April 2023 - net.wars

The privacy price of food insecurity

One of the great unsolved questions continues to be: what is my data worth? Context is always needed: worth to whom, under what circumstances, for what purpose? Still, supermarkets may give us a clue.

At Novara Media, Jake Hurfurt, who runs investigations for Big Brother Watch, has been studying suprmarket loyalty cards. He finds that increasingly only loyalty card holders have access to special offers, which used to be open to any passing customer.

Tesco now and Sainsburys soon, he says, “are turning the cost-of-living crisis into a cost-of-privacy crisis”,

Neat phrasing, but I’d say it differently: these retailers are taking advantage of the cost-of-living crisis to extort desperate people ito giving up their data. The average value of the discounts might – for now – give a clue to the value supermarkets place on it.

But not for long, since the pattern going forward is a predictable one of monopoly power: as the remaining supermarkets follow suit and smaller independent shops thin out under the weight of rising fuel bills and shrinking margins, and people have fewer choices, the savings from the loyalty card-only special offers will shrink. Not so much that they won’t be worth having, but it seems obvious they’ll be more generous with the discounts – if “generous” is the word – in the sign-up phase than they will once they’ve achieved customer lock-in.

The question few shoppers are in a position to answer while they’re strying to lower the cost of filling their shopping carts is what the companies do with the data they collect. BBW took the time to analyze Tesco’s and Sainsburys’ privacy policies, and found that besides identity data they collect detailed purchase histories as well as bank accounts and payment information…which they share with “retail partners, media partners, and service providers”. In Tesco’s case, these include Facebook, Google, and, for those who subscribe to them, Virgin Media and Sky. Hyper-targeted personal ads right there on your screen!

All that sounds creepy enough. But consider what could well come next. Also this week, a cross-party group of 50 MPs and peers and cosinged by BBW, Privacy International and Liberty, wrote to Frasers Group deploring that company’s use of live facial recognition in its stores, which include Sports Direct and the department store chain House of Fraser. Frasers Group’s purpose, like retailers and pub chains were trialing a decade ago , is effectively to keep out people suspected of shoplifting and bad behavior. Note that’s “suspected”, not “convicted”.

What happens as these different privacy invasions start to combine?

A store equipped with your personal shopping history and financial identity plus live facial recognition cameras, knows the instant you walk into the store who you are, what you like to buy, and how valuable a customer your are. Such a system, equipped with some sort of socring, could make very fine judgments. Such as: this customer is suspected of stealing another customer’s handbag, but they’re highly profitable to us, so we’ll let that go. Or: this customer isn’t suspected of anything much but they look scruffy and although they browse they never buy anything – eject! Or even: this journalist wrote a story attacking our company. Show them the most expensive personalized prices. One US entertainment company is already using live facial recognition to bar entry to its venues to anyone who works for any law firm involved in litigation against it. Britain’s data protection laws should protect us against that sort of abuse, but will they survive the upcoming bonfire of retained EU law?

And, of course, what starts with relatively anodyne product advertising becomes a whole lot more sinister when it starts getting applied to politics, voter manipulation and segmentation, and the “pre-crime” systems

Add the possibilities of technology that allows retailers to display personalized pricing in-store, just like an online retailer could do in the privacy of your own browser, Could we get to a scenario where a retailer, able to link your real world identity and purchasing power to your online nd offline movements could perform a detailed calculation of what you’d be willing to pay for a particular item? What would surge pricing for the last remaining stock of the year’s hottest toy on Christmas Eve look like?

This idea allows me to imagine shopping partnerships, where the members compare prices and the partner with the cheapest prices buys that item for the whole group. In this dystopian future, I imagine such gambits would be banned.

Most of this won’t affect people rich enough to grandly refuse to sign up for loyalty cards, and none of it will affect people rich and eccentric enough to do source everything from local, independent shops – and, if they’re allowed, pay cash.

Four years ago, Jaron Lanier toured with the proposal that we should be paid for contributing to commercial social media sites. The problem with this idea was and is that payment creates a perverse incentive for users to violate their own privacy even more than they do already, and that fair payment can’t be calculated when the consequences of disclosure are perforce unknown.

The supermarket situation is no different. People need food security and affordability, They should not have to pay for that with their privacy.

Illustrations: .London supermarket checkout, 2006 (via Wikimedia.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Follow on Mastodon or Twitter.

Breaking badly

This week, the Online Safety Bill reached the House of Lords, which will consider 300 amendments. There are lots of problems with this bill, but the one that continues to have the most campaigning focus is the age-old threat to require access to end-to-end encrypted messaging services.

At his blog, security consultant Alec Muffett predicts the bill will fail in implementation if it passes. For one thing, he cites the argument made by Richard Allan, Baron of Hallam that the UK government wants the power to order decryption but will likely only ever use it as a threat to force the technology companies to provide other useful data. Meanwhile, the technology companies have pushed back with an open letter saying they will withdraw their encrypted products from the UK market rather than weaken them.

In addition, Muffett believes the legally required secrecy when a service provider is issued with a Technical Capability Notice to provide access to communications, which was devised for the legacy telecommunications world, is impossible in today’s world of computers and smartphones. Secrecy is no longer possible, given the many researchers and hackers who make it their job to study changes to apps, and who would surely notice and publicize new decryption capabilities. The government will be left with the choice of alienating the public or failing to deliver its stated objectives.

At Computer Weekly, Bill Goodwin points out that undermining encryption will affect anyone communicating with anyone in Britain, including the Ukrainian military communicating with the UK’s Ministry of Defence.

Meanwhile, this week Ed Caesar reports at The New Yorker on law enforcement’s successful efforts to penetrate communications networks protected by Encrochat and Sky ECC. It’s a reminder that there are other choices besides opening up an entire nation’s communications to attack.

***

This week also saw the disappointing damp-squib settlement of the lawsuit brought by Dominion Voting Systems against Fox News. Disappointing, because it leaves Fox and its hosts free to go on wreaking daily havoc across America by selling their audience rage-enhanced lies without even an apology. The payment that Fox has agreed to – $787 million – sounds like a lot, but a) the company can afford it given the size of its cash pile, and b) most of it will likely be covered by insurance.

If Fox’s major source of revenues were advertising, these defamation cases – still to come is a similar case brought by Smartmatic – might make their mark by alienating advertisers, as has been happening with Twitter. But it’s not; instead, Fox is supported by the fees cable companies pay to carry the channel. Even subscribers who never watch it are paying monthly for Fox News to go on fomenting discord and spreading disinformation. And Fox is seeking a raise to $3 per subscriber, which would mean more than $1,8 billion a year just from affiliate revenue.

All of that insulates the company from boycotts, alienated advertisers, and even the next tranche of lawsuits. The only feedback loop in play is ratings – and Fox News remains the most-watched basic cable network.

This system could not be more broken.

***

Meanwhile, an era is ending: Netflix will mail out its last rental DVD in September. As Chris Stokel-Walker writes at Wired, the result will be to shrink the range of content available by tens of thousands of titles because the streaming library is a fraction of the size of the rental library.

This reality seems backwards. Surely streaming services ought to have the most complete libraries. But licensing and lockups mean that Netflix can only host for streaming what content owners decree it may, whereas with the mail rental service once Netflix had paid the commercial rental rate to buy the DVD it could stay in the catalogue until the disk wore out.

The upshot is yet another data point that makes pirate services more attractive: no ads, easy access to the widest range of content, and no licensing deals to get in the way.

***

In all the professions people have been suggesting are threatened by large language model-based text generation – journalism, in particular – no one to date has listed fraudulent spiritualist mediums. And yet…

The family of Michael Schumacher is preparing legal action against the German weekly Die Aktuelle for publishing an interview with the seven-time Formula 1 champion. Schumacher has been out of the public eye since suffering a brain injury while skiing in 2013. The “interview” is wholly fictitious, the quotes created by prompting an “AI” chat bot.

Given my history as a skeptic, my instinctive reaction was to flash on articles in which mediums produced supposed quotes from dead people, all of which tended to be anodyne representations bereft of personality. Dressing this up in the trappings of “AI” makes such fakery no less reprehensible.

An article in the Washington Post examines Google’s C4 data set scraped from 15 million websites and used to train several of the highest profile large language models. The Post has provided a search engine, which tells us that my own pelicancrossing.net, which was first set up in 1996, has contributed 160,000 words or phrases (“tokens”), or 0.0001% of the total. The obvious implication is that LLM-generated fake interviews with famous people can draw on things they’ve actually said in the past, mixing falsity and truth into a wasteland that will be difficult to parse.

Illustrations: The House of Lords in 2011 (via Wikimedia).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Follow on Twitter.

Ex libris

So as previously discussed here three years ago and two years ago, on March 24 the US District Court for the Southern District of New York found that the Internet Archive’s controlled digital lending fails copyright law. Half of my social media feed on this subject filled immediately with people warning that publishers want to kill libraries and this judgment is a dangerous step limiting access to information; the other half is going “They’re stealing from authors. Copyright!” Both of these things can be true. And incomplete.

To recap: in 2006 the Internet Archive set up the Open Library to offer access to digitized books under “controlled digital lending”. The system allows each book to be “out” on “loan” to only one person at a time, with waiting lists for popular titles. In a white paper, lawyers David R. Hansen and Kyle K. Courtney call this “format shifting” and say that because the system replicates library lending it is fair use. Also germane: the Archive points to a 2007 California decision that it is in fact a library. Other countries may beg to differ.

When public libraries closed at the beginning of the covid19 pandemic, the Internet Archive announced the National Emergency Library, which suspended the one-copy-at-a-time rule and scrubbed the waiting lists so anyone could borrow any book at any time. The resulting publicity was the first time many people had heard of the Open Library, although authors had already complained. Hachette Book Group, Penguin Random House, HarperCollins, and Wiley filed suit. Shortly afterwards, the Archive shut down the National Emergency Library. The Open Library continues, and the Archive will appeal the judge’s ruling.

On the they’re-killing-the-libraries side: Mike Masnick and Fight for the Future. At Walled Culture, Glyn Moody argues that sharing ebooks helps sell paid copies. Many authors agree with the publishers that their living is at risk; a group of exceptions including Neil Gaiman, Naomi Klein, and Cory Doctorow, have published an open letter defending the Archive.

At Vice, Claire Woodstock lays out some of the economics of library ebook licenses, which eat up budgets but leave libraries vulnerable and empty-shelved when a service is withdrawn. She also notes that the Internet Archive digitizes physical copies it buys or receives as donations, and does not pay for ebook licenses.

Brief digression back to 1996, when Pamela Samuelson warned of the coming copyright battles in Wired. Many of its key points have since either been enshrined into law, such as circumventing copy protection; others, such as requiring Internet Service Providers to prevent users from uploading copyrighted material, remain in play today. Number three on her copyright maximalists’ wish listeliminating first-sale rights for digitally transmitted documents. This is the doctrine that enables libraries to lend books.

It is therefore entirely believable that commercial publishers believe that every library loan is a missed sale. Outside the US, many countries have a public lending right that pays royalties on loans for that sort of reason. The Internet Archive doesn’t pay those, either.

It surely isn’t facing the headwinds public libraries are. In the UK, years of austerity have shrunk library budgets and therefore their numbers and opening hours. In the US, libraries are fighting against book bans; in Missouri, the Republican-controlled legislature voted to defund the state’s libraries entirely, apparently in retaliation.

At her blog, librarian and consultant Karen Coyle, who has thought for decades about the future of libraries, takes three postings to consider the case. First, she offers a backgrounder, agreeing that the Archive’s losing on appeal could bring consequences for other libraries’ digital lending. In the second, she teases out the differences between academic/research libraries and public libraries and between research and reading. While journals and research materials are generally available in electronic format, centuries of books are not, and scanned books (like those the Archive offers) are a poor reading experience compared to modern publisher-created ebooks. These distinctions are crucial to her third posting, which traces the origins of controlled digital lending.

As initially conceived by Michelle M. Wu in a 2011 paper for Law Library Journal, controlled digital lending was a suggestion that law libraries could, either singly or in groups, buy a hard copy for their holdings and then circulate a digitized copy, similar to an Inter-Library Loan. Law libraries serve limited communities, and their comparatively modest holdings have a known but limited market.

By contrast, the Archive gives global access to millions of books it has scanned. In court, it argued that the availability of popular commercial books on its site has not harmed publishers’ revenues. The judge disagreed: the “alleged benefits” of access could not outweigh the market harm to the four publishers who brought the suit. This view entirely devalues the societal role libraries play, and Coyle, like many others, is dismayed that the judge saw the case purely in terms of its effect on the commercial market.

The question I’m left with is this: is the Open Library a library or a disruptor? If these were businesses, it would obviously be the latter: it avoids many of the costs of local competitors, and asks forgiveness not permission. As things are, it seems to be both: it’s a library for users, but a disruptor to some publishers, some authors, and potentially the world’s libraries. The judge’s ruling captures none of this nuance.

Illustrations: 19th century rendering of the Great Library of Alexandria (via Wikimedia).

Review: Cloudmoney

Cloudmoney: Cash, Cards, Crypto, and the War for our Wallets
By Brett Scott
Publisher: Bodley Head
ISBN: 978-1-847-92587-9

Three years ago, the area around the local tube station included a bank and four ATMs. Come the pandemic, the bank closed, never to return, and so did two of the ATMs. The loss of the bank gave a couple of the chain stores an excuse to refuse to take cash. But they’re a minority in an area full of independent local shops, who recognize that many of their customers are cash users. Journey into some parts of central London, however, and cash gets you ghosted.

We are told that the cashless future is what we want: it’s more convenient (except when the system is down, the app needs to be rebooted, or there’s no Internet connection). The reality, as “monetary anthropologist” and former broker Brett Scott points out in his book Cloudmoney, is that despite this inevitability narrative, one reason electronic/digital payments are more convenient is a deliberate effort to make cash harder to access. Often, promoters claim the cashless society is – or will be – more financially inclusive. Yet, as Scott recounts, that “inclusion” in the remote global economy often brings with it the exclusion of locally-controlled, less formal economies. Less financial inclusion, more *enclosure* and “corporate seep”.

Scott’s central thesis is simple: once the forces of Big Tech and Big Finance have merged, they will have a hitherto unimaginable amount of power over all of us. I have some sympathy with this argument. People forget that it was through the banks that Gilead was brought into being in Margaret Atwood’s The Handmaid’s Tale. All they had to do was locate all the accounts tagged “F” and turn off access until a suitable male came forward to claim them. This is the power of cloudmoney – money that exists for us only in the form of numbers that represent promises to pay. Scott is not predicting a specific dystopia; but he does want to propagate a counterbalancing narrative to the “liberation” every new fintech app pretends to promise while scarfing up all our personal data. In his campaign to protect the public system of cash, he sometimes finds himself in the company of conspiracy theorists whose other ideas he rejects.

What is less clear is where bitcoin and other cryptocurrencies fit in. They also started with rhetoric: they were digital cash, digital gold, a mechanism for bypassing the world’s banks and governments. In practice, so far, they haven’t succeeded at any of these things, and even in El Salvador, where bitcoin is legal tender, you can’t use it to buy a box of oatmeal in a supermarket.

The story technology companies tell is, of course, that they are disrupting the stodgy, antiquated world of traditional finance. Instead, what Scott sees is plain old automation that serves that world and tightens its control. Almost every new service, whatever the rhetoric it starts with, from credit cards to Paypal to Apple Pay to Facebook’s failed Libra cryptocurrency, becomes a front end for bank accounts for the same reason that robbers always focused on them: that’s where the money is. The exception is cash – slow, partially disconnected cash that enables transactions that aren’t caught in what Scott calls the “digital mesh” of corporate capitalism. No wonder they hate it.

Excluding the vote

“You have to register at home, where your parents live,” said the clerk at the Board of Elections office.

I was 18, and registering to vote for the first time. It was 1972.

“I don’t live there,” I said. “I live here.” “Here” was Ithaca, NY, a town that, I learned later, was hyper-conscious that college students – Cornell, Ithaca College – outnumbered local residents. They didn’t want us interlopers overwhelming their preferences.

We had a couple more back-and-forths like this, and then she picked up the phone and called the state authorities in Albany for an official ruling. I knew – or thought I knew – that the law was on my side.

It was. I registered. I voted.

In about a month, the UK will hold local elections. For the first time, anyone presenting themselves to vote at the polls will be required to show an ID card with a photograph. This is a policy purely imported from American Republicans, and it has no basis in necessity. The Electoral Commission, in recommending its introduction, admitted that the issue was public perception. The big issues with respect to elections are around dark money and the processes by which candidates are chosen.

For 49 days in the fall of 2022, Liz Truss served as prime minister; she was chosen by 81,326 Tory party members. Out of the country’s roughly 68 million people, only 141,725 (out of an estimated 172,000 party members) voted in that contest because, since the Conservatives had decisively won the 2019 election, they were just electing a new leader. Rishi Sunak was voted in by 202 MPs.

The government’s proximate excuse for bringing in voter ID is the fraud-riddled May 2014 mayoral election in the London borough of Tower Hamlets. Four local residents risked their own money to challenge the outcome, and in 2015 won an Election Court ruling voiding the election and barring the cheating winner from standing for public office for five years. Their complaints; included vote-rigging, false statements made by the winning candidates about his rival, bribery, and religious influence.

The High Court of Justice’s judgment in the case says: “…in practice, where electoral malpractice is established, particularly in the field of vote-rigging, it is very rare indeed to find members of the general public engaging in DIY vote-rigging on behalf of a candidate. Generally speaking, if there is widespread personation or false registration or misuse of postal votes, it will have been organised by the candidate or by someone who is, in law, his agent.”

Surely a more logical response to the Tower Hamlets case would be to make it easier – or at least quicker – for individuals to challenge election results and examine ways to ensure better behavior by *candidates*, not voters.

The judgment also notes that personation – assuming someone else’s identity in order to vote – was far more of a risk when fewer people qualified to vote. There followed a long period when it was too labor-intensive for too little reward; you need a lot of impersonators to change the result. In recent years, however, postal voting has made it viable again; in two wards of a 2008 Birmingham election Labour candidates committed 15 types of fraud involving postal ballots. The election in those two wards was re-run.

In his book Security Engineering, Cambridge professor Ross Anderson notes that the likelihood that expanded use of postal ballots would open the way for vote-buying an intimidation was predicted even as first Margaret Thatcher and then Tony Blair pursued the policy. But the main point is clear: the big problem is postal ballots, which you can’t solve by requiring voter ID from those who vote in person. It’s the wrong threat model. As Anderson observes, “…it’s typically the incumbent who tweaks the laws, buys the voting machines, and creates as many advantages for their own side, small and large, as the local political culture will tolerate.”

But voter ID is the policy that Boris Johnson used his 80-seat majority to push through in the form of the Elections Act (2022), which also weakens the independence of the Electoral Commission. As the bill went through Parliament, estimates were that about 3.5 million people lacked any qualifying form of ID, and that those 3.5 million skew heavily toward people who are not expected to vote Conservative.

This was all maddening enough – and then they published the list of acceptable forms of ID. Tl;dr: the list blatantly skews in favor of older and richer people, who are presumed to be more likely to vote Conservative. Passports, driving licenses, and travel passes 60+ for people are all acceptable. Student ID cards and travel cards and passesare not. The government says they are not secure enough, a bit like saying a lock on the door is pointless because it’s not a burglar alarm.

There is a scheme for issuing free voter cards; applications must be in by April 25. People can also vote by post or by proxy without ID. And there are third parties pushing paid ID cards, too. But what it comes down to is next month a bunch of people are going to go to vote and will be barred. And this from the same people who wanted online voting to “increase access”.

Illustrations: London polling station 2017 (by Mramoeba at Wikimedia.