July 29, 2014
The first day of CLSI 2014 started with Ron Deibert talking about the state of the field and the attempt currently under way to build an inter-disciplinary research community around monitoring Internet openness and rights. Fenwick McKelvey has also put up a reading list of papers mentioned at CLSI 2014.
The opening panel looked at Network Measurement and Information Controls, and was facilitated by Meredith Whittaker of Google Research. Phillipa Gill gave an outline of the ICLAB project [slides]. This project is trying to develop better automation techniques for measuring censorship which would allow a better understanding of not just what is blocked, but also how it’s being blocked, who’s blocking it, and which circumvention methods might be most effective. At the moment the tool is still running in pre-alpha, and having some successes with block page detection: early findings will come out in IMC later this year.
Nick Feamster from Georgia Tech then discussed another project which is attempting to build a more nuanced picture of Web filtering than the data currently available. He argued that censorship takes many forms, not just blocking: performance degradation, personalisation, and other tactics. This means that measuring Web filtering is harder than it appears, and what is required is, “Widespread, continuous measurements of a large number of censored sites.” Issues with this include the problem of distributing client software to look for censorship, which is potentially done through the browser. This is possible, but leads to ethical issues.
Jeffrey Knockel of the University of New Mexico talked about moving, ‘Toward Measuring Censorship Everywhere All the Time’ [slides]. The method discussed here was to use side channels, which allows measuring IP censorship off-path without running any software on the server or the client or anywhere in between. This can be done completely in Layer 3, which has enough side channels. Almost 10% of IPv4 addresses respond to large pings, higher in some countries – this allows for more vantage points. [I have no idea what this means.]
Finally, Collin Anderson talked about studying information controls inside Iran. He discussed the use of mass-scale continuous data collection as a way to show themes of political discourse within the country. This requires content-specific, context-specific knowledge. For example, when Iraq started to clamp down on the Internet, Islamist content was specifically blocked, as well as an odd assortment of pornographic sites. Anderson argued that this research will be more effective when people avoid references to “censorship”, which can be divisive, and instead talk about “interference” and “information controls”. (This was also a theme that came up in the Q&A as Meredith discussed the need to avoid ‘inflammatory activist tinge’ to language, project titles, and so on, because this can discourage use and endanger anyone accessing services).
The Q&A for this last session focused quite a bit on ethics issues, and on the problems with managing these given the limitations of current ethics research boards and the challenges involved in the research itself. For example, while university ethics boards tend to prioritise ‘informed consent’, this can create problems for users of circumvention tools as it removes plausible deniability. Similarly, the idea of using anonymity to protect activists may not always match activists’ experience: some participants want their real names used because they feel this offers the protection of international visibility. Gill argued that part of what we need is better models of risk: frameworks for predicting how censors are likely to react to measurement.
The next session of the day focused on Mobile Security and Privacy. David Lie of University of Toronto began with a discussion of ‘Pscout: Analyzing the Android Permission Specification’. This tool uses two-factor attestation as a way to improve data security. This combines two-factor authentication with malware protection across both laptops and mobiles/authentication tokens. (I have some concern about the focus here on ‘trusted computing’, which takes devices further out of their users’ control).
Jakub Dalek of Citizen Lab talked next about the Asia Chats project, which focuses on chat apps that are popular outside the western context. In this case, Line, Firechat, and WeChat. Line implements blocking for users registered with a Chinese number, although there are a number of ways to circumvent this blocking. Firechat, which has been popular in Iraq, is promoted as being anonymous, but the actual content of messages is very poorly protected. Finally, Dalek noted that there was a lot of Chinese government interest in regulating WeChat.
Jason Q. Ng, also Citizen Lab, shared his work on the same project, this time focusing on Weixin. One of the interesting trends here is the emergence of messages which place the blame on other users for blocked content, such as: “This content has been reported by multiple people, the related content is unable to be shown”. Looking at the specific kinds of content blocked suggests that even if ‘users’ are blocking this material, there’s some link with the Chinese government (or at least with government interests). More work is needed, perhaps, which looks at these kinds of indirect forms of information control.
Finally, Bendert Zevenbergen of the Oxford Internet Institute outlined the Ethical Privacy Guidelines for Mobile Connectivity Measures, the outcome of a workshop held with ten lawyers and ten technical experts. He also raised the potential helpfulness of a taxonomy of Internet Measurement ethics issues, and invited people to begin collaborating in the creation of a draft document.
The next session focused on Transparency and Accountability in Corporations and Government. Chris Prince of the Office of the Privacy Commissioner of Canada talked about the annual report in Canada on the use of electronic surveillance which has been made available since 1974. A paper analysing this data, Big Brother’s Shadow, was published in 2013, and suggested important shifts in targets and sites of surveillance.
Jon Penney of the Berkman Center, Citizen Lab, and Oxford Internet Institute, outlined three major challenges for transparency reporting in ‘Corporate Transparency: the US experience’. These include the need for more companies to be willing to share transparency reports with more and better data (including standardised data); better presentation and communication of transparency reports which balance advocacy and research and provide contextualisation; and more work on the legal and regulatory space impacting transparency reporting.
Nathalie Marechal of USC Annenberg talked about the ‘Ranking Digital Rights’ project, which is developing and testing criteria for particular privacy-protections from companies (such as whether they allow users to remain anonymous), working within an international human rights framework. This work has the potential to be useful not only for civil society actors advocating for better corporate behaviour, but also for corporations lobbying for policy change. The initial phase of the project is looking at geographically-based case studies to better understand themes across different locations, and during this phase there’s an interest in understanding how to assess multinational corporations operating across multiple regulatory contexts, including those which are acquired by other companies. Marechal and other researchers on the project are seeking feedback on the work so far.
Chris Parsons of Citizen Lab spoke on the need for better data about online privacy and related issues in the Canadian context: at the moment, we’re aware that, “an eye is monitoring Canadian communications”, but don’t have full details. This work began by sending surveys to leading Canadian companies in order to get more information on data retention. Results mainly indicated a generalised refusal to engage in any depth with the questions. The work has also been crowdsourcing ‘right of access’ information through an open request tool [try it out, if you're Canadian!]. Unlike the surveys, these requests are legally binding, and through the data generated, they’re trying to figure out how long online data is stored, how it is processed, and who it is shared with. Collaborations with MP Charmaine Borg have also led to more information about how Canadian intelligence and police agencies are engaging in data surveillance. From this initial research, they’re now trying to use this data to develop a transparency template to more effectively map what we still need to know.
In the final talk of the session, Matt Braithwaite of Google talked about work around Gmail to build a better understanding of increasing encryption of email in transit. Google also has useful data available on this, and their report on it received significant attention, which resulted in a spike in encryption of email.
The final panel for day one looked at Surveillance.
Seth Hardy of Citizen Lab talked about ‘Targeted Threat Index: Characterizing and Quantifying Politically Motivated Malware’. This is a way of measuring the combination of social targeting (for example, the use of specific language and internal group knowledge to convince activists to open attachments) and technical sophistication to build a better understanding of how politically-motivated malware is developing. Research from this project will be presented at USENIX Security on August 21st, 2014.
Bill Marczak (UC Berkeley and Citizen Lab) and John Scott-Railton (UCLA and Citizen Lab) talked about the growth of state sponsored hacking. They described the growth of mercenaries, companies selling tools to governments (such as FinFly). Some of the challenges for this research include the lack of people available to contact targeted groups and find out about the issues they might be having, and that targeted users may not even realise they’re under attack in some cases. There is some information available on malware that users are accessing, but metadata on this is limited: researchers get a file name, country of submitter, and time submitted, which doesn’t give information about the context in which malware was accessed.
Ashkan Soltani spoke on how technological advances enable bulk surveillance. One of the important differences between traditional surveillance techniques and new methods is the cost. For example, Soltani estimates that for the FBI to tail someone, it’s about $50/hr by foot, $105/hour by car, and covert auto pursuit with five cars is about $275/hour. Mobile tracking might work out to between 4c and $5/hour. This means that the FBI has been able to use mobile tracking to watch 3,000 people at a time, which would be totally impossible otherwise. This is vital when we think about how different forms of surveillance are (or aren’t) regulated.
Nicholas Weaver is based at the International Computer Science Institute, and emphasised that this gives him more freedom to look at NSA-relevant areas because he has the freedom to look at leaks that US government employees are prohibited from accessing. He advises us not to trust any Tim Horton’s near any government buildings. He gave a brief overview of NSA surveillance, arguing that it’s not particularly sophisticated and opens up a lot of vulnerabilities. Weaver said that anyone with a knowledge of the kinds of surveillance that the US’s allies (such as France and Israel) are engaging in will find them more worrying than actions of the US’s opponents (eg. Russia and China).
Cynthia Wong discussed work by Internet Research and Human Rights Watch on documenting the harms of surveillance. One of the organisation’s case studies has focused on Ethiopia, which is interesting because of the network of informants available, and the extreme hostility to human rights documentation and research on the part of the Ethiopian government. Surveillance in Ethiopia is complex but not necessarily sophisticated, often relying on strategies like beating people up and demanding their Facebook passwords. However, the state also buys surveillance tools from foreign companies, and documenting the harms of surveillance may help in bringing action against both companies and Ethiopia itself. The organisation also has a new report out which looks at surveillance in the US, where it’s harder to document both surveillance and resultant harms: this report highlights the chilling effects of surveillance on lawyers and journalists.
August 7, 2013
I’m kicking myself for missing Observe. Hack. Make. – it sounds like it was an amazing event that brought together geek and activist communities in a really interesting and valuable way. Coverage coming through on Twitter also suggested that #OHM2013 hosted political discussions that were informed by a more complex political analysis than the ones I often see surrounding issues about digital security and civil rights. There was a lot of excitement around Eleanor Saitta’s talk in particular, Ethics and Power in the Long War. I encourage you to read the full transcript, but there were a few stand-out points that are worth emphasising.
- Saitta talked about the need for those involved in developing digital security to stop harassing each other and have “a polite technical conversation like professionals do in the real world”. (Sarah Sharp’s recent calls for civility on the Linux mailing list give good insight into some of the culture surrounding this.) This is especially important to me because poor communication and unwelcoming discussion are one of the barriers to better inter-community engagement I’ve noticed coming up over and over in my research and activism. Aggressive communication styles within a community are not only unproductive and tiring for those involved, they also make it harder for those outside the community to consider joining, or coming in and saying, “hey, we need some help with this tool” or “can we link up on this issue”.
- She also argued that “the user model is the thing that needs to come first”. There are some really useful security tools out there that people I know would benefit from, but they’re not using them because they require investing too much time and energy to learn, and the benefits aren’t clear.
- Linked to this is her injunction to value the “incredibly complex and very powerful pattern matching CPU hooked-up to your system that you are not using … the user”. Many activists on the ground don’t have the skills (or the interest) to work through complicated tools that aren’t user-friendly, but they do have other important skills and knowledge, including an awareness of their own needs and an informed political analysis.
- Saitta argued that we need new tools to be informed by a theory of change, an understanding of the larger battles and overall landscape in which tools will be deployed. Although her example focused on the brittleness of security systems (once stuff breaks, it really breaks), I’d argue that we also need to think about this in terms of a political theory of change. The theory of change for a lot of digital rights activism at the moment is, ‘more information will necessarily change politics’. More information helps, but we also need to understand that the system is sustained by powerful interests, not just ignorance, and our theory of change needs to be informed by that. (Which I think is happening, increasingly.)
- She also calls out the tech community’s claims to being apolitical: “we don’t get to be apolitical anymore. Because if you’re doing security work, if you’re doing development work and you are apolitical, then you are aiding the existing centralizing structure. If you’re doing security work and you are apolitical, you are almost certainly working for an organization that exists in a great part to prop up existing companies and existing power structures.”
In response to this, Saitta lays out her own politics, noting that the increased surveillance we’re seeing these days is an inherent function of the state as it exists today:
if we want to have something that resembles democracy, given that the tactics of power and the tactics of the rich and the technology and the typological structures that we exist within, have made that impossible, then we have to deal with this centralizing function. As with the Internet, so the world. We have to take it all apart. We have to replace these structures. And this isn’t going to happen overnight, this is decades long project. We need to go build something else. We need to go build collective structures for discussion and decision making and governance, which don’t rely on centralized power anymore. If we want to have democracy, and I am not even talking about digital democracy, if we want to have democratic states that are actually meaningfully democratic, that is simply a requirement now.
Conversations which make this their starting point are incredibly important right now. It’s necessary, but not sufficient, to talk about decentralising political power. We need to also be talking about what that means in practice, how it will work, what kinds of tools and systems will support it.
March 16, 2011
There’s been a lot of excitement among digital liberties types about the TPPA recently, as the US IP proposals were leaked last week. There’s an excellent analysis by Kim Weatherall over at LawFont, more analysis over at techdirt, and some opposition starting up by groups like the Pirate Party and EFA. Most of these activists have raised some great points – I particularly recommend Kim Weatherall’s article, which has identified some areas that might be particularly problematic, especially relating to copyright extensions and anti-circumvention provisions.
However, what I find strange about a lot of this is the lack of connection with other anti-trade agreement activism. Left-wing activists have been critiquing “free trade” agreements for decades: the protests in Seattle in 1999 were some of the most visible examples of this in the global North, but they certainly haven’t been the only protests. When it comes to the TPPA, there are a number of groups continuing on from previous rounds of global justice activism, including TPPWatch (NZ) and AFTINET (AU). I’m not particularly well-linked to this activist scene, so I’m sure there are also plenty of less-visible groups.
There are a few reasons why digital liberties activists might not be connecting up with other strands of global justice activism, as I argued in my PhD. These include:
- Many (but not all!) digital liberties activists come from “geeky” backgrounds – they know a lot about copyright, or software, but not necessarily a lot about non-institutional politics or protest movements.
- Many digital liberties activists seem to want to avoid any association with left-wing politics, and often identify as libertarian, or as “apolitical” (despite the fact that they’re involved in intensely political projects).
- A significant proportion of digital liberties activism comes from a pro-capitalist perspective and is based on the assumption that we need to expand the economy and encourage more “innovation”. See, for example, techdirt’s complaints that the TPPA is “against the basic principles of the free market and consumer rights”. This doesn’t tend to mesh well with anarchist/socialist perspectives, although there are some overlaps.
- As I’m learning more about digital liberties groups, it’s becoming clearer to me that many of those involved want to be identified as “serious” and capable of consultation. In fact, I suspect that many of them would resist the “activist” label, and would prefer to stick to formal lobbying activity, trying for inclusion in decision-making bodies.
However, while I can see the reasons that digital liberties activists might not want to link up with global justice activism against “free trade” agreements, I do think there are important arguments that they should at least consider:
- There’s no point reinventing the wheel. Activists around the world have been involved in building critiques of the processes used to create free trade agreements, bringing attention to the fact that these processes are undemocratic and opaque. Digital liberties activists might not fully agree with the critiques put forward by global justice activists, but they can draw on them.
- Building coalitions can be helpful, especially if they bring together a range of demographics. Demonstrating that proposed agreements are likely to have effects on people beyond a relatively small band of “knowledge workers” is a good way to put pressure on governments.
- If you want to bring attention to intellectual property issues, you need to convince people that these issues will have some effect on their lives. Analysing them within the broader context of other provisions of free trade agreements is one way to do this.
I’ve argued elsewhere that global justice activists should be paying attention to digital liberties. I think it’s also important that digital liberties activists pay attention to what global justice activists are doing.