Skip to main content

Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

Breaking radio silence

After a long while (almost 5 years!), the blog is finally back online. Yes, I finally came to terms with the word “blog”. Also, the title got changed to what a major translation service spat out when fed the Icelandic information security law.

I admit it took way too much time for me to finally start working on bringing the blog back, and then again too much time to actually get it done. I probably did overthink stuff massively. As I am prone to do.

But hey, at least we can now have…

Nice things

There are Atom and RSS feeds; I am also considering adding a JSON feed. There is a Contents page with tag- and language-based filtering available, all implemented without a single line of JavaScript and no external includes. All the content from the old site is preserved and old URLs are redirected to new URLs (if the URLs got changed).

Care was taken to make the site usable for screen readers, and to be readable and useful even with CSS completely blocked. Go ahead, check how the site looks with CSS disabled! One page where it is very difficult to make the pure markup nice and easy to use is the Contents page, due to CSS-based interactivity, but even that page is not horrid I hope, and I am eager to improve.

I am also sure there is plenty I could improve for screen readers and other assistive technologies. Feedback welcome.

Plans

Eventually, I am planning to add a Tor Onion Service (with Alt-Svc or Onion-Location headers), Gemini site, and PDF/EPUB versions of each article. You can already get a source Markdown version for each post, see just below a post’s title, on the right.

The whole thing is a static site, so it won’t break due to a PHP version upgrade – which, as embarassing as it is to admit it, was the reason why the site went dark all those years ago. This also means I can add more interesting stuff later: put it behind Fasada, easily deploy Samizdat, or generate a zipfile to download and browse off-line for anyone who is so inclined.

I would like the site to become a bit of a showcase of different ways websites can be made resilient against web censorship. I don’t expect rys.io to be blocked anywhere, but making it such a showcase could perhaps help admins of other websites, more likely to be blocked, figure out ways to stay available for their readers.

You can read a bit more about the site (theme, header graphic, etc.) on the About page.

Blast from the past

After pondering this for quite a while, I decided to bring back all of the content that was available on the blog until it went under. All old content is tagged as ancient.

For some posts bringing them back was an obvious decision:

Subjectively on Anti-ACTA in Poland
A subjective historical record of the Anti-ACTA campaign in Poland, referenced by quite a few other sites.
Why I find -ND unnecessary and harmful
The No Derivatives versions of Creative Commons licenses are quite problematic. Here’s why.
How information sharing uproots conservative business models
Copyright was never really about authors’ rights. If the Internet is incompatible with copyright-based business models, it’s the business models that need to adapt.
Blurry line between private service and public infrastructure
The question of when does a private service become de facto public infrastructure (and what should be done about it) is exactly the question that needs answering now in the context of Big Tech.

Others are perhaps interesting in the context of the Fediverse, especially considering they have been published years before Fediverse was even a thing:

Breaking the garden walls
This was written with Diaspora and pre-Pump.io Identi.ca in mind, and it’s interesting to see how the Fediverse basically solves the first two steps mentioned in that post.
Diaspora-Based Comment System
A decade ago I advocated for a decentralized social media based comment system for blogs; way before it was cool got implemented as ActivityPub plugins for WordPress and for Drupal.
Social blogosphere
Another take on the idea of decentralized social media enabled blogs.

Some are braindumps, summaries of experience I gained from particular workshops or through my activism. They might still be useful, although at least partially they might have not aged all that well:

Border conditions for preserving subjectivity in the digital era
Summary of a workshop about subjectivity (that is: being a subject, not an object, of actions; having agency) online.
HOWTO: effectively argue against Internet censorship ideas
Eight years ago Internet censorship landscape was similar yet different in many interesting ways. Still, useful snapshot of an activist’s perspective on it at a particular point in time.
Public consultations and anonymity
How does pseudonymity and anonymity work withing a public consultations process? Can they bring value to them, even though they make accountability more difficult?

But then… then there are the other posts. The silly ones, or those published before I figured out this whole blogging thing (today they would be toots on the fedi instead). I struggled with those, but in the end decided to keep them for histerical (sic!) record.

Lot of effort went into this site. I hope you enjoy reading it as much as I enjoyed creating it!

Centralisation is a danger to democracy

A version of this post was originally published on Redecentralized and VSquare.

After the violent events at the US Capitol social media monopolists are finally waking up to the reality that centralisation is dangerous; with power over daily communication of hundreds of millions of users comes responsibility perhaps too big even for Big Tech.

For years Facebook and Twitter were unwilling to enforce their own rules against those inciting violence, in fear of upsetting a substantial part of their userbase. Now, by banning the accounts of Donald Trump and peddlers of QAnon conspiracy theory they are hoping to put the genie back in the bottle, and go back to business as usual.

Not only is this too little too late, but needs to be understood as an admission of complicity.

After all, nothing really changed in President Trump’s rhetoric, or in the wild substance of QAnon conspiracy theories. Social media monopolists were warned for years that promoting this kind of content will lead to bloodshed (and it has in the past already).

Could it be that after the electoral shake-up what used to be an asset became a liability?

A “difficult position”

I have participated in many a public forum on Internet governance, and whenever anyone pointed out that social platforms like Facebook need to do more as far as content moderation is concerned, Facebook would complain that it’s difficult in their huge network, since regulation and cultures are so different across the world.

They’re not wrong! But while their goal was to stifle further regulation, they were in fact making a very good argument for decentralisation.

After all the very reason they are in this “difficult position” is their business decision to insist on providing centrally-controlled global social media platforms, trying to push the round peg of a myriad of cultures into a square hole of a single moderation policy.

Social media behemoths argued for years that democratically elected governments should not regulate them according to the will of the people, because it is incompatible with their business models!

Meanwhile they were ignoring calls to stifle the spread of violent white supremacy, making money hand over fist by outrightpromoting extremist content (something their own research confirms).

Damage done to the social fabric itself is, unsurprisingly, just an externality.

Damned if you do, damned if you don’t

Of course, major social media platforms banning anyone immediately raise concerns about censorship (and those abusing those social networks to spread a message of hate and division know how to use this argument well). Do we want to live in a world where a handful of corporate execs control the de-facto online public space for political and social debate?

Obviously we don’t. This is too much power, and power corrupts. But the question isn’t really about how these platforms should wield their power — the question is whether these platforms should have such power in the first place.

And the answer is a resounding “no”.

Universe of alternatives

There is another way. The Fediverse is a decentralised social network.

Imagine if Twitter and Facebook worked the way e-mail providers do: you can have an account on any instance (as servers are called on the Fediverse), and different instances talk to each other — If you have an account on, say, mastodon.social, you can still talk to users over at pleroma.soykaf.com or almost any other compatible instance.

Individual instances are run by different people or communities, using different software, and each has their own rules.

These rules are enforced using moderation tools, some of which are simply not possible in a centralised network. Not only are moderators able to block or silence particular accounts, but also block (or, “defederate from”) whole instances which cater to abusive users — which is inconceivable if the whole network is a single “instance”.

Additionally, each user has the ability to block or silence threads, abusive users, or whole instances, too. All this means that the response to abusive users can be fine-tuned. Because Fediverse communities run their own instances, they care about keeping any abuse or discrimination at bay, and they have the agency to do just that.

Local rules instead of global censorship

White supremacy and alt-right trolling were a problem also on the Fediverse. Services like Gab tried to become part of it, and individual bad actors were setting up accounts on other instances.

They were, however, decisively repudiated by a combination of better moderation tools, communitiesbeing clear about what is and what is not acceptable on their instances, and moderators and admins being unapologetic about blocking abusive users or defederating from instances that are problematic.

This talk by technology writer and researcher Derek Caelin provides pretty good overview of this (along with quite some data), I can only recommend watching it in full.

Now, alt-right trolls and white supremacists are all but limited to a corner of the Fediverse almost nobody else talks to. While it does not prevent a dedicated group from talking hatefully among themselves on their own instance (like Gab), it does isolate them, makes radicalising new users harder, and protects others from potential abuse. They are also, of course, welcome to create accounts on other instances, provided that they behave themselves.

All that despite there not being a central authority to enforce the rules. Turns out not many people like talking to or platforming fascists.

Way forward

Instead of trying to come up with a single centrally-mandated set of rules — forcing it on everyone and acting surprised when that inevitably fails — it is time to recognise that different communities have different sensibilities, and members of these communities better understand the context and can best enforce their rules.

On an individual level, you can join the Fediverse. Collectively, we should break down the walls of mainstream social media, regulate them, and make monetising toxic engagement spilling into public discourse as onerous as dumping toxic waste into a river.

In the end even the monopolists are slowly recognising moderation in a global centralised network is impossible and that there is a need for more regulation. Perhaps everyone else should too.

Needless haystacks

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

I find that in most situations where any mishap is involved, especially with any large institutions in the picture, Hanlon’s razor tends to apply, and is a good working model to base assumptions on.

This has been the case with most Internet censorship debates in Poland, for instance. Assuming malice really wasn’t helping to get our point across.

Of needles and haystacks

This is why I am flabbergasted with NSA’s (and the rest of the gang, too) insistence on gathering as much data as they can. Sure, for most regular Jacks or Jills, “you need the haystack to find the needle” might sound about right. A bit more observant person might however do a double-take: “wait, what?”. When I’m searching for a needle, the last thing I want or need is an ever-larger haystack. Something’s fishy.

Then, they might go the extra mile and dig a bit, finding out that NSA’s data has no real impact on anti-terrorism efforts. Maybe they’ll even dig out a 2007 Stratfor report on the “obstacles to the capture of Osama”, pointing out things like:

[T]he Taliban and al Qaeda so far have used their home-field advantage to establish better intelligence networks in the area than the Americans.

And:

One big problem with this, according to sources, was that most of these case officers were young, inexperienced and ill-suited to the mission.

Or this gem:

This lack of seasoned, savvy and gritty case officers is complicated by the fact that, operationally, al Qaeda practices better security than do the Americans.

And while one of the sections of the report is indeed entitled “Needle in a Haystack”, it doesn’t exactly support the “we need the whole haystack” narrative of the NSA and it’s ilk. Because this narrative simply makes no sense. Why? Because math.

When we’re talking about searching large datasets for something, we need to account for false positives and false negatives. The larger the dataset, the larger a problem they become. But don’t take my word for it, Floyd Rudmin has written a great analysis of this back in 2006:

Suppose that NSA’s system is really, really, really good, really, really good, with an accuracy rate of .90, and a misidentification rate of .00001, which means that only 3,000 innocent people are misidentified as terrorists. With these suppositions, then the probability that people are terrorists given that NSA’s system of surveillance identifies them as terrorists is only p=0.2308, which is far from one and well below flipping a coin. NSA’s domestic monitoring of everyone’s email and phone calls is useless for finding terrorists.

That’s right. Even if we assume amazingly good accuracy, the agency has a better chance catching a terrorist by flipping a coin, than by actually using the data they gather.

Unknown knowns and competent incompetence

That’s exactly why I am flabbergasted: usually that would be the point where I’d call upon Hanlon’s razor. But we have just assumed that NSA is really, really competent in what they’re doing, and what they’re doing is, in no small part, math.

So either they are very, very competent and understand that mass surveillance cannot work the way NSA claims it is supposed to; or they are not competent enough to know this, but then all the more they lack the most basic skills to work with datasets they have. Can’t have it both ways!

The third way

The scary possibility is that NSA knows this full well, and yet they still gather the data. Why would they do this? Well, while it might not be all that useful to catching terrorists, it might be a game-changer in areas where the numbers are different. Again, Floyd Rudmin puts it best:

Also, mass surveillance of the entire population is logically plausible if NSA’s domestic spying is not looking for terrorists, but looking for something else, something that is not so rare as terrorists. For example, the May 19 Fox News opinion poll of 900 registered voters found that 30% dislike the Bush administration so much they want him impeached. If NSA were monitoring email and phone calls to identify pro-impeachment people, and if the accuracy rate were .90 and the error rate were .01, then the probability that people are pro-impeachment given that NSA surveillance system identified them as such, would be p=.98, which is coming close to certainty (p_1.00).

So are the NSA and other security agencies too incompetent to understand mass surveillance is useless for its stated purpose, or are they competent enough to understand it and the real purpose is just a bit different?

Neither possibility makes me feel safer. Or be safer, for that matter.

Ban on encryption is not about banning encryption

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

David Cameron’s bright idea to ban encryption that is not backdoored by the UK law enforcement, backed, of course, by Barrack Obama, is not exactly popular among the geeks and the technically savvy.

Main argument against the ban goes: if an encryption system has a master key, “bad guys” too can get it or discover it. The whole encryption scheme, then, is critically flawed.

Apart from that, the prevailing view among the geeks and hackers can be summarized as “good luck banning it, I’m going to use it anyway and what are they going to do about that? They’re not going to put us all in jail!”

Problem is, the ban is not about banning encryption. It’s about criminalizing its use and flagging those who use it.

Hence, the whole technical community – hackers, activists, IT specialists, etc – discussing technical merits of the proposal and technical means to go around it once introduced miss the point completely. Technical issues are not relevant for the British PM and his ilk.

All for one and one for all

Right now John McDoe using an HTTPS-protected website or TLS-protected IMAP-server basically uses the same crypto, that a TOR-using privacy activist does. AES, Diffie-Hellman key exchange, public-key crypto are all there. These are tried and true, based in some basic math, ingeniously used.

If any of the elements gets compromised, it’s compromised for everybody. Security of your bank’s HTTPS-protected website is directly connected to the security of TOR or GnuPG.

And of course, it’s as deplorable to the listeners, as it is obvious to the techies.

Show me a man and I’ll find a crime

Making strong, non-backdoored crypto illegal is a neat “solution” to this “problem”.

Banks and large corporations will bend over, because being prosecuted for non-compliance with “legislation critical to national security” is not good for business. Besides, they’re patriots, right?

Anything used or offered officially by any company in the UK or the US will have to be backdoored. This will “solve the problem” of commercially-available secure platforms, offering good security and privacy for non technically-savvy users. You either pay for backdoored encryption, or are on your own using (unwieldy at times) FLOSS tools.

Of course, the tech-savvy can still use the encryption tools, and help the less technically fluent to do so too. However, when they do, they become criminals. The Government does not have to show that you did anything illegal other than the simple fact that you used non-backdoored encryption services or software.

The very fact of wanting to stay secure and keep your privacy will become a criminal offence.

How can they prove you used non-backdoored encryption tools? Simply by saying so, provided that you used any encryption at all. This also means that even if you do use a backdoored encryption platform, the Government can always claim that this particular platform has not been backdoored, and therefore you still broke the law. You have no way of proving otherwise. Can we guess how that plays out?

Oh, and have you ever participated in a CryptoParty, or, even worse, organised one? Congratulations, you might also be liable also for “conspiracy to commit a crime”.

Nobody’s going to be putting non-backdoored encryption users in jail by the dozen, no doubt. But as soon as the Government wants you, they can have you. By the balls or behind the bars.

Not Free as in Beer

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

This text has been written for the CopyCamp 2014 post-conference publication, where it has been published originally. I recommend the whole publication, and hope to see you at CopyCamp this autumn.

Free as in Freedom,

  • not free as in beer*

Richard M. Stallman’s quote, well known to free software advocates, brings clarity to an ambiguous term – “free” can refer to freedom, or can mean “gratis”; both can be on-topic as far as software is concerned. It has also become, in a way, the motto of the free software movement.

Many initiatives draw inspiration from free software philosophy – libre culture movement, Wikipedia, open educational resources, and many other, base on ideas floated by and tested within free and open source software projects. The “free as in freedom, not free as in beer” thought is also present outside of the freedom-loving software developers’ world.

Usually it’s the first part of the quote that gets the most attention and focus. It is about freedom, after all, and not about whether or not something is available gratis. This focus was (and is) required to clearly demarcate software, culture or educational resources that give and preserve freedoms of their users from those that are just available cost-free (allowing for access, yet denying the rest of the Four Freedoms); the priceless from the zero-priced.

We might need to change that accent, however. Software developers, artists and educational resources creators, libre or not, have to eat, too.

Four Freedoms

Richard Stallman had introduced a simple yet effective criterion of whether or not a given software (or any other resource, for that matter) is freedom-preserving – its license has to guarantee:

  • freedom to run/use the program without any restrictions;
  • freedom to examine how it works and to modify it;
  • freedom to distribute it further;
  • freedom to distribute one’s own modifications of it.

To make extending the set of libre software easier, in the first free software license, the GNU GPL, one more trick has been also used – copyleft, the requirement that all software based on GPL-licensed software will also have to be distributed under the same terms.

Copyleft clause has since become a point of contention within the free/libre/open-source software community. The debate between its detractors and proponents is as vivid today, as it has been 30 years ago.

The former prefer non-copyleft licenses, like MIT or BSD; the latter – promote the use of GNU GPL family of licenses.

The MIT/BSD crowd argues that copyleft denies developers of derivative works (in this case, software based on a GNU GPL-licensed project) the freedom to close their project or change the license.

The GNU GPL side points out that even if that particular freedom is denied in such a case, it’s for the greater good – others, including the users of the derivative work, have their four freedoms preserved.

The debate, then, concerns the freedom of the derivative work’s author to close that work, versus the four freedoms of all users, ever. And of course, this is relevant not only to software.

Business models

Within the software development world and outside of it the copyleft clause tends to be considered “bad for business”. Derivative work authors would like to be able to close their works regardless of the licensing of the originals, so as to earn a living on them – after all, how can one make money on something that is free to copy at will?

The answer lies with new business models, compatible with the culture of sharing (and sharing of culture). Crowdfunding, voluntary payment-based models, making money on merchandise (like band t-shirts) or concerts, and (in the case of software) selling services like feature implementation, support, or deployment, allow the creators to thrive and earn a living even though – or, as often is the case, precisely because of – fans sharing of their works.

These are not obvious and seem uncertain – and yet more and more often they finance productions, large and small. On the other hand, the “tried and tested” ways of making money on creative work are not a guaranteed way to make a profit. Even more so with the market being saturated by huge companies.

Preference for non-copyleft licenses might stem from lack of trust to new models: “I might want to sell a closed product based on this, what then?” However, if I can close something, others can, too. We’re all worse-off.

Heartbleed

The Heartbleed debacle illustrates this well. A trivial software bug in a popular free software library used on the Net by big and small alike to provide secure transmission had huge consequences for the whole FLOSS ecosystem, and broader: for the whole Internet. It also remained undiscovered for years.

Software involved – the OpenSSL library – is available on a non-copyleft license. It’s being used by companies, including most of the heavyweights (including Google, Facebook, and Amazon), in their products and services.

They use it, but do not really help develop this crucial piece of software. OpenSSL developers did not have the funds for regular code audits that would have discovered the bug long before it caused any harm.

Large companies also do not share their modifications. OpenSSL’s license does not require it, so why would they? Turns out Facebook modified their OpenSSL version in a way that (inadvertently, probably) made it insusceptible to the bug.

Had OpenSSL used a copyleft license, requiring sharing modified code with the community, Heartbleed might have been discovered much earlier, causing much less harm.

Not free as in beer

Free software, libre culture, open educational resources development has its cost. Thousands donate their time and expertise, and share effects of their work. It often is overlooked, usually when while arguing for use of FLOSS the “it’s gratis” argument is being used.

It is not. Time to start properly valuing the work put into those initiatives. And to support them, also financially.

Copyleft, turns out, can help here too: if nobody can close my work, I myself can also use their enhancements. We’re all better-off.

GPG Key Transition

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

This is my GPG key transition statement. I am transitioning off of my old key:

07FD 0DA1 72D3 FC66 B910 341C 5337 E3B7 60DE C17F

To a new key:

D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E

The old key has not been compromised. The main reason for transition is this weak subkey:

sub1024R/0x085C4F046A46EBC9

I have generated a new, much stronger key. And I have done so in a way that (to an extent) protects me from ugly consequences of a possible private key loss (think: stolen laptop, with keys). I used these three great howtos:

With their help I have generated a master keypair, stowed away in a safe place; and a laptop keypair that I use day-to-day.

The master keypair has never touched my laptop or any device associated with me – it has been generated on an airgapped random loner laptop in the Warsaw Hackerspace (every hackerspace has a few of these), running a copy of TAILS.

From it, the laptop keypair has been also generated on the airgapped loner lappy. Then, the master keypair has been transferred to the storage medium, and the laptop pair – to my laptop; both have been safely wiped from the loner afterwards (besides, everything was happening on a ramdisk anyway).

The minor inconvenience if this setup is that I can only sign other people’s keys with my master keypair, i.e. when I am not travelling.

Key Transition Statement

Below you’ll find my key transition statement. You can also download this statement signed by both the old and the new key.

GPG Key Transition Statement Date: 30th December, 2014

For a number of reasons, i’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but i prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

pub 4096R/0x5337E3B760DEC17F 2011-09-28 [2014-12-30](expires:) Key fingerprint = 07FD 0DA1 72D3 FC66 B910 341C 5337 E3B7 60DE C17F

And the new key is:

pub 4096R/0xEAA4EC8179652B2E 2014-10-14 [2020-10-12](expires:) Key fingerprint = D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E

To fetch the full key from a public key server, you can simply do:

gpg --keyserver keys.riseup.net --recv-key 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'

If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key. You can do that by issuing the following command:

** NOTE: if you have previously signed my key but did a local-only signature (lsign), you will not want to issue the following, instead you will want to use –lsign-key, and not send the signatures to the keyserver **

gpg --sign-key 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E'

I’d like to receive your signatures on my key. You can either send me an e-mail with the new signatures (if you have a functional MTA on your system):

gpg --export 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E' \ | gpg --encrypt -r 'D0E9 E1E3 D80A 098A 0D0D 7EC4 EAA4 EC81 7965 2B2E' \ --armor | mail -s 'OpenPGP Signatures' rysiek@hackerspace.pl

Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations, and other updates in a timely manner. You can do regular key updates by using parcimonie to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.

I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message ;-)

https://we.riseup.net/debian/openpgp-best-practices

Please let me know if you have any questions, or problems, and sorry for the inconvenience.

Michał “rysiek” Woźniak rysiek@hackerspace.pl http://rys.io/

Internet in Poland to be porn-free after all?

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

Can’t leave parliamentarians alone for 3 days, can you.

Today, the Administration and Digitization Commission of Sejm (the lower chamber of Polish Parliament) has approved for further proceedings a project of “A Resolution concerning actions to limit children’s access to pornography on the Internet”, which used to “call upon the Minister of Administration and Digitization to guarantee parents a right to porn-free Internet” – the final draft is still not available on Sejm website, but it should soon be available here.

In comparison with the original project the new text is… better, although that does not mean it’s any good. Here it is for your reading pleasure (please note: the translation is mine and unofficial, and I omit the rather unimportant “whereas…” part):

RESOLUTION

By Sejm of the Republic of Poland of ……………

Concerning actions to limit children’s access to pornography on the Internet

(…)

  1. Sejm of the Republic of Poland moves for the Minister of Administration and Digitization to prepare solutions which will guarantee parents a right to access the Internet network free from pornography.
  2. These solutions should follow these guidelines:
    1. Any person should have the possibility to block transmission of any pornographic materials;
    2. An internet service provider should provide tools that would allow blocking transmission of pornographic materials;
    3. An internet service provider is required to provide tools that would allow blocking transmission of pornographic materials free of charge;
    4. An internet service provider can disable access to pornographic materials. An agreement with a customer should reflect this.
  3. Minister of Administration and Digitization shall present a proposal of such solutions within 18 months from the date of adoption of this resolution.

Wait, what?

Yep. The Commission has convened on this issue mere week after the previous session, not giving enough time to properly prepare and have a serious discussion. At least the text has been changed in a way that makes it not entirely absurd (only just a bit, depending on who is reading it).

What does that mean?

One could read the text of the resolution in a way that would give the Ministry the possibility to simply reply:

There are parental filters available, free of charge, for any software platform, KTHXBAI.

…or, in a way that would require an answer along those lines:

ISPs are required to “voluntarily” censor the Net on the level of their core infrastructure, opt-in or opt-out.

Basically, we need to make sure that (providing that the resolution clears Sejm) the Ministry will not go in the direction of a solution that would introduce central filtering of the Internet.

The only sane solution I see is filtering on end-user devices (including home routers). During consultations last year, regarding this very topic, this has exactly been the solution we have suggested the Ministry should go along with. Time to take it off the shelf, I guess.

Now what?

Now Sejm has to decide, and this will happen during next few weeks. Unfortunately, the modified project apparently has the support of the coalition, so I’d like to invite Poles to write their representatives, and in the meantime I’m prepping up for an 18-month fight to keep any central-level filtering, be it obligatory or “voluntary” (as in the UK), limited to end-user devices.

This means a lot of work; if you feel it’s important or valuable – support Panoptykon.

Block everything!

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

Another couple of months, another bout of Internet censorship ideas. This time from two sides simultaneously. And it used to be so swell!

RSiUN from the dead

A year ago a representative of the Association of Employers and Employees of Bookmaker Companies has said…

It’s a very simple solution. A register of illegal gambling websites is created. Internet service providers are then obliged to block access to these websites from within Poland. In the opinion of our association such a solution is an effective gambling policy enforcement tool – and thus, an effective way to fight illegal gambling.

In the opinion of the undersigned the Esteemed Representative hasn’t the faintest idea about the topic. I would gladly invite him for a coffee and explain why such a solution is nowhere near being “simple”.

And we could live it at that – as, for instance, just another case of “somebody person can’t into Internets and thinks that filtering will solve all problems”… if only the Ministry of Finance didn’t get inspired with the enlightening quote from the Esteemed Representative, and start pondering rising RSiUN from the cold, cold grave.

What’s RSiUN anyway?

It’s the Rejestr Stron i Usług Niedozwolonych (“Register of forbidden websites and services”, yes, the name is that good), an idea of the very same Ministry of Finance, floated years ago, to combat illegal gambling. Once the word had gotten out about the idea of introducing what can only be described as network core-level Internet censorship, a huge activist- and NGO-led campaign has been waged against it in the media and the public mind.

Finally, then-Prime Minister Donald Tusk (whom you might remember from being the Polish Prime Minister during the anti-ACTA debacle some years later, and today the “President of EU”) has agreed to meet “the Internet community”. After several hours of a live-streamed meeting a decision has been made to kill RSiUN off.

Today, the idea returns. In the words of minister Kapica:

I believe that at some point we will find ourselves in a situation where we will be able to convince public opinion that blocking illegal gambling websites does not interfere with political and human rights.

I, on the other hand, believe that our elected representatives and other authority figures could learn a thing or two from time to time; heck, they could even draw conclusions from history (either recent, or more ancient). I’m afraid, Dear Minister, that we are both a bit naïve in our faith.

Meantime, in the parliament

I must, however, do justice to Minister Dmowski, who during yesterday’s session of Administration and Digitization Commission of Sejm reported on results of last year’s public consultations on United Poland’s splendid “right to Internet without porn” idea.

I had the pleasure of listening to that report in person, and I heard, among others, that:

  • education is the crucial tool and should be the main mechanism used to support parents in assuring the right level of parental control over children’s Internet usage;
  • parental filtering software is available for all software platforms;
  • technical solutions should complement, not substitute, parent actions; and should be implemented on end-user devices only;
  • introduction of filtering mechanism requires introducing Internet usage surveillance – that could be dangerous (the word “China” even appeared);
  • content-based Internet use surveillance is incompatible with EU laws, which states that legislator cannot impose a requirement of that kind on telecommunication companies (in Great Britain the government got around this rule by not regulating on it, but still pushing the telcos in a way that they “self-regulated” accordingly);
  • there’s an obvious problem with defining what exactly constitutes pornography;
  • the cost of creating an efficient and reasonably effective filtering system would be astronomical and not possible to bear particularly by small ISPs;
  • obvious issues arise regarding freedom of speech and of access to information;
  • mechanisms like these require constant upkeep, which means further, regular costs;
  • overblocking is a problematic issue (what about paintings containing nudity? biology materials?);
  • blocking of certain content is incompatible with net neutrality, while the Polish official stance on that is that Internet should stay neutral;
  • any filtering mechanism can be neutred, children will get around them, British filter is being circumvented.

To this slew of reasons why Internet filteringcensorship is a bad idea, Mr Mężydło added a couple:

  • GIODO’s doubts about such ideas;
  • Czech and German experiences with filtering, where it was later cancelled.

Mr Mężydło, I must admit, won my heart with by stating that (due to the fact that children learn fast how to circumvent UK porn filters)…

Cameron is raising a generation of hackers.

So there is a silver lining of Internet censorship after all! /joke

Children defenders mount an offensive

Could it be that years of arguing against Internet censorship finally reached the hearts and minds of our beloved leaders? Nah, that would be boring! Thankfully, we have our heroic defenders of children. It’s always about the children, isn’t it!

Mr Sosnowski lead the charge, albeit still on-topic – saying that “pornography is a problem” and that in Great Britain some effort has been undertaken to handle it, and what can we do to follow suit? It might be possible to talk to Mr Sosnowski and explain a few things.

This definitely is not the case, however, with Mrs Hrynkiewicz and Kempa (the latter being the very author of the draft resolution).

Mrs Hrynkiewicz straight out accused the Ministry of dodging responsibility, and the Sejm Office of Analysis (authors of a not-entirely-pro-censorship, but entirely fact-based, analysis of the project) of incompetence or being outright biased (with the government being so hostile towards the opposition and the parliament so entirely controlled by the government… not).

Madam Member exceptionally astonished

Main point of the programme was without a doubt Mrs Kempa, who turned out to be “exceptionally astonished” by Minister Dmowski’s report, as Minister Boni used to lean in the exactly opposite direction”. I, for one, am exceptionally astonished with that statement, as having taken part in a number of meetings about similar and related topics I drew an exactly opposite conclusion (possibly stemming from one meeting in particular, where Mr Boni essentially put his foot down and stated that “we’re not here to discuss censoring the Internet, we are looking for a different solution to this problem”).

Might this discrepancy be somehow related to the fact that one of us wasn’t present on those meetings?

Children exceptionally attacked

Regardless of her exceptional astonishment Mrs Kempa was still able to defend children in earnest. After all:

Today’s discussion clearly shows how it is possible to use heavy guns against small children

And what would these children do had there been no Mrs Kempa and her broad chest to defend them? Who would defend them from “corporate interests” (in the mind of Mrs Kempa represented on the meeting by Mr Mężydło), and from the Ministry of Administration and Digitization, just looking for ways to weasel-out instead of looking for solutions (can’t expect Mrs Kempa to find a solution that does not exist, after all).

Consititution exceptionally abused

Mrs Kempa, as a lawyer, was also able and willing to dissect the much-used Article 54 (Section 2. of the Polish Constitution), called upon by members of the Commission more sceptical towards censorship:

  1. The freedom to express opinions, to acquire and to disseminate information shall be ensured to everyone.
  2. Preventive censorship of the means of social communication and the licensing of the press shall be prohibited. Statutes may require the receipt of a permit for the operation of a radio or television station.

Undoubtedly this article has to be read in the context of (here Mrs Kempa wasn’t so sure – was it Article 32, or 33? I kindly submit it’s Article 31, point 3, also in Section 2):

Any limitation upon the exercise of constitutional freedoms and rights may be imposed only by statute, and only when necessary in a democratic state for the protection of its security or public order, or to protect the natural environment, health or public morals, or the freedoms and rights of other persons. Such limitations shall not violate the essence of freedoms and rights.

Interesting how differently accents can be laid in this article. Mrs Kempa accented the “public morals” bit, while I usually put more pressure on “necessary in a democratic state” and “shall not violate the essence of freedoms and rights”.

Companies exceptionally profitable

Perspicacity of MRs Kempa allowed her to see clearly through the dirty game of filtering detractors; obviously their main reason to oppose filtering is protecting profits of companies involved.

What companies? Well, Mrs Kempa was not kind enough to indicate them unambiguously (or, at all). One can only assume it’s either huge telecommunication companies (of which I am a well-known fan and supporter), or porno business (tracking them hand in hand with Twoja Sprawa Association).

Perhaps I should finally bill my business principals?

Internet exceptionally dangerous

Curiously, Mrs Kempa switched camps for a minute there. An oft-used argument against introducing Internet censorship in any extent is the fat that it can be used and abused to block other content, the extent and scope can and will be broadened to include more and more categories.

British pornfilter, for instance, now blocks so much more than porn.

Mrs Kempa stated that today we may be talking about filtering on-line pornography, but the next step would be to consider filtering censoring violence; next up, then, would be hate speech.

It’s interesting on several levels. For one, take how Mrs Kempa goes from something hard to define (and hence to create a good filter for) towards things that are even harder to define. Then – I am not entirely sure if Mrs Kempa really wants to introduce hate speech filtering, taking into account that mere months ago she was against introducing anti-hate speech regulation in the parliament.

Children exceptionally in need

For God’s sake, let’s not wheel out heavy guns against children!

…Mrs Kempa concluded, and I started pondering proposing 250EUR for each and every child of less than 16 years of age in Poland. Wouldn’t it be a better solution for the kids themselves? The idea is almost as absurd as Internet censorship, costs are probably similar, but I have a feeling it would have a much better outcome for the kids. Plus: there are no constitutional or human rights-related issues arising here!

Internet filtering proponents will not propose such an idea simply because they understand the absurdity of it in our economic reality. We can’t afford it, and we know it. Should I start stomping my feet and throwing a tantrum about how they are “wheeling out heavy guns against children”?

There are less absurd ideas, though. How about properly financing orphanages and youth hostels? Or finding the money to provide an ample amount of hot meals for children from poorer families? For a hungry child, a hot meal, I presume, might be a bit more interesting a proposal than “porn-free Internet”.

Why won’t Mrs Kempa channel her interest and time in the direction of effecting actual positive change for orphans? My guess is she is well aware that parents that are not interested in their children’s future might not be interested in voting for her even if she does.

A more cynical person might come to a conclusion that Mrs Kempa, simply put, thus inaugurated her electoral campaign. Not me. I believe it’s all really about children’s interests, after all – she might not have heard about orphanages yet. Maybe it’s time to tell her about them?

Internets, arise!

After five years of attending similar meetings and explaining to people over and over again why Internet censorship is an idea so bad, it actually has the word “censorship” in the name, you can get a bit tired. It was possible to kill RSiUN; to defuse the children protection directive implementation ideas; to generate some knowledge and understanding in the Ministry of Administration and Digital Affairs… and yet time after time somebody gets the bright idea and there we go again.

Draft resolution could have been killed yesterday, in first reading. It came through, instead (for killing it: 9 members of the Commission; against: 9 also). Next session in December. Depressing.

Sejm’s website contains a stimulating quote (from Polish Constitution of May 3, 1791):

All authority in human society takes its origin in the will of the people

Let us be inspired! You can use these letters (in Polish) to Minister Kapica and to members of the Administration and Digitization Commission. And here are the addresses should one wish to send these:

Jacek Kapica Podsekretarz Stanu Ministerstwo Finansów ul. Świętokrzyska 12 00-916 Warszawa, Poland

…and…

Poseł Andrzej Orzechowski Przewodniczący Komisja Administracji i Cyfryzacji Sejm Rzeczypospolitej Polskiej ul. Wiejska 4/6/8 00-902 Warszawa

Want more? You can send letters directly to members of the Commission, here’s the list, you can find addresses of their Member of Parliament bureaus on Sejm website, for instance here for Mrs Kempa, here for Mrs Hryniewicz, and here for Mr Sosnowski.

Need a letter directly to Mrs Kempa? Happy to provide, too!


And if that’s still not enough, you are heartily invited to support the Panoptykon Foundation. Members of Parliament receive salary for their work out of our pockets, activists usually work pro publico bono.

Introducing: rysiek's law of unavoidable consequences

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

For some time now I’ve been missing a short and succinct way to indicate why things like centralization at the service level are not entirely good ideas, regardless of how much we trust their operators.

So here it is – rysiek’s law of unavoidable consequences:

If it’s technically possible, it’s practically unavoidable.

Wait, what?

Well, the idea is simple. If, say, a given software project promises something (e.g. that it will not spy on users), we should not rely only on a promise. It should be technically impossible to break that promise, otherwise it will get broken sooner or later.

Here’s a longer, more verbose version:

If some undesirable actions or outcomes are technically possible, they should be assumed to be unavoidable.

There are many reasons this can happen: a break-in; a change of heart of the owner; a change of owner; law being changed, used or misused. Regardless of the reason, if it’s possible, it will happen.

The corollary being:

If there are some undesirable outcomes you want to avoid
make them technically impossible (or very hard).

Test drive: Ello

Let’s take Ello on, for instance. Ello promises some neat things – like “no ads” and being “privacy-friendly”. But is it technically possible for Ello to introduce ads to the network, and sell their users’ privacy out?

Well, yes. Yes it is.

So, once the management changes or decides they need some more money, there is nothing stopping them from doing just that.

Compare and contrast: Diaspora

Can Diaspora creators introduce ads and sell-out users on privacy?

Well, it’s much more complicated. The developers can introduce ad functionality to the code, but will server admins (who are not usually directly connected to the developers) introduce that code to their instances? Dubious. Because there are many different servers, users can pick and choose, and move to servers that do not support ads. Tl;dr being: it’s much harder, and much less possible.

Similarly, selling out users on privacy would rather be possible for the server admins instead of the developers (who do not have access to users’ private data). But:

  • no single server admin has access to private data of all Diaspora users;
  • if a given server is caught red-handed, users can just… move to a more privacy-friendly server, without much hassle.

These mean that server admins have a strong incentive, based (among others) in technology itself, to not do nasty things; and it is technically not possible at all to do it at the same time in the whole network.

A broader perspective

If you think about it, this is exactly the reason why we have separation of powers. It’s not that we do not trust our current powers that are, it’s that we really don’t know who will be in power in a few short years. Separation of powers is the “technical” way of making sure we don’t have to rely only on trust.

And remember this?

The Net interprets censorship as damage and routes around it.

Censorship is technically impossible (or rather extremely hard) because of how the Internet is engineered. Had it been any other way, we would have a completely different Net.

Even the Kerckhoffs’s principle is an example of a more specific version of the corollary.

Now we need to engineer this into software.

Stop paedophilia

This is an ancient post, published more than 4 years ago.
As such, it might not anymore reflect the views of the author or the state of the world. It is provided as historical record.

Yet again we are implored to “think of the children” by more than 250 000 supporters of a bill proposed in Poland that would put a 2-year prison penalty on…

…whoever publicly promotes or condones undertaking sexual activities by minors of less than 15 years of age, or supplies them with materials facilitating such activities.

Yes, you are reading this right. Two years in jail for giving a teen child a condom just in case, or informing them where kids come from. I won’t even mention the filth called “sex-ed classes”! Yes, this also pertains to parents. What should a parent say when a child comes and asks how did their little sister get inside mummy? “Go ask the good reverend”, I guess.

Of course there’s a question of how the “pro-family” organisations that promote this enlightened idea reconcile their “pro-familiness” with the fact that such a law would have a great potential for breaking families apart, but I’ll leave that one for the Dear Reader to ponder. Also, while I find hate speech laws to be a bit problematic, as long as we have them on the books, how about somebody look into how these people identify paedophilia with not being heteronormative, eh?

Live by the sword…

I’ll leave dealing with the cranial rectal syndrome that makes people propose banning the best weapon we have against paedophiles (education) because they are afraid of paedophiles to those better suited for the task. Something else interests me in this situation.

For years I have taken part in many meetings concerning proposed Internet censorship measures. Each and every time “the paedophile argument” was one of the big guns in the proposers’ arsenal. One of the organisations that used to propose such measures (and use such arguments), today went through the looking-glass:

We are convinced that the changes proposed will not amount to effective tools against paedophilia. The project aims to ban educating children and youth about human sexuality, which equips them with knowledge required to notice threats, maintain own integrity and look for help

It is hard to fathom that in the 21st Century it is still possible to propose criminal penalties for supplying children with knowledge about their development and the nature of sexual relations, and to lump custodians, teachers and educators providing such education with paedophiles

While I do find it a bit surprising, today I have to agree wholeheartedly with the President of Fundacja Dzieci Niczyje.