February 11, 2014

The Day We Fight Back

Filed under: code, commons, networks — wseltzer @ 9:16 am

The Day We Fight Back Pervasive surveillance is an attack on the Web and the Internet. It demands both technical and policy responses, and both of those are fostered by what Jamie Boyle called “an environmentalism for the Net.”

The environmental movement had Silent Spring. We have cat signals and The Day We Fight Back.

April 9, 2012

This is not a blog post

Filed under: code — wseltzer @ 4:45 am

it just pretends to be one.

March 5, 2012

ICANN Preview: WHOIS and Privacy

Filed under: ICANN, WHOIS, code, domain names, privacy — wseltzer @ 5:39 pm

Next week, ICANN will meet in San Jose, Costa Rica. While we’ve only just barely seen the schedule, it’s clear we’ll be hearing a lot about WHOIS. The WHOIS Review Team’s draft final report is out for public comment.

In addition, ICANN just posted a summary of negotiations around the Registrar Accreditation Agreement and Law Enforcement requests. First among those requests from law enforcement:

(a) If ICANN creates a Privacy/Proxy Accreditation
Service, Registrars will accept proxy/privacy registrations only
from accredited providers; (b) “Registrants using privacy/proxy
registration services will have authentic Whois information
immediately published by Registrar when registrant is found to be
violating terms of service”

Now, even the WHOIS Review Team, which was not heavy with privacy advocates (thanks to those who were there!) acknowledged several legitimate uses of privacy or proxy services in domain registration, including from companies seeking to hide upcoming mergers or product launches; organizations sharing minority or controversial viewpoints; individuals; and webmasters registering on behalf of clients. The Non-Commercial Stakeholders Group listed others who might be concerned about publishing identities in domain registration in comments on a .CAT privacy amendment.

Would the proposed amendments (whose language is apparently agreed-upon but unshown to the broader community) protect these interests? Would they protect the confidentiality of an attorney-client relationship, where the attorney acted as proxy for a client? Will we all have to use ccTLDs (such as .is) whose operators are not bound by these rules? More once we hit the ground in San Jose…

February 19, 2012

Domain diversification, or why wendy.seltzer.is

Filed under: Chilling Effects, censorship, code, domain names — wseltzer @ 12:45 pm

Early last week, jotforms.com, a platform for user-generated webforms, found its domain name suspended, breaking and all its users’ hosted forms. When its founder inquired why, registrar GoDaddy responded that the name had been “suspended as part of an ongoing law enforcement investigation” — apparently instigated by the U.S. Secret Service. Commentators jumped on GoDaddy, already in the doghouse for supporting SOPA, but also linked the problem to earlier U.S. government domain takedowns: ICE’s year-long unexplained seizure of music blog dajaz1, and more recent seizure of megaupload.com’s domain, along with its principals. The problem comes from both: GoDaddy is too willing to suspend first, ask questions later; and the U.S. government is to eager to use and encourage takedowns, disregarding their free speech implications.

foxylad on Hacker News gave us “Today’s sysadmin todo list:”

0. Get corporate membership with EFF.

1. Identify all applications with user-generated content.

2. Move all associated domains to a non-US based registrar.

3. Migrate DNS, web serving and other critical services to non-US based servers.

4. Migrate yourself to a non-US controlled country.

I’m sorry for US sites and users. Your government is hell-bent on turning the internet into a read-only device like TV, easily regulated and controlled.

Now I still believe that the United States’ First Amendment gives strong protection to free expression, online or off. But so long as the administration’s enforcers are playing with domain takedown like a shiny new toy gun, aimed without regard due process of law, online speech that depends on U.S. registries or registrars is at risk. I’ve registered my domains through the excellent Canada-based Hover, but the .com, .net, and .org registries are still located in the U.S. and hence vulnerable. I don’t think anything on my sites infringes, but that’s one more chance than I’d be taking outside U.S. jurisdiction.

Iceland, on the other hand, has expressed a strong commitment to free, online expression. I’m happy to support Iceland’s free-speech haven by moving some of my business there. If enough others do too, perhaps that jurisdictional arbitrage will show the U.S. government the harm that bad law-enforcement and bad law inflict on U.S. business and society.

Plus, what’s not to like in such fun URLs as http://wendy.seltzer.is/blogging (which redirects here) and http://wendy.seltzer.is/writing (which I’m counting on to inspire me to do more!)

January 19, 2012

Copyright in Congress, Court, and Public

Filed under: Chilling Effects, censorship, code, copyright — wseltzer @ 4:30 pm

Yesterday, while hundreds of sites (including this one, along with Google, Wikipedia, and Reddit) were going black to protest SOPA and PIPA, the Supreme Court released its own copyright blackout, Golan v. Holder (PDF). Justice Ginsburg’s majority opinion held that the First Amendment did not prohibit reclaiming works from the public domain.

Justice Breyer, joined by Justice Alito, gave a stirring dissent. Copyright law, he said, must be “designed to encourage new production,” not just redistribute works already created. Re-copyrighting already-written works “does not encourage anyone to produce a single new work.” Instead, backwards-looking copyright grants create a serious public choice problem:

Whereas forward-looking copyright laws tend to benefit those whose identities are not yet known (the writer who has not yet written a book, the musician who has not yet composed a song), when a copyright law is primarily backward looking the risk is greater that Congress is trying to help known beneficiaries at the expense of badly organized unknown users who find it difficult to argue and present their case to Congress.

We see the same problem with SOPA and PIPA. The legislation pits organized incumbents against future innovators. Congress risks being captured by the lobbying power of current copyright industries, organized in the MPAA and RIAA, before the artists who have yet to create and the industries who support them can find their political voice. But the SOPAstrike reminds us that more than industry interests are at stake here — the general public, the editors of and users of Wikipedia, the contributors and readers of Reddit and the coders and browsers of Mozilla also create and bring value to the Internet.

Golan reminds us too that we can’t count on the courts to help us where Congress gets copyright wrong. The majority leaves a great deal to Congressional discretion, as it did in Eldred (striking down a challenge to copyright term extension): “the Copyright Clause does not demand that each copyright provision, examined discretely, operate to induce new works.” In a chilling phrase, the Golan majority quotes the district court’s finding of a “settled rule that private censorship via copyright enforcement does not implicate First Amendment concerns.”

Perhaps a later Court will see the First Amendment as a stronger check on Congressional power to restrict speech in the name of copyright, but where we can’t count on 5 (Justices), defenders of free communications on the open Internet will need to count to 51% of Congress. Keep up the pressure, it’s having an impact!

January 18, 2012

Keep Copyright Balance: Stop SOPA and PIPA

Filed under: Chilling Effects, censorship, code, copyright — wseltzer @ 7:48 am

As I wrote over on the Tor Project blog, SOPA and PIPA (the House’s “Stop Online Piracy Act” and the Senate’s “Protect-IP Act”) go beyond enforcement of copyright. These copyright bills would strain the infrastructure of the Internet, on which many free communications — anonymous or identified — depend. Originally, the bills proposed that so-called “rogue sites” should be blocked through the Internet’s Domain Name System (DNS). That would have broken DNSSEC security and shared U.S. censorship tactics with those of China’s “great firewall.”

Now, while we hear that DNS-blocking is off the table, the bills remain threatening to the network of intermediaries who carry online speech. Most critically to Tor, SOPA contained a provision forbidding “circumvention” of court-ordered blocking that was written broadly enough that it could apply to Tor — which helps its users to “circumvent” local-network censorship. Further, both bills broaden the reach of intermediary liability, to hold conduits and search engines liable for user-supplied infringement. The private rights of action and “safe harbors” could force or encourage providers to censor well beyond the current DMCA’s “notice and takedown” provision (of which Chilling Effects documents numerous burdens and abuses).

On January 18, we’re joining Wikipedia, Reddit, the MIT Media Lab, and hundreds of others in protest, turning a portion of the Tor site black to call attention to copyright balance and remind the US Congress and voters of the value of the open Internet.

U.S. citizens, please call or write, to urge your representatives to stop SOPA and PIPA. Elsewhere in the world, keep an eye out for similar legislation. and bring the fight there too.

December 15, 2011

Stopping SOPA’s Anti-Circumvention

Filed under: Chilling Effects, censorship, code, copyright, domain names — wseltzer @ 10:35 am

The House’s Stop Online Piracy Act is in Judiciary Committee Markup today. As numerous protests, open letters, and advocacy campaigns across the Web, this is a seriously flawed bill. Sen. Ron Wyden and Rep. Darrell Issa’s proposed OPEN Act points out, by contrast, some of the procedural problems.

Here, I analyze just one of the problematic provisions of SOPA: a new”anticircumvention” provision (different from the still-problematic anti-circumvention of section1201). SOPA’s anticircumvention authorizes injunctions against the provision of tools to bypass the court-ordered blocking of domains. Although it is apparently aimed at MAFIAAfire, the Firefox add-on that offered redirection for seized domains in the wake of ICE seizures,[1] the provision as drafted sweeps much more broadly. Ordinary security and connectivity tools could fall within its scope. If enacted, it would weaken Internet security and reduce the robustness and resilience of Internet connections.

The anticircumvention section, which is not present in the Senate’s companion PROTECT-IP measure, provides for injunctions, on the action of the Attorney General:

(ii)against any entity that knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity or by another in concert with such entity for the circumvention or bypassing of measures described in paragraph (2) [blocking DNS responses, search query results, payments, or ads] and taken in response to a court order issued under this subsection, to enjoin such entity from interfering with the order by continuing to provide or offer to provide such product or service. § 102(c)(3)(A)(ii)

As an initial problem, the section is unclear. Could it cover someone who designs a tool for”the circumvention or bypassing of” DNS blockages in general — even if such a person did not specifically intend or market the tool to be used to frustrate court orders issued under SOPA? Resilience in the face of technological failure is a fundamental software design goal. As DNS experts Steve Crocker, et al. say in their Dec. 9 letter to the House and Senate Judiciary Chairs, “a secure application expecting a secure DNS answer will not give up after a timeout. It might retry the lookup, it might try a backup DNS server, it might even restart the lookup through a proxy service.” Would the providers of software that looked to a proxy for answers –products “designed” to be resilient to transient DNS lookup failures –be subject to injunction? Where the answer is unclear, developers might choose not to offer such lawful features rather than risking legal attack. Indeed, the statute as drafted might chill the development of anti-censorship tools funded by our State Department.

Some such tools are explicitly designed to circumvent censorship in repressive regimes whose authorities engage in DNS manipulation to prevent citizens from accessing sites with dissident messages, alternate sources of news, or human rights reporting. (See Rebecca MacKinnon’s NYT Op-Ed, Stop the Great Firewall of America. Censorship-circumvention tools include Psiphon, which describes itself as an “Open source web proxy designed to help Internet users affected by Internet censorship securely bypass content-filtering systems,” and The Tor Project.) These tools cannot distinguish between Chinese censorship of Tiananmen Square mentions and U.S. copyright protection where their impacts — blocking access to Web content — and their methods — local blocking of domain resolution — are the same.

Finally, the paragraph may encompass mere knowledge-transfer. Does telling someone about alternate DNS resolvers, or noting that a blocked domain can still be found at its IP address — a matter of historical record and necessary to third-party evaluation of the claims against that site — constitute willfully “providing a service designed … [for] bypassing” DNS-blocking? Archives of historic DNS information are often important information to legal or technical network investigations, but might become scarce if providers had to ascertain the reasons their information was being sought.

For these reasons among many others, SOPA should be stopped.

October 3, 2011

Keeping Android Open

Filed under: code, open, phone — wseltzer @ 10:58 am

I’m speaking at the beginning of next week at O’Reilly’s Android Open conference.
O'Reilly Android Open Conference 2011
I’ll be talking on “Leveraging Openness,” strategic considerations for developers and users of the platform to use openness in their favor, supporting user autonomy rather than lock-in. More on that later.

I also appreciate Android’s openness at the practical level of the individual user. This weekend I put the CyanogenMod firmware on my Android phone, in response to security warnings about recently introduced logging functions, and so as not to lose root access with a stock upgrade. The process was simple, well-documented, and gives me the level of control I expect over a device that can track all my movements and communications.

Then there are the little things: I like to change the default screen density to take better advantage of the high-resolution screen, no problem. (Note, however, that in the latest version of the Android market, some apps check these settings and won’t install, claiming device incompatibility. The fix? Change the lcd_density back, install apps, and revert the change; those I’ve tried work just fine.)

August 15, 2011

Google+Motorola = Software Patent Indictment

Filed under: code, open, patent, phone — wseltzer @ 6:47 pm

Google’s announcement this morning that it had agreed to purchase Motorola Mobility for $12.5Billion sent MMI’s stock price soaring and set off another conversation about software patents and the smart-phone ecosystem.

Larry Page himself emphasized the patent angle of the merger in the corporate blog post:

We recently explained how companies including Microsoft and Apple are banding together in anti-competitive patent attacks on Android. The U.S. Department of Justice had to intervene in the results of one recent patent auction to “protect competition and innovation in the open source software community” and it is currently looking into the results of the Nortel auction. Our acquisition of Motorola will increase competition by strengthening Google’s patent portfolio, which will enable us to better protect Android from anti-competitive threats from Microsoft, Apple and other companies.

Android-users already faced several patent lawsuits, and after a coalition of Google’s opponents, including Microsoft, Apple, and Oracle, purchased Nortel’s patent portfolio for $4.5 Billion, Google and its Android partners (including HTC and Motorola) had reason to fear a deepening thicket. Without many patents of its own, Google couldn’t make the traditional counter-strike of suing its attackers for infringement. Motorola’s mobile portfolio (17,000 issued patents and 7,500 pending applications) adds to Android’s arsenal.

Of course Motorola also makes hardware — smartphones that run Android — but few analysts are emphasizing that point. There, the acquisition raises strategic questions for Google: Can it convincingly offer the Android platform to others with whom it now competes? Even if Google maintains Motorola as a separate business, as Page says it intends, will now-competing vendors such as HTC, Samsung, and Acer be reassured of Google+Motorola’s neutrality among them?

Owning a handset maker could improve Android, if it shortens the feedback loop for problem-reporting and new ideas, but it could hurt the platform — and its end-users — more if it scared off competing hardware vendors, shrinking the base to which new applications are written and reducing the diversity of options available to end-users. As proprietor of an open, multi-sided market, Google needs to serve Android’s hardware vendors, app developers, and end-users well enough that a good-sized group of each continue to bring it value — and so the end-users watch the ads whose sale puts money into Google’s pocket from it all. (Oh, and maybe the acquisition will revitalize GoogleTV, as Lauren Weinstein points out.)

The patent motivations are more straightforward. As we know, it doesn’t take deliberate copying to infringe a patent, and patents are granted on small enough increments of software advance that an independently developed application may incorporate dozens to hundreds of elements on which others claim patents, and at millions of dollars a lawsuit, it’s expensive to disprove them. At least if those others are also making phones or software, Google is now more likely to have patents on what they are doing too, paving the way for a cross-license rather than a lawsuit.

Wouldn’t we all be better off skipping those patent threats and cross-licensing transaction costs? As Google’s pre-Motorola travails showed, it’s almost* impossible to opt-out of the patent system by choosing to publish and not patent your own inventions. Unlike in copyright, where you can share under Creative Commons, for example, and just have to prove you never accessed another’s work if accused of infringement, you can only save yourself from patent claims by assuring that every bit of technology you use was published more than 17-20 years ago! (*Rare but not impossible: Richard Hipp of SQLite says he only uses 17-year old, published algorithms to keep his code free of patent clouds.)

In work-in-progress, I argue that patent’s incentives aren’t working right for software, because they come at too early a stage in development. Patents for software motivate lawsuits more than they induce or reward product development. Google+Motorola may prove to have non-patent benefits too, but its early indications shine a spotlight on the thorny thickets of the patent landscape.

June 10, 2011

Deceptive Assurances of Privacy?

Filed under: code, privacy — wseltzer @ 11:52 am

Earlier this week, Facebook expanded the roll-out of its facial recognition software to tag people in photos uploaded to the social networking site. Many observers and regulators responded with privacy concerns; EFF offered a video showing users how to opt-out.

Tim O’Reilly, however, takes a different tack:

Face recognition is here to stay. My question is whether to pretend that it doesn’t exist, and leave its use to government agencies, repressive regimes, marketing data mining firms, insurance companies, and other monolithic entities, or whether to come to grips with it as a society by making it commonplace and useful, figuring out the downsides, and regulating those downsides.

…We need to move away from a Maginot-line like approach where we try to put up walls to keep information from leaking out, and instead assume that most things that used to be private are now knowable via various forms of data mining. Once we do that, we start to engage in a question of what uses are permitted, and what uses are not.

O’Reilly’s point –and face-recognition technology — is bigger than Facebook. Even if Facebook swore off the technology tomorrow, it would be out there, and likely used against us unless regulated. Yet we can’t decide on the proper scope of regulation without understanding the technology and its social implications.

By taking these latent capabilities (Riya was demonstrating them years ago; the NSA probably had them decades earlier) and making them visible, Facebook gives us more feedback on the privacy consequences of the tech. If part of that feedback is “ick, creepy” or worse, we should feed that into regulation for the technology’s use everywhere, not just in Facebook’s interface. Merely hiding the feature in the interface, while leaving it active in the background would be deceptive: it would give us a false assurance of privacy. For all its blundering, Facebook seems to be blundering in the right direction now.

Compare the furor around Dropbox’s disclosure “clarification”. Dropbox had claimed that “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password,” but recently updated that to the weaker assertion: “Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so).” Dropbox had signaled “encrypted”: absolutely private, when it meant only relatively private. Users who acted on the assurance of complete secrecy were deceived; now those who know the true level of relative secrecy can update their assumptions and adapt behavior more appropriately.

Privacy-invasive technology and the limits of privacy-protection should be visible. Visibility feeds more and better-controlled experiments to help us understand the scope of privacy, publicity, and the space in between (which Woody Hartzog and Fred Stutzman call “obscurity” in a very helpful draft). Then, we should implement privacy rules uniformly to reinforce our social choices.

Next Page »

Powered by WordPress