Category: Politics

Gap year

What do Internet users want?

First, they want meaningful access. They want usability. They want not to be scammed, manipulated, lied to, exploited, or cheated.

It’s unlikely that any of the ongoing debates in either the US or UK will deliver any of those.

First and foremost, this week concluded two frustrating years in which the US Senate failed to confirm the appointment of Public Knowledge co-founder and EFF board member Gigi Sohn to the Federal Communications Commission. In her withdrawal statement, Sohn blamed a smear campaign by “legions of cable and media industry lobbyists, their bought-and-paid-for surrogates, and dark money political groups with bottomless pockets”.

Whether you agree or not, the result remains that for the last two years and for the foreseeable future the FCC will remain deadlocked and problems such as the US’s lack of competition and patchy broadband provision will remain unsolved.

Meanwhile, US politicians continue obsessing about whether and how to abort-retry-fail Section 230, that pesky 26-word law that relieves Internet hosts of liability for third-party content. This week it was the turn of the Senate Judiciary Committee. In its hearing, the Internet Society’s Andrew Sullivan stood out for trying to get across to lawmakers that S230 wasn’t – couldn’t have been – intended as protectionism for the technology giants because they did not exist when the law was passed. It’s fair to say that S230 helped allow the growth of *some* Internet companies – those that host user-generated content. That means all the social media sites as well as web boards and blogs and Google’s search engine and Amazon’s reviews, but neither Apple nor Netflix makes its living that way. Attacking the technology giants is a popular pasttime just now, but throwing out S230 without due attention to the unexpected collateral damage will just make them bigger.

Also on the US political mind is a proposed ban on TikTok. It’s hard to think of a move that would more quickly alienate young people. Plus, it fails to get at the root problem. If the fear is that TikTok gathers data on Americans and sends it home to China for use in designing manipulative programs…well, why single out TikTok when it lives in a forest of US companies doing the same kind of thing? As Karl Bode writes at TechDirt, if you really want to mitigate that threat, rein in the whole forest. Otherwise, if China really wants that data it can buy it on the open market.

Meanwhile, in the UK, as noted last week, opposition continues to increase to the clauses in the Online Safety bill proposing to undermine end-to-end encryption by requiring platforms to proactively scan private messages. This week, WhatsApp said it would withdraw its app from the UK rather than comply. However important the UK market is, it can’t possibly be big enough for Meta to risk fines of 4% of global revenues and criminal sanctions for executives. The really dumb thing is that everyone within the government uses WhatsApp because of its convenience and security, and we all know it. Or do they think they’ll have special access denied the rest of the population?

Also in the UK this week, the Data Protection and Digital Information bill returned to Parliament for its second reading. This is the UK’s post-Brexit attempt to “take control” by revising the EU’s General Data Protection Regulation; it was delayed during Liz Truss’s brief and destructive outing as prime minister. In its statement, the government talks about reducing the burdens on businesses without any apparent recognition that divergence from GDPR is risky for anyone trading internationally and complying with two regimes must inevitably be more expensive than complying with one.

The Open Rights Group and 25 other civil society organizations have written a letter (PDF) laying out their objections, noting that the proposed bill, in line with other recent legislation that weakens civil rights, weakens oversight and corporate accountability, lessens individuals’ rights, and weakens the independence of the Information Commissioner’s Office. “Co-designed with businesses from the start” is how the government describes the bill. But data protection law was not supposed to be designed for business – or, as Peter Geoghegan says at the London Review of Books, to aid SLAPP suits; it is supposed to protect our human rights in the face of state and corporate power. As the cryptography pioneer Whit Diffie said in 2019, “The problem isn’t privacy; it’s corporate malfeasance.”

The most depressing thing about all of these discussions is that the public interest is the loser in all of them. It makes no sense to focus on TikTok when US companies are just as aggressive in exploiting users’ data. It makes no sense to focus solely on the technology giants when the point of S230 was to protect small businesses, non-profits, and hobbyists. And it makes no sense to undermine the security afforded by end-to-end encryption when it’s essential for protecting the vulnerable people the Online Safety bill is supposed to help. In a survey, EDRi finds that compromising secure messaging is highly unpopular with young people, who clearly understand the risks to political activism and gender identity exploration.

One of the most disturbing aspects of our politics in this century so far is the widening gap between what people want, need, and know and the things politicians obsess about. We’re seeing this reflected in Internet policy, and it’s not helpful.

Illustrations: Andrew Sullivan, president of the Internet Society, testifying in front of the Senate Judiciary Committee.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Follow on Mastodon or Twitter.

Ghostwritten

This week’s deliberate leak of 100,000 WhatsApp messages sent between the retiring MP Matt Hancock (Con-West Suffolk) and his cabinet colleagues and scientific advisers offers several lessons for the future. Hancock was the health minister during the first year of the covid-19 pandemic, but forced to resign in June 2021, when he was caught on a security camera snogging an adviser in contravention of the social distancing rules.

The most ignored lesson relates to cybersecurity, and is simple: electronic messages are always at risk of copying and disclosure.

This leak happened to coincide with the revival of debates around the future of strong encryption in the UK. First, the pending Online Safety bill has provisions that taken together would undermine all encrypted communications. Simultaneously, a consultation on serious and organized crime proposes to criminalize “custom” encryption devices. A “dictionary attack”, Tim Cushing calls this idea at Techdirt, in that the government will get to define the crime at will.

The Online Safety Bill is the more imminent problem; it has already passed the House of Commons and is at the committee stage in the House of Lords. The bill requires service providers to protect children by proactively removing harmful content, whether public or private, and threatens criminal liability for executives of companies that fail to comply.

Signal, which is basically the same as WhatsApp without the Facebook ownership, has already said it will leave the country if the Online Safety bill passes with the provisions undermining encryption intact.

It’s hard to see what else Signal could do. It’s not a company that has to weigh its principles against the loss of revenue. Instead, as a California non-profit, its biggest asset is the trust of its user base, and staying in a country that has outlawed private communications would kill that off at speed. In threatening to leave it has company: the British secure communications company Element, which said the provisions would taint any secure communications product coming out of the UK – presumably even for its UK customers, such as the Ministry of Defence.

What the Hancock leak reminds us, however, is that encryption, even when appropriately strong and applied end-to-end, is not enough by itself to protect security. You must also be able to trust everyone in the chain to store the messages safely and respect their confidentiality. The biggest threat is careless or malicious insiders, who can undermine security in all sorts of ways. Signal (as an example) provides the ability to encrypt the message database, to disappear messages on an automated schedule, password protection, and so on. If you’re an activist in a hostile area, you may be diligent about turning all these on. But you have no way of knowing if your correspondents are just as careful.

In the case at hand, Hancock gave the messages to the ghost writer for his December 2022 book Pandemic Diaries, Isabel Oakeshott, after requiring her to sign a non-disclosure agreement that he must have thought would protect him, if not his colleagues, from unwanted disclosures. Oakeshott, who claims she acted in the public interest, decided to give the messages to the Daily Telegraph, which is now mining them for stories.

Digression: whatever Oakeshott’s personal motives, there is certainly public interest in these messages. The tone of many quoted exchanges confirms the public perception of the elitism and fecklessness of many of those in government. More interesting is the close-up look at decision making in conditions of uncertainty, which to some filled with hindsight looks like ignorance and impatience. It’s astonishing how quickly people have forgotten how much we didn’t know. As mathematician Christina Pagel told the BBC’s Newsnight, you can’t wait for more evidence when the infection rate is doubling every four days.

What they didn’t know and when they didn’t know it will be an important part of piecing together what actually happened. The mathematician Kit Yates has dissected another exchange, in which Boris Johnson queries his scientific advisers about fatality rates. Yates argues that in assessing this exchange timing ise everything. Had it been in early 2020, it would be understandable to confuse infection fatality rates and case fatality rates, though less so to confuse fractions (0.04) and percentages (4%). Yates pillories Johnson because in fact that exchange took place in August 2020, by which time greater knowledge should have conferred greater clarity. That said, security people might find familiar Johnson’s behavior in this exchange, where he appears to see the Financial Times as a greater authority than the scientists. Isn’t that just like every company CEO?

Exchanges like that are no doubt why the participants wanted the messages kept private. In a crisis, you need to be able to ask stupid questions. It would be better to have a prime minister who can do math and who sweats the details, but if that’s not what we’ve got I’d rather he at least asked for clarification.

Still, as we head into yet another round of the crypto wars, the bottom line is this: neither technology nor law prevented these messages from leaking out some 30 years early. We need the technology. We need the law on our side. But even then, your confidences are only ever as private as your correspondent(s) and their trust network(s) will allow.

Illustrations: The soon-to-be-former-MP Matt Hancock, on I’m a Celebrity.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Follow on Mastodon or Twitter.