Pervasive surveillance is an attack on the Web and the Internet. It demands both technical and policy responses, and both of those are fostered by what Jamie Boyle called “an environmentalism for the Net.”
February 11, 2014
April 9, 2012
March 5, 2012
Next week, ICANN will meet in San Jose, Costa Rica. While we’ve only just barely seen the schedule, it’s clear we’ll be hearing a lot about WHOIS. The WHOIS Review Team’s draft final report is out for public comment.
(a) If ICANN creates a Privacy/Proxy Accreditation
Service, Registrars will accept proxy/privacy registrations only
from accredited providers; (b) “Registrants using privacy/proxy
registration services will have authentic Whois information
immediately published by Registrar when registrant is found to be
violating terms of service”
Now, even the WHOIS Review Team, which was not heavy with privacy advocates (thanks to those who were there!) acknowledged several legitimate uses of privacy or proxy services in domain registration, including from companies seeking to hide upcoming mergers or product launches; organizations sharing minority or controversial viewpoints; individuals; and webmasters registering on behalf of clients. The Non-Commercial Stakeholders Group listed others who might be concerned about publishing identities in domain registration in comments on a .CAT privacy amendment.
Would the proposed amendments (whose language is apparently agreed-upon but unshown to the broader community) protect these interests? Would they protect the confidentiality of an attorney-client relationship, where the attorney acted as proxy for a client? Will we all have to use ccTLDs (such as .is) whose operators are not bound by these rules? More once we hit the ground in San Jose…
February 19, 2012
Early last week, jotforms.com, a platform for user-generated webforms, found its domain name suspended, breaking and all its users’ hosted forms. When its founder inquired why, registrar GoDaddy responded that the name had been “suspended as part of an ongoing law enforcement investigation” — apparently instigated by the U.S. Secret Service. Commentators jumped on GoDaddy, already in the doghouse for supporting SOPA, but also linked the problem to earlier U.S. government domain takedowns: ICE’s year-long unexplained seizure of music blog dajaz1, and more recent seizure of megaupload.com’s domain, along with its principals. The problem comes from both: GoDaddy is too willing to suspend first, ask questions later; and the U.S. government is to eager to use and encourage takedowns, disregarding their free speech implications.
foxylad on Hacker News gave us “Today’s sysadmin todo list:”
0. Get corporate membership with EFF.
1. Identify all applications with user-generated content.
2. Move all associated domains to a non-US based registrar.
3. Migrate DNS, web serving and other critical services to non-US based servers.
4. Migrate yourself to a non-US controlled country.
I’m sorry for US sites and users. Your government is hell-bent on turning the internet into a read-only device like TV, easily regulated and controlled.
Now I still believe that the United States’ First Amendment gives strong protection to free expression, online or off. But so long as the administration’s enforcers are playing with domain takedown like a shiny new toy gun, aimed without regard due process of law, online speech that depends on U.S. registries or registrars is at risk. I’ve registered my domains through the excellent Canada-based Hover, but the .com, .net, and .org registries are still located in the U.S. and hence vulnerable. I don’t think anything on my sites infringes, but that’s one more chance than I’d be taking outside U.S. jurisdiction.
Iceland, on the other hand, has expressed a strong commitment to free, online expression. I’m happy to support Iceland’s free-speech haven by moving some of my business there. If enough others do too, perhaps that jurisdictional arbitrage will show the U.S. government the harm that bad law-enforcement and bad law inflict on U.S. business and society.
January 19, 2012
Yesterday, while hundreds of sites (including this one, along with Google, Wikipedia, and Reddit) were going black to protest SOPA and PIPA, the Supreme Court released its own copyright blackout, Golan v. Holder (PDF). Justice Ginsburg’s majority opinion held that the First Amendment did not prohibit reclaiming works from the public domain.
Justice Breyer, joined by Justice Alito, gave a stirring dissent. Copyright law, he said, must be “designed to encourage new production,” not just redistribute works already created. Re-copyrighting already-written works “does not encourage anyone to produce a single new work.” Instead, backwards-looking copyright grants create a serious public choice problem:
Whereas forward-looking copyright laws tend to benefit those whose identities are not yet known (the writer who has not yet written a book, the musician who has not yet composed a song), when a copyright law is primarily backward looking the risk is greater that Congress is trying to help known beneficiaries at the expense of badly organized unknown users who find it difficult to argue and present their case to Congress.
We see the same problem with SOPA and PIPA. The legislation pits organized incumbents against future innovators. Congress risks being captured by the lobbying power of current copyright industries, organized in the MPAA and RIAA, before the artists who have yet to create and the industries who support them can find their political voice. But the SOPAstrike reminds us that more than industry interests are at stake here — the general public, the editors of and users of Wikipedia, the contributors and readers of Reddit and the coders and browsers of Mozilla also create and bring value to the Internet.
Golan reminds us too that we can’t count on the courts to help us where Congress gets copyright wrong. The majority leaves a great deal to Congressional discretion, as it did in Eldred (striking down a challenge to copyright term extension): “the Copyright Clause does not demand that each copyright provision, examined discretely, operate to induce new works.” In a chilling phrase, the Golan majority quotes the district court’s finding of a “settled rule that private censorship via copyright enforcement does not implicate First Amendment concerns.”
Perhaps a later Court will see the First Amendment as a stronger check on Congressional power to restrict speech in the name of copyright, but where we can’t count on 5 (Justices), defenders of free communications on the open Internet will need to count to 51% of Congress. Keep up the pressure, it’s having an impact!
January 18, 2012
As I wrote over on the Tor Project blog, SOPA and PIPA (the House’s “Stop Online Piracy Act” and the Senate’s “Protect-IP Act”) go beyond enforcement of copyright. These copyright bills would strain the infrastructure of the Internet, on which many free communications — anonymous or identified — depend. Originally, the bills proposed that so-called “rogue sites” should be blocked through the Internet’s Domain Name System (DNS). That would have broken DNSSEC security and shared U.S. censorship tactics with those of China’s “great firewall.”
Now, while we hear that DNS-blocking is off the table, the bills remain threatening to the network of intermediaries who carry online speech. Most critically to Tor, SOPA contained a provision forbidding “circumvention” of court-ordered blocking that was written broadly enough that it could apply to Tor — which helps its users to “circumvent” local-network censorship. Further, both bills broaden the reach of intermediary liability, to hold conduits and search engines liable for user-supplied infringement. The private rights of action and “safe harbors” could force or encourage providers to censor well beyond the current DMCA’s “notice and takedown” provision (of which Chilling Effects documents numerous burdens and abuses).
On January 18, we’re joining Wikipedia, Reddit, the MIT Media Lab, and hundreds of others in protest, turning a portion of the Tor site black to call attention to copyright balance and remind the US Congress and voters of the value of the open Internet.
U.S. citizens, please call or write, to urge your representatives to stop SOPA and PIPA. Elsewhere in the world, keep an eye out for similar legislation. and bring the fight there too.
December 15, 2011
The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darrell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.
Here, I analyze just one of the problematic provisions of SOPA: a new”anticircumvention” provision (different from the still-problematic anti-circumvention of section1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures, the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.
The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:
(ii)against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)
As an initial problem, the section is unclear. Could it cover someone who designs a tool for”the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers –products “designed” to be resilient to transient DNS lookup failures –be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.
Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.
Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.
For these reasons among many others, SOPA should be stopped.
November 4, 2011
Law enforcement demands to domain name registrars were a recurring theme of the 42d ICANN public meeting, concluded last week in Dakar. The Governmental Advisory Committee (GAC) took every opportunity at its public meetings with GNSO and Board, and in its Communique to express dismay, disappointment, and demands for urgent action to “reduce the risk of criminal abuse of the domain name system.”
This conversation about domain name abuse benefits from a multi-stakeholder environment, where it can include domain registrars, registrants, and Internet users, along with law enforcement representatives. Broad debate helps because the question is not just how to “mitigate criminal activity using the domain name system,” but how to recognize criminal activity at the DNS level, how to implement due process to protect legitimate online speakers from abusive or mistaken takedowns, and how to protect the privacy and security of non-criminal users of the domain name system.
ICANN’s processes, particularly the GNSO Policy Development Process, are designed to bring these viewpoints together and find consensus. The Generic Names Supporting Organization has representatives from domain registries, registrars, business, and non-commercial users. (I sit on the GNSO Council as a Non-Commercial Stakeholder Group representative.) Governments are invited to participate in these processes, as well as having a specially privileged role to give “Advice” to the ICANN Board, which the Board must explicitly consider. The rights of domain registrants and Internet users depend on the terms of the Registrar Accreditation Agreement between domain registrars and ICANN. Under all the acronyms lie important issues of free expression.
Yet the U.S., speaking through the GAC, demanded a bigger stick and a smaller discussion, asserting that domain registrars should have unilaterally acceded to the 12-point law enforcement demands instead of going through community comment, negotiation, and discussion. The U.S. cannot simultaneously seek public support for multistakeholder processes while attempting to circumvent those processes in action. Thus I welcome the ICANN Board’s resolution starting an Issue Report for the GNSO to consider issues for RAA amendment.
Now some of the law enforcement demands — publication of a contact address, identification of registrars’ principals — appear relatively innocuous, but even those could be the prelude to assessing intermediary liability and pressure on those who facilitate speech. More troubling, law enforcement wants to force registrars to do extensive verification of domain name registrants’ identities, and to constrain the privacy and proxy services that currently permit registrants to shield identities and addresses from public disclosure.
Domain names are often tools of individual and group expression; not so much through expressive content of the strings themselves, but through the speech hosted at a domain, the conversations carried on through URLs and hyperlinks, and the use of domains to route email and other messaging. Domain names provide stable location pointers for individuals’ and groups’ online speech; as such, they also present possible chokepoints for censorship and suppression of speech.
In the specific instance of responding to law enforcement requests for the publication of registrar contact information, the potential impact is indirect but not insubstantial. In response to law enforcement requests for “registrar cooperation in addressing online crime,” the resolution considers a requirement that registrars “must publish on their respective web sites e-mail and postal mail addresses to which law enforcement actions may be directed.”
If we could be sure that the requests would relate only to activity universally agreed to be criminal, from law enforcement agencies following due process of law and respecting human rights, the proposed requirement would be uncontroversial. As legal regimes and their approaches to human rights are not uniform, we cannot make that blanket assumption. The contacts could be used to censor.
I don’t want to interfere with legitimate law enforcement. I do want to specify explicit procedure and limitations so that these contact points do not become points of control through which registrars can be pressured into removing domains that provide access to critical or “inharmonious” speech. To that end, it’s important that the discussion take place in the GNSO forum where civil society is represented to raise these concerns and develop procedural protections.
October 3, 2011
I’m speaking at the beginning of next week at O’Reilly’s Android Open conference.
I’ll be talking on “Leveraging Openness,” strategic considerations for developers and users of the platform to use openness in their favor, supporting user autonomy rather than lock-in. More on that later.
I also appreciate Android’s openness at the practical level of the individual user. This weekend I put the CyanogenMod firmware on my Android phone, in response to security warnings about recently introduced logging functions, and so as not to lose root access with a stock upgrade. The process was simple, well-documented, and gives me the level of control I expect over a device that can track all my movements and communications.
Then there are the little things: I like to change the default screen density to take better advantage of the high-resolution screen, no problem. (Note, however, that in the latest version of the Android market, some apps check these settings and won’t install, claiming device incompatibility. The fix? Change the lcd_density back, install apps, and revert the change; those I’ve tried work just fine.)
August 15, 2011
Google’s announcement this morning that it had agreed to purchase Motorola Mobility for $12.5Billion sent MMI’s stock price soaring and set off another conversation about software patents and the smart-phone ecosystem.
Larry Page himself emphasized the patent angle of the merger in the corporate blog post:
We recently explained how companies including Microsoft and Apple are banding together in anti-competitive patent attacks on Android. The U.S. Department of Justice had to intervene in the results of one recent patent auction to “protect competition and innovation in the open source software community” and it is currently looking into the results of the Nortel auction. Our acquisition of Motorola will increase competition by strengthening Google’s patent portfolio, which will enable us to better protect Android from anti-competitive threats from Microsoft, Apple and other companies.
Android-users already faced several patent lawsuits, and after a coalition of Google’s opponents, including Microsoft, Apple, and Oracle, purchased Nortel’s patent portfolio for $4.5 Billion, Google and its Android partners (including HTC and Motorola) had reason to fear a deepening thicket. Without many patents of its own, Google couldn’t make the traditional counter-strike of suing its attackers for infringement. Motorola’s mobile portfolio (17,000 issued patents and 7,500 pending applications) adds to Android’s arsenal.
Of course Motorola also makes hardware — smartphones that run Android — but few analysts are emphasizing that point. There, the acquisition raises strategic questions for Google: Can it convincingly offer the Android platform to others with whom it now competes? Even if Google maintains Motorola as a separate business, as Page says it intends, will now-competing vendors such as HTC, Samsung, and Acer be reassured of Google+Motorola’s neutrality among them?
Owning a handset maker could improve Android, if it shortens the feedback loop for problem-reporting and new ideas, but it could hurt the platform — and its end-users — more if it scared off competing hardware vendors, shrinking the base to which new applications are written and reducing the diversity of options available to end-users. As proprietor of an open, multi-sided market, Google needs to serve Android’s hardware vendors, app developers, and end-users well enough that a good-sized group of each continue to bring it value — and so the end-users watch the ads whose sale puts money into Google’s pocket from it all. (Oh, and maybe the acquisition will revitalize GoogleTV, as Lauren Weinstein points out.)
The patent motivations are more straightforward. As we know, it doesn’t take deliberate copying to infringe a patent, and patents are granted on small enough increments of software advance that an independently developed application may incorporate dozens to hundreds of elements on which others claim patents, and at millions of dollars a lawsuit, it’s expensive to disprove them. At least if those others are also making phones or software, Google is now more likely to have patents on what they are doing too, paving the way for a cross-license rather than a lawsuit.
Wouldn’t we all be better off skipping those patent threats and cross-licensing transaction costs? As Google’s pre-Motorola travails showed, it’s almost* impossible to opt-out of the patent system by choosing to publish and not patent your own inventions. Unlike in copyright, where you can share under Creative Commons, for example, and just have to prove you never accessed another’s work if accused of infringement, you can only save yourself from patent claims by assuring that every bit of technology you use was published more than 17-20 years ago! (*Rare but not impossible: Richard Hipp of SQLite says he only uses 17-year old, published algorithms to keep his code free of patent clouds.)
In work-in-progress, I argue that patent’s incentives aren’t working right for software, because they come at too early a stage in development. Patents for software motivate lawsuits more than they induce or reward product development. Google+Motorola may prove to have non-patent benefits too, but its early indications shine a spotlight on the thorny thickets of the patent landscape.