hrynkiewicz straight out accused the Ministry of dodging responsibility, and the Sejm Office of Analysis (authors of a not-entirely-pro-censorship, but entirely fact-based, analysis of the project) of incompetence or being outright biased (with the government being so hostile towards the opposition and the parliament so entirely controlled by the government… not).

Madam Member exceptionally astonished

Main point of the programme was without a doubt Mrs Kempa, who turned out to be “exceptionally astonished” by Minister Dmowski’s report, as “Minister Boni used to lean in exactly the opposite direction”. I, for one, am exceptionally astonished with that statement, as having taken part in a number of meetings about similar and related topics I drew an exactly opposite conclusion (possibly stemming from one meeting in particular, where Mr Boni essentially put his foot down and stated that “we’re not here to discuss censoring the Internet, we are looking for a different solution to this problem”).

Might this discrepancy be somehow related to the fact that one of us wasn’t present on those meetings?

Children exceptionally attacked

Regardless of her exceptional astonishment Mrs Kempa was still able to defend children in earnest. After all:

Today’s discussion clearly shows how it is possible to use heavy guns against small children

And what would these children do had there been no Mrs Kempa and her broad chest to defend them? Who would defend them from “corporate interests” (in the mind of Mrs Kempa represented on the meeting by Mr Mężydło), and from the Ministry of Administration and Digitization, just looking for ways to weasel-out instead of looking for solutions (can’t expect Mrs Kempa to find a solution that does not exist, after all).

Constitution exceptionally abused

Mrs Kempa, as a lawyer, was also able and willing to dissect the much-used Article 54 (Section 2. of the Polish Constitution), called upon by members of the Commission more sceptical towards censorship:

  1. The freedom to express opinions, to acquire and to disseminate information shall be ensured to everyone.
  2. Preventive censorship of the means of social communication and the licensing of the press shall be prohibited. Statutes may require the receipt of a permit for the operation of a radio or television station.

Undoubtedly this article has to be read in the context of (here Mrs Kempa wasn’t so sure – was it Article 32, or 33? I kindly submit it’s Article 31, point 3, also in Section 2):

Any limitation upon the exercise of constitutional freedoms and rights may be imposed only by statute, and only when necessary in a democratic state for the protection of its security or public order, or to protect the natural environment, health or public morals, or the freedoms and rights of other persons. Such limitations shall not violate the essence of freedoms and rights.

Interesting how differently accents can be laid in this article. Mrs Kempa accented the “public morals” bit, while I usually put more pressure on “necessary in a democratic state” and “shall not violate the essence of freedoms and rights”.

Companies exceptionally profitable

The perspicacity of Mrs Kempa allowed her to see clearly through the dirty game of filtering detractors; obviously their main reason to oppose filtering is protecting profits of companies involved.

What companies? Well, Mrs Kempa was not kind enough to indicate them unambiguously (or, at all). One can only assume it’s either huge telecommunication companies (of which I am a well-known fan and supporter), or porno business (tracking them hand in hand with Twoja Sprawa Association).

Perhaps I should finally bill my business principals?

Internet exceptionally dangerous

Curiously, Mrs Kempa switched camps for a minute there. An oft-used argument against introducing Internet censorship to any extent is the fact that it can be used and abused to block other content: the extent and scope can and will be broadened to include more and more categories.

British pornfilter, for instance, now blocks so much more than porn.

Mrs Kempa stated that today we may be talking about filtering on-line pornography, but the next step would be to consider filtering (read: censoring) violence; next up, then, would be hate speech.

It’s interesting on several levels. For one, take how Mrs Kempa goes from something hard to define (and hence to create a good filter for) towards things that are even harder to define. Then – I am not entirely sure if Mrs Kempa really wants to introduce hate speech filtering, taking into account that mere months ago she was against introducing anti-hate speech regulation in the parliament.

Children exceptionally in need

For God’s sake, let’s not wheel out heavy guns against children!

…Mrs Kempa concluded, and I started pondering proposing 250EUR for each and every child of less than 16 years of age in Poland. Wouldn’t it be a better solution for the kids themselves? The idea is almost as absurd as Internet censorship, costs are probably similar, but I have a feeling it would have a much better outcome for the kids. Plus: there are no constitutional or human rights-related issues arising here!

Internet filtering proponents will not propose such an idea simply because they understand the absurdity of it in our economic reality. We can’t afford it, and we know it. Should I start stomping my feet and throwing a tantrum about how they are “wheeling out heavy guns against children”?

There are less absurd ideas, though. How about properly financing orphanages and youth hostels? Or finding the money to provide an ample amount of hot meals for children from poorer families? For a hungry child, a hot meal, I presume, might be a bit more interesting a proposal than “porn-free Internet”.

Why won’t Mrs Kempa channel her interest and time in the direction of effecting actual positive change for orphans? My guess is she is well aware that parents that are not interested in their children’s future might not be interested in voting for her even if she does.

A more cynical person might come to a conclusion that Mrs Kempa, simply put, thus inaugurated her electoral campaign. Not me. I believe it’s all really about children’s interests, after all – she might not have heard about orphanages yet. Maybe it’s time to tell her about them?

Internets, arise!

After five years of attending similar meetings and explaining to people over and over again why Internet censorship is an idea so bad, it actually has the word “censorship” in the name, you can get a bit tired. It was possible to kill RSiUN; to defuse the children protection directive implementation ideas; to generate some knowledge and understanding in the Ministry of Administration and Digital Affairs… and yet time after time somebody gets the bright idea and there we go again.

The draft resolution could have been killed yesterday, in first reading. It came through, instead (for killing it: 9 members of the Commission; against: 9 also). Next session in December. Depressing.

Sejm’s website contains a stimulating quote (from Polish Constitution of May 3, 1791):

All authority in human society takes its origin in the will of the people

Let us be inspired! You can use these letters (in Polish) to Minister Kapica and to members of the Administration and Digitization Commission. And here are the addresses should one wish to send these:

Jacek Kapica Podsekretarz Stanu Ministerstwo Finansów ul. Świętokrzyska 12 00-916 Warszawa, Poland

…and…

Poseł Andrzej Orzechowski Przewodniczący Komisja Administracji i Cyfryzacji Sejm Rzeczypospolitej Polskiej ul. Wiejska 4/6/8 00-902 Warszawa

Want more? You can send letters directly to members of the Commission, here’s the list, you can find addresses of their Member of Parliament bureaus on Sejm website, for instance here for Mrs Kempa, here for Mrs Hryniewicz, and here for Mr Sosnowski.

Need a letter directly to Mrs Kempa? Happy to provide, too!


And if that’s still not enough, you are heartily invited to support the Panoptykon Foundation. Members of Parliament receive salary for their work out of our pockets, activists usually work pro publico bono.

Introducing: rysiek's law of unavoidable consequences


For some time now I’ve been missing a short and succinct way to indicate why things like centralization at the service level are not entirely good ideas, regardless of how much we trust their operators.

So here it is – rysiek’s law of unavoidable consequences:

If it’s technically possible, it’s practically unavoidable.

Wait, what?

Well, the idea is simple. If, say, a given software project promises something (e.g. that it will not spy on users), we should not rely only on a promise. It should be technically impossible to break that promise, otherwise it will get broken sooner or later.

Here’s a longer, more verbose version:

If some undesirable actions or outcomes are technically possible, they should be assumed to be unavoidable.

There are many reasons this can happen: a break-in; a change of heart of the owner; a change of owner; law being changed, used or misused. Regardless of the reason, if it’s possible, it will happen.

The corollary being:

If there are some undesirable outcomes you want to avoid, make them technically impossible (or very hard).

Test drive: Ello

Let’s take Ello on, for instance. Ello promises some neat things – like “no ads” and being “privacy-friendly”. But is it technically possible for Ello to introduce ads to the network, and sell their users’ privacy out?

Well, yes. Yes it is.

So, once the management changes or decides they need some more money, there is nothing stopping them from doing just that.

Compare and contrast: Diaspora

Can Diaspora creators introduce ads and sell-out users on privacy?

Well, it’s much more complicated. The developers can introduce ad functionality to the code, but will server admins (who are not usually directly connected to the developers) introduce that code to their instances? Dubious. Because there are many different servers, users can pick and choose, and move to servers that do not support ads. Tl;dr being: it’s much harder, and much less possible.

Similarly, selling out users on privacy would rather be possible for the server admins instead of the developers (who do not have access to users’ private data). But:

  • no single server admin has access to private data of all Diaspora users;
  • if a given server is caught red-handed, users can just… move to a more privacy-friendly server, without much hassle.

This means that server admins have a strong incentive, grounded (among other things) in the technology itself, not to do nasty things; and it is technically not possible at all to do it across the whole network at the same time.

A broader perspective

If you think about it, this is exactly the reason why we have separation of powers. It’s not that we do not trust our current powers that are, it’s that we really don’t know who will be in power in a few short years. Separation of powers is the “technical” way of making sure we don’t have to rely only on trust.

And remember this?

The Net interprets censorship as damage and routes around it.

Censorship is technically impossible (or rather extremely hard) because of how the Internet is engineered. Had it been any other way, we would have a completely different Net.

Even Kerckhoffs’s principle is an example of a more specific version of the corollary.

Now we need to engineer this into software.

Stop paedophilia


Yet again we are implored to “think of the children” by more than 250 000 supporters of a bill proposed in Poland that would put a 2-year prison penalty on…

…whoever publicly promotes or condones undertaking sexual activities by minors of less than 15 years of age, or supplies them with materials facilitating such activities.

Yes, you are reading this right. Two years in jail for giving a teen child a condom just in case, or informing them where kids come from. I won’t even mention the filth called “sex-ed classes”! Yes, this also pertains to parents. What should a parent say when a child comes and asks how did their little sister get inside mummy? “Go ask the good reverend”, I guess.

Of course there’s a question of how the “pro-family” organisations that promote this enlightened idea reconcile their “pro-familiness” with the fact that such a law would have a great potential for breaking families apart, but I’ll leave that one for the Dear Reader to ponder. Also, while I find hate speech laws to be a bit problematic, as long as we have them on the books, how about somebody look into how these people identify paedophilia with not being heteronormative, eh?

Live by the sword…

I’ll leave dealing with the cranial rectal syndrome that makes people propose banning the best weapon we have against paedophiles (education) because they are afraid of paedophiles to those better suited for the task. Something else interests me in this situation.

For years I have taken part in many meetings concerning proposed Internet censorship measures. Each and every time “the paedophile argument” was one of the big guns in the proposers’ arsenal. One of the organisations that used to propose such measures (and use such arguments), today went through the looking-glass:

We are convinced that the changes proposed will not amount to effective tools against paedophilia. The project aims to ban educating children and youth about human sexuality, which equips them with knowledge required to notice threats, maintain own integrity and look for help

It is hard to fathom that in the 21st Century it is still possible to propose criminal penalties for supplying children with knowledge about their development and the nature of sexual relations, and to lump custodians, teachers and educators providing such education with paedophiles

While I do find it a bit surprising, today I have to agree wholeheartedly with the President of Fundacja Dzieci Niczyje.

Even with EME, Mozilla will become "the browser that can't"


During the weeks since Mozilla’s DRM-embracing decision to include EME there were quite a few voices defending Mozilla’s decision. Most of the serious defence basically boils down to: we had to; without EME/DRM support Mozilla would be the browser that can’t play video, and users would turn to other browsers which would jeopardize our work for freedom and open Internet in other areas.

As I have written before, users already have little reason to stay with Firefox, and the strongest selling point for many of the users still on Firefox has for the longest time been: that’s the freedom-preserving browser. With EME/DRM in Firefox, this reason is moot.

What’s tragic is that even with EME/DRM inside, which already cost Firefox some users from the freedom crowd (and inspired at least one fork, of course), Firefox is bound to also lose in the less freedom-centred crowd.

Think about it for just a short while. The whole basic idea of DRM is flawed beyond repair – software that has to make some content available to a user (to be viewed, for example), and simultaneously make the same content not available to the same user (so that it’s not possible to copy it).

This scheme has serious problems working even in closed-source, black-box software (sometimes even fails hilariously). How is it supposed to work in an open-source browser?

Let’s ponder a scenario, shall we?

1. Mozilla implements EME in Firefox

…and has DRM solution suppliers (like Adobe) write DRM plugins for Firefox. That’s where we’re at today.

2. Firefox now has to have some sort of protection of the decoded media stream

…so that it’s only available to the browser itself (to display to the user), but not the extensions – otherwise get ready for an extension that grabs the decoded media stream and saves it to disk (completely side-stepping any DRM) in 3… 2… 1…

3. May the forks be with you!

Say, how about a fork that removes this very protection of the decoded media stream, but leaves in-place the rest of the EME/DRM infrastructure? Somebody is bound to do it. At this point DRM/EME is completely side-stepped in this Firefox fork.

One of the defenders of Mozilla’s EME/DRM decision, Ben Moskovitz, remarks:

enabling users to do more is a feature.

Being able to save the media stream to disk sounds to me like enabling users to do more. Let us guess, then, which Firefox version will now become more and more popular, eh?

4. Hollywood and DRM providers get wind of the fork

Is there anything Mozilla can do to plug this hole? Not as long as the code is open and free-as-in-freedom! Ah, well, Hollywood won’t have any of that hippie bullshit, so they push DRM providers to remove support for Firefox (and its forks).

5. Game over

Mozilla lands with EME infrastructure and no DRM providers willing to write a plugin using it (as it would jeopardize their relationship with Hollywood), freesofties have already long moved to some more freedom-preserving browser, and regular users move to any browser that has DRM plugins for its EME infrastructure. You know, the closed-source ones.

After all, why would they stay on “a browser that can’t”?

EuroDIG 2014


Another day, another conference on Internet governance, this time close enough to go there on my own dime. Besides, Berlin is always a treat.

As was to be expected of a conference organised in ministerial halls, for the most part when it wasn’t objectionable, it was mind-bogglingly dull. And yes, the WiFi was as good as it gets at such events.

I have a strong policy of going to conferences mainly for the hallway/coffee chit-chat and making new acquaintances, and it was a winner this time around too.

Off for a “good” start

Starting off with a welcoming address by the powers that be, including Neelie Kroes, who deemed the conference so important, she made a video appearance (how about we agree on a rule that when you’re a politician wanting to have a point in a conference agenda, you can either come in person, or… pass entirely; no pre-recorded videos, please!), the conference gave no hope for anything of significance to happen within the confines of the programme.

Thankfully, you can always count on activists to bring the gravitas along. And while having Edward Snowden in the panel (or as a keynote speaker) would be the right thing to do, several Edwards Snowdens in the audience were the next best thing.

Multistakeholderism meets gender equality

The first panel focused on lessons learned from NETmundial, and made a good first impression with no chair available for the only female panelist. Were there any civil society participants on the panel? Of course not. Questions from the floor about that fact (asked by the undersigned) and about the glaring gender disproportion in the panel (asked by Mrs. O’Loughlin of the Council of Europe) were waved off as “off-topic”.

A representative of the organisers also remarked on how hard it was to find women for the panel. They tried, they just couldn’t find any in the right positions.

Let’s ponder this for just a moment, even though I don’t even know where to start.

I could say, for instance, that equality (gender, and otherwise) was a big issue at NETmundial, as evidenced in the opening address by Nnenna Nwakanma. I could refer you, Dear Reader, to concepts like the glass ceiling, and note how this is no excuse for not including women in the panel on an equal footing. I could, as I have in my question, note the irony of a panel about lessons from NETmundial (y’know, the multistakeholder conference on Internet governance) composed almost entirely of men, and with no representative of the third sector.

Or I could point out that including civil society in the panel might have made it easier for the organisers to find female panelists, as while the glass ceiling is indubitably also sadly present in civil society, it doesn’t seem to be as prevalent as in the government and business sectors.

Here’s a simple exercise: make your own suggestions of female panelists. I have my own shortlist, of course.

Sudden outbreak of relevancy

However, there is always hope. The “When the public sphere became private” workshop proved to be both inspiring and interesting, and the exchange of ideas relevant and much deeper than I would have expected.

It did help that the topic sounded eerily familiar, but the discussion went far and wide, touching on a number of related issues.

Private vs. privately-owned

There was an important distinction that had to be made, as became apparent in the course of the discussion, between two meanings of the word “private”, in the context of communication infrastructures.

The first meaning is “pertaining to or supportive of privacy”. Here, a private communication medium would mean a communication medium that ensures the privacy of the communication between the communicating parties.

The second one is, of course, “privately-owned”, with a private communication medium meaning a medium owned by a private entity.

Obviously, a similar distinction has to be made for the word “public” in the same context.

With this in mind it’s easy to see how crucial misunderstandings can arise when using these terms without making clear which of the particular meanings we have in mind. Specifically, privately-owned infrastructure can be (and often is) hostile towards privacy of the communicating parties.

Public sphere in private infrastructure

When the whole infrastructure is privately-owned, privacy is not the only problem. The public sphere is crucial to democratic processes, but today it is more and more being replaced by privately-owned and controlled fora. Public discourse should not, however, be contingent on rules made unilaterally by private entities. Or, as one of the workshop panelists neatly put it:

Public agora cannot underlie a business model based on surveillance

As always, the first step is admitting that we do have a problem, and I take it we are getting ready for such an admission. Finally. But what’s really interesting is the next step – what should we do about it? There is, unfortunately, no clear answer, but several ideas have been floated.

One of these is open standards, or requiring the operators of such privately-owned fora to at least supply APIs allowing full interoperability between different providers (think Facebook interoperating with Google+). Another (crazy, I give you that!) idea – floated by a friend of mine some time ago – is to have the source code of all software available at least for inspection, just like the ingredients listing on packaged food.

Yet another would be mandating a privacy impact assessment on all lawmaking activities, and on infrastructural decisions made (for instance) at governmental levels.

Finally, there was this gem:

Governments need to pass human rights as technical requirements

That’s something that really got my attention, as for some time now I have been pondering that we – the technical community, geeks, free-softies, etc. – should start making software with the assumption that if some abuse is possible, it is inevitable. And start designing our software for privacy just as we design it for security. I’ll elaborate on that in a separate post.

All of these need further thought and consideration; some might turn out workable, some might turn out impossible, and some combination of them might be the right way to proceed.

But the right questions are apparently finally being asked. Not holding my breath, but maybe next time we’ll even be able to find some less locked-down solution instead of a Twitter wall to bring in the remote participation…

Hacker in the Digital Affairs Council


It’s official – I have been confirmed as a member of the Digital Affairs Council to the Minister of Administration and Digital Affairs. I was recommended by Internet Society Poland and Polish Linux Users Group.

What is the Digital Affairs Council anyway?

The Council is the “minister’s advisory and consultative body” (as described in art. 17 of the informatisation law). That means that on one hand it doesn’t really get to make direct decisions; on the other, however, the Council’s recommendations will carry a certain weight (at least, that’s the theory).

The Council is an evolution of the Informatisation Council, operating since 2005. Several members of the current Council had been involved in that previous installment.

According to the law, the Council will propose and give its opinion on draft positions (among others, of the Council of Ministers), documents, development strategies, draft programmes and reports in the areas of informatisation, communications, information society development and rules regarding the functioning of public registers, rules for and the state of introducing ICT systems in public administration, and even Polish ICT terminology. And…

The Council can initiate activities related to informatisation, ICT market development, and development of information society.

The Council today has 20 members, representing administration, NGOs, technical organisations and business. What recommendations will the Council produce and which direction will it lean? What will the practicalities of its operation look like? Hard to say today. But the possibilities seem quite interesting.

Who’s in the Council?

I have had the pleasure of meeting several members of the Council on different occasions; not all of them, unfortunately. The ones I know paint an interesting picture.

  • Igor Ostrowski – Council Chairman; lawyer, Vice-Minister of Administration and Digital Affairs during anti-ACTA protests, before that a member of the Prime Minister’s Strategic Advisors Team; such a choice can only please, especially all “opennists” and privacy advocates out there.
  • Joanna Berdzik – Vice-Minister of Education, engaged in the Digital School project (including the Open Textbooks programme).
  • Dominik Skoczek – lawyer, represents the Polish Film-makers’ Association; during anti-ACTA protests he was the head of the Intellectual Property and Media Department in the Ministry of Culture and National Heritage, and responsible for the ACTA process; copyright maximalist, claiming that copyright reform proponents are only in it for “gratis access for users”.
  • Anna Streżyńska – well-known in Poland for her activities while presiding over the Office of Electronic Communications and successful fight against the Polish telco monopolist.
  • Katarzyna Szymielewicz – President and co-founder of the Panoptykon Foundation, unrelenting activist for privacy, freedom and personal autonomy in the times of pervasive surveillance.
  • Alek Tarkowski – “opennist”, Polish Creative Commons chapter co-ordinator, director of the Digital Centre; previously, with Igor Ostrowski, a member of the Prime Minister’s Strategic Advisors Team.
  • Elżbieta Traple – law professor, copyright law expert; during the post-ACTA Ministry of Administration and Digital Affairs workshops she proposed changes to Polish copyright law reaffirming fair use in the digital domain.
  • Jarosław Tworóg – Vice-President of the Board of the National Chamber of Electronics and Telecommunication; I’ve had the pleasure of taking part in several public consultation meetings along with Mr. Tworóg; expert in the area of electronics and telecommunication.
  • Agata Wacławik-Wejman – co-founder and Member of the Board of the Institute of Law and Society, policy counsel at Google.
  • Piotr VaGla Waglowski – operator of prawo.vagla.pl website, lawyer, activist, member of the Council of Panoptykon Foundation, co-initiator of organising Public Domain Day celebrations.

Hence we have openness and privacy activists on one hand, copyright maximalists and representatives of big IT companies on the other. What will come of this – we’ll see.

Public consultations and anonymity


The problem of anonymity – and the connected issue of representativeness – in public consultations (and wider: generally in public debate) seems to be a Gordian knot. On one hand, anonymity is indicated as necessary for a truly independent discourse; on the other, it invites behaviour that is far from desirable.

We tried to tackle this issue (both in the panels and during the workshops) at the Nowe perspektywy dialogu (“New perspectives of dialogue”) conference, held within the framework of the W Dialogu (“In Dialogue”) project – in which the FOSS Foundation cooperates with the Institute of Sociology at the University of Warsaw.

The Problem

Anonymity in a discussion has some advantages:

  • higher comfort of voicing opinions – the participants don’t have to consider what their spouse, boss or priest thinks of what they have to say; nor do they have to be concerned with potential government retribution for opinions that are not in-line with the “party line”;
  • higher capacity to change opinions – as one of the attendees noted, anonymous participants are more likely and willing to admit error and change their opinion based on facts and subject matter arguments;
  • reasoning instead of personal connections – anonymity allows the discussion to move beyond personal connections, relations and animosities, and focus more on subject matter arguments and facts.

Obviously, there are also important drawbacks:

  • trolling – likely to be present in any exchange of ideas, trolls are especially drawn to on-line discussions, and anonymity is a strong contributing factor;
  • mandate – it is hard to ascertain that every participant in an anonymous public debate has a mandate to partake in it (consider a participatory budgeting debate in a local community: non-residents shouldn’t be able to influence the decision);
  • lack of transparency – participants can voice their own opinion, but can work in the interest of particular companies or interest groups as well; while this is fine, transparency is crucial in a democratic society: information on how a given interest group lobbied might be important for the final decision, and it is non-trivial to provide accountability and transparency in an anonymous decision-making process;
  • sock-puppets – with anonymous participation, what is to stop certain participants, companies or interest groups from using multiple artificial identities to sway the decision?

Would it be possible to have the anonymous cookie and eat it too, though?

Shades of anonymity

First of all, it is worth remembering that there are several shades of anonymity, depending on:

  • what data is anonymized (e.g. affiliation, full name, address, gender, etc.);
  • with regard to whom is it anonymized (e.g. other participants to a given discussion, discussion organizers, observers, public institutions, media, etc.);
  • at what stage of the discussion the data is anonymized (e.g. only during the discussion, becoming available after it ends; entirely and with regard to the whole discussion and all of its effects; only after the discussion has concluded; etc.).

Additionally, statements in a discussion can be:

  • not signed at all, allowing for full anonymity – this way participants can’t even know whether any two statements were made by the same person or by different persons;
  • signed with a discussion-specific identifier (e.g. a random number), hiding the identity of authors, but making it possible to see which statements in a given discussion (but not beyond) are made by the same person;
  • signed with a global identifier in all discussions on a given platform (again: for example a random number or UUID), making it possible to check all statements a given person made in all discussions, but still not divulging their identity.

The first of these makes it impossible to follow a conversation (no way to be sure if we’re answering the same person, or some other participant). The second one allows for a better structuring of a given discussion, and makes it easier to follow the exchange of ideas. The last one doesn’t really differ from pseudonymity (apart from the fact that the identifier is chosen by the system, instead of by the participants themselves), hence it makes it possible for participants to build identities of sorts within a given platform.
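The three signing modes above can be implemented on a consultation platform with a keyed hash, so that a per-discussion identifier is stable within one discussion but unlinkable across discussions, while a global identifier stays the same everywhere. The following is an added example written for this page, not code from the original post or from any platform it mentions; the `Pseudonymizer` class, the platform secret and the sample statements are all constructed for illustration. A keyed HMAC rather than a plain hash is the important design choice: user identifiers come from a small space, so a plain hash could be reversed by trying every known user id, whereas the pseudonym cannot be reproduced without the platform’s secret.

```python
import hashlib
import hmac
import secrets
from enum import Enum
from typing import List, Optional, Tuple


class Signing(Enum):
    """The three ways a statement can be signed, as listed in the post."""
    NONE = "none"                      # fully anonymous, no identifier at all
    PER_DISCUSSION = "per_discussion"  # stable inside one discussion only
    GLOBAL = "global"                  # stable across the whole platform


class Pseudonymizer:
    """Hypothetical platform component that assigns identifiers to statements.

    The secret key never leaves the platform. It makes the pseudonyms
    non-invertible even though user ids are easy to enumerate.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)

    def _tag(self, *parts: str) -> str:
        # Join with a separator that cannot appear in ids, so that
        # ("ab", "c") and ("a", "bc") never collide. Truncated hex is
        # enough for a human-readable label; the full digest is not needed.
        msg = "\x1f".join(parts).encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def label(self, mode: Signing, user_id: str, discussion_id: str) -> Optional[str]:
        """Identifier shown next to a statement, or None for full anonymity."""
        if mode is Signing.NONE:
            return None
        if mode is Signing.PER_DISCUSSION:
            # Binding the discussion id in makes labels from two discussions
            # unlinkable, exactly the "discussion-specific identifier" case.
            return self._tag("discussion", discussion_id, user_id)
        if mode is Signing.GLOBAL:
            # Same label in every discussion: system-chosen pseudonymity.
            return self._tag("global", user_id)
        raise ValueError(f"unknown signing mode: {mode}")

    def publish(
        self, mode: Signing, statements: List[Tuple[str, str, str]]
    ) -> List[Tuple[Optional[str], str, str]]:
        """Replace real user ids with labels before anything leaves the platform."""
        return [(self.label(mode, user, disc), disc, text) for user, disc, text in statements]


def distinct_authors(published: List[Tuple[Optional[str], str, str]], discussion_id: str) -> Optional[int]:
    """How many distinct participants an organiser can count in one discussion.

    With no identifiers at all this is unknowable, which is the post's
    point about losing the ability to follow a conversation.
    """
    labels = [lab for lab, disc, _ in published if disc == discussion_id]
    if any(lab is None for lab in labels):
        return None
    return len(set(labels))


# Constructed sample input: (user id, discussion id, statement text).
SAMPLE_STATEMENTS = [
    ("user-7", "budget-2014", "Fund the bike lane."),
    ("user-7", "budget-2014", "It also improves safety."),
    ("user-12", "budget-2014", "Rather fix the sidewalks."),
    ("user-7", "library-hours", "Open later on weekdays."),
]

if __name__ == "__main__":
    p = Pseudonymizer()
    for mode in Signing:
        print(mode.value)
        for row in p.publish(mode, SAMPLE_STATEMENTS):
            print("   ", row)
</test>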

Different tools, different aims

Anonymity is a certain tool that can help us achieve certain goals, if we use it with care. How?

The Polish Data Protection Supervisor, dr Wiewiórowski, made a simple yet powerful distinction: anonymity makes sense and is very useful in general, high-level consultation processes. As soon as we start consulting on particular documents and discussing specifics, commas and numbers, transparency and accountability are much more important – as this is where particular interests really come into play, and we need ways to follow these very closely in a democratic society.

This was further supplemented by a thesis that a fully anonymous public consultation process needs to be evaluated with regard to subject matter by the consultation organisers, and its result should be treated as a guideline rather than a definite decision. If a given process is to be completely binding, it needs to be completely transparent.

Hence on one axis we have a whole spectrum of anonymity of public consultation processes, and on the other – a spectrum of how general or particular a given process is and how binding it should be. We also know that there is a strong correlation between the two axes: the more detailed and binding a given consultation process is, the more transparency and accountability are needed, hence less anonymity for its participants.

This correlation, I would say, is extremely powerful in organizing the discussion around anonymity in public consultations. It also means that it is impossible to make a decision about anonymity in a given consultation process without deciding first what kind of a process it is supposed to be. This is also crucial to all attempts at creating tools aiming to support such processes.

It’s worth noting we already have examples of quasi-consultation processes from both ends of the spectrum:

  • general elections are partially anonymous (participants are identified to ascertain their mandate, but the vote itself is secret, so that it is impossible to attribute a given ballot to a given voter), while at the same time being very general, high-level and not really binding with regard to particular decisions to be made by representatives (as anybody who voted for a politician just to see them back-pedal on their election-time promises knows full well);
  • consensus meetings around a particular issue are meant to be non-anonymous, fully transparent and accountable (every participant is required to give their name and affiliation), because they are to a large degree binding and concrete.

Another interesting example is the Chatham House Rule:

When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

Hence, during a meeting governed by the Rule participants are not anonymous to each other (which solves the problem of representativeness, helps structure the discussion better, etc.), but after the meeting all participants can expect full anonymity with regard to who said what (which in turn helps make the discussion more open, honest and not tied in with the particular interests of participants’ affiliations).

Why being a pirate is not worth it


I have lately been asked to write a short text on “why being a pirate is not worth it”. To be honest, I wasn’t entirely sure how to approach it, so we ended up changing the topic. However, challenges are there to be accepted, hence I decided to make an attempt in my free time and without deadlines. And no, even though my love towards the Polish Pirate Party is well-known, this is really not about them.

Undoubtedly, pirates have had a very positive public image nowadays, and for some time now. This has to be romanticism’s illegitimate child, this fascination with pirates’ uneven, solitary struggle against the unforgiving elements, and their resistance towards the social norms of their day. Resistance that banishes them from society for good.

It’s hard to tell, though, which goes first: was the resistance a reaction to rejection, or the other way around? Each pirate would have their own story to tell, and their own reasons.

What we will definitely find in piracy – the idealized version, that is – is admiration of the cold and brutal, yet beautiful nature, fascination with times long past (with their aesthetic and peculiar ethos) and a tragic yet determined strife for personal freedoms, against all odds and “the system” (feudal, with some rudimentary capitalism). That strife is what resonates so well today.

The problem is: this image is so idealized, it’s almost unrecognisable. It’s a Hollywood version, simplified and painted pretty, but not having much relation to historical facts.

Pirates were excluded from society, and constantly struggling with merciless elements, that’s undisputed. However, they were far from being as “anti-system” as we’d like to think – they often had a mandate from one of the sea powers, and operated in a manner we would today call “freelancing”. So much for the romantic ideal of a freedom fighter.

Sailing ship crews, especially pirates, were controlled by the iron will (and fist) of the captain, the death toll was always high, and the cruel sea was as much a reason for this as were the brutal and inhumane punishments administered with the conviction (not that far from the truth) that only fear can keep a crew of bandits in check. Full-blown feudalism, only at sea and drowned in blood.

Of course, pirates’ blood was not the only blood being spilt: crews of captured merchant ships were rarely spared – after all, who’s to feed and guard tens of prisoners in hard conditions at sea?

A pirate’s life was the cruel life of a bandit on an uncompromising sea, threatened from every side: the elements, the captain, fellow crew members, attacked crews and finally – navy ships, trying to keep control over trading routes.

Not a life to envy.

Those of you who expected something about copyright law and copying on the Internet, might I remind you that “piracy” is not downloading music from the Web. I’d like to suggest familiarizing oneself with this helpful infographic.