Nederlands
English
Category: privacy
ACTA and SOPA are great!
<originally a Dutch Webwereld.nl column>
Socially aware people are, often justifiably, very good at moral indignation, but they just as often display a touching naivety. I recently watched with some surprise the American Occupy activists who were shocked (shocked I tell you!) as policemen (or university rent-a-cops) launched unprovoked attacks using batons and pepper spray.
It is indeed despicable that these officials use so much violence. But if people are still shocked by this in 2011, one has to wonder where they’ve been hiding for the last 10 years – have they not watched the news? Did they think that they could let stolen elections, illegal wars of aggression, shooting children with anti-tank weapons and the torture of innocent civilians happen without the ultimate consequence of their govenment using the same force against them?
But even the naive indignation of some Occupy activists about their government and its boot boys, is nothing compared to the childish surprise of the IT press about ACTA and SOPA. The copyright industry has for decades lobbied for the length of copyright to stretch to the end-of-time-plus-a-day extra.
Sony has no problems with infecting computers of their customers with what amounts to a virus. A torrent of writs has poured forth from the offices of copyright enforcement. Babies and the elderly without a PC, deceased persons, and even a HP laser printer have been falsely accused of copyright infringement (labeled as “theft” by the lawyers of the industry). Surely we all know the kinds of organisations we are facing now?
That’s why I’m happy that the Kafkaesque combo of ACTA / SOPA has become clear. Now ACTA and SOPA have almost been rammed through, at least we all know where we stand. The wolves have thrown off their sheep’s clothing and shown themselves for what they are: predators with no interest in our welfare. We therefore need not be quasi-shocked about the fact that some large companies behave like predators.
Now we have determined that we are dealing with predators, we can take action. Acting all shocked and angry once a wolf reveals himself in a kindergarten playroom is not an effective measure – he is a predator. If you want to prevent a bloodbath, you need to build a fence around the playroom – or perhaps even around the wolf.
If we want IT to work for us, we must ensure that the technology is designed around our interests rather than the interests of software vendors or copyright serfs. We need computers and network devices that do what we want them to do, even if that is not in the commercial interests of a handful of large companies or the political will of illegal government lobbyists.
For over 25 years the Free Software Foundation has been the only organization calling for this. During the last 15 years the debate about the principles of free software has been almost completely overshadowed by the much more business-orientated and pragmatic approach of the Opensource Initiative. The reason to found the Opensource Initiative was literally the ‘too principled’ attitude of the Free Software Foundation.
Meanwhile, all the things that the FSF has warned us about for so long have become the new and ugly reality. The complete lack of principle in discussing the applications of our technology is now starting to bite in very nasty ways. Almost all PCs (and I include Macs here), phones and game consoles have onboard functions that are not there for our benefit but for companies that want to earn our money. When you’re not in contol of your computer, is it still your computer / phone / console / router / etc … ?
This is an old political lesson: if you wait too long to protest, maybe you will no longer able or allowed to protest. This applies not only to addressing governments that start wars or the state stupidly bailing out the banks. This applies equally to the question of who is in charge of the computers and networks that we now all depend on. If we collectively do not demand principles as part of our tech, then we will get technology without them.
The ideas of the Free Software Foundation have never been more important. Not because proprietary software is worse (sometimes) nor because Free Software has become so much better (much!), but because our own systems, our digital home, is where we should all have have a say.
Only principled thinking (in addition to technical function) about our IT will keep the wolves from the door.
DIY privacy, because the law no longer works
<originally a Webwereld column – in Dutch>
Over the last few years it seems as though everything that is centralised fails. Governments fail to solve societal problems (or even just complete a successful IT project), central banks fail to monitor the behaviour of ordinary banks, IT companies fail to offer us solutions that are safe and respect our privacy somewhat …
Decentralisation works better: bittorrent, non-Western popular revolts, open source software, hacktivism and to a certain extent the Occupy movement. I’m glad Bits of Freedom and international counterparts such as the EFF exist because they put issues on the agenda that most of the over-50 politicians would not otherwise consider. In Berlin, the Pirate Party has over 9% of the seats in local government and is spreading rapidly across Germany.
But is all this really upholding our "rights"? Because despite all petitions, motions, actions and other initiatives our (digital) civil liberties are still evaporating. In the Netherlands it is virtually impossible to finish high school without buying Microsoft or Apple products, despite a long string of promises and agreements about this from our government. There are so many PCs that are controlled by cyber criminals that Microsoft had to set up a specific spring-cleaning for the Netherlands without user consent. This also makes it immediately apparent who really controls all these systems. Meanwhile, the government uses its own catastrophic Diginotar failure as a pretext for yet more government regulation of the online world.
The way the ACTA treaty brutally sweeps all issues of democratic control off the table clearly indicates where the interests of our Atlantic partners lie. SOPA is just the cherry on the icecream to show why we should no longer be dealing with the US-based IT services: Unsuitable.
It might be a better use of our time just to accept that our government is no (longer?) capable of resisting corporate power. Somehow or other a slow-motion palace revolution has occurred where the government wants to increase “efficiency” by relying on lots of MBA-speak and corporate management wisdoms that worked so well for the banking sector. The fact that the government’s primary function thereby evaporates does not seem to bother it. And meanwhile the companies themselves are apparently too busy making profits and fighting each other to worry about civil rights and other archaic concepts from the second half of the 20th century.
So rather than always trying to influence a system that ignores our interests, we can simply take care of ourselves and each other. This conclusion is not pleasant, but it gives clarity to what we have to do.
One good example is the Bits of Freedom weekly workshops on how to install encryption software and its publications that help people get to grips with these tools. The organisation should use its clout to get the slogan of "crypto is cool” on everyone’s lips. The NLnet Foundation should focus its energies on promoting the hip and user-friendly aspects of these pieces of software. Webwereld journalists should be looking for a modern, technical Deepthroat to make anonymous-advanced-OV-chip-card-hacking available to the general public.
Civil rights organizations and hacktivists can play a very different but probably even more effective role. Since 2006 I have ensured my own email privacy by no longer relying on the law, but by using a server outside the EU, SSL connection to it through a VPN tunnel entering the open Internet also outside the EU. And then I encrypt as many emails as possible individually with GPG. I suppose the fact that all those hordes of terrorists (who, our government asserts, are swamping Europe) have no doubt adopted such measures – for less than 20 Euros a month – making all the data retention measures a complete and pointless waste of resources.
What is possible now with email will soon be possible with telephony by using VOIP through international VPNs. This will even happen soon with mobiles (although your location information will remain a problem).
Then add an anonymous public transport card hack, a future version of Bitcoin for money transfers, and all you will need is a freshly installed Linux laptop (with an encrypted hard disk) and Bob’s your uncle. Just resist the temptation to put your whole life on Facebook and auto-tweet your GPS-data from you phone.
Then you can forget about any digital privacy legislation. You do not need government. You empower yourself as a modern citizen – better living through technology. Too bad it had to come to this – that old democracy concept seemed a really nice idea.
Update 2012: At Cryptoparty.org you can find places where citizens are teaching each other how to use privacy enhacing tools. If your locale is not on the list then add it and find people to get going where you live!
Waiting for the big one
<originally a Webwereld column – in Dutch>
Diginotar’s multiple IT failures in the public sector have been swept under the carpet. So far, nothing indicates that there will be any real change to the Dutch government’s overdue IT projects. During the hearing (mp3 – in Dutch) in the Lower House it was apparent that neither the government overseer OPTA or auditor Price Waterhouse Coopers believe themselves at fault, despite the fact that for years as regulators they have rubber stamped the work of Diginotar. The decisions of the PwC auditors were obviously good because "they are executed by responsible professionals". This will be heartening for all those Iranian citizens who are suffering the consequences of this (think of an unpleasant convergence of kneecaps and power tools).
But because of the chaos at Diginotar, we may never know for certain the full horror of those consequences. It is very simple for someone to take over an entire network and manipulate all the logs. The only thing we can really say with any certainty is that so far we have no reason to believe that IT security was any better in the past than the recently discovered FoxIT mess. The PwC audits are obviously not able to detect such a mess and OPTA apparently did not even look. Possibly Diginotar has been totally hacked for many years, and nobody noticed. A really smart spy or cyber criminal does his job and leaves no traces. The many detailed discussions about the exact scale and timeline of the hack have completely ignored this fact. From his grave Socrates is smiling at the idea that we only certainly know what we certainly do not know.
The most important question is surely: "how can we prevent such a critical part of our IT infrastructure from falling into foreign hands?". But this question was apparently not even on the radar of our regulators or MPs. Recent discussions about the USA browsing through our systems without judicial oversight make this question particularly pertinent. But perhaps I am somewhat naive to expect that my government to be both capable and motivated to protect the interests of its citizens.
Teamwork: it spreads the blame
Diginotar is yet another egregious example of a public IT function going terribly wrong at every conceivable level (selection, implementation, monitoring), and yet nobody being held responsible for the consequences. It is important to recognise that we shall probably never know how serious the real consequences were – especially for that unknown number of Iranian citizens. As a direct result, we must also recognise that we need to replace the people who did this “monitoring”and the "methods" they used. To continue to do the same and yet expect different results is one of the definitions of insanity.
Know nothing, do nothing
If a key IT organisation appointed by the government fails, it is down to a lack of crucial expertise in the government. Everything is privatized and the resulting lack of expertise is an unfortunate consequence of a principle of degraded policy-making. Instead of identifying and solving this lack of substantive expertise, it is dismissed as an immutable law of nature. "It just is" that the government has no employees who have relevant expertise to evaluate, manage and oversee IT projects (or evaluate and oversee the hired vendors). Simultaneously, our citizens trust that same government to properly assess the feasibility and implications of increasingly megalomaniacal IT projects – another symptom of institutional madness.
I therefore see the debate about any special protection for hackers as whistleblowers, however well intentioned, as only a symptom. The government needs to “own” the information, at least to have the right to ask questions and to independently evaluate the answers to these questions. Or should we simply give away control of our sea dykes and hope that a few public-spirited people will report the hole in a dyke on their Sunday off?
Nothing can be leaked that could change the way the people in The Hague deal with these problems. Nobody loses their head, even after such a mega-failure as Diginotar: and in comparison the implementation of both the electronic medical records and the public transport Chipcard pales into insignificance, butno doubt these projects also continue despite faillure after faillure.
What is necessary for a real breakthrough? Like I said in a debate about the EMR in 2005: an event that is too terrible to ignore. Because that is always what it takes in the Netherlands to shift our political-administrative system down a different path. It is always susceptible to the pressures of existing commercial interests or the idea of a couple of people losing their jobs. The complexity of Dutch society and the economy might itself bring about that change: something like a national breakdown of hospital systems, or something like an exploding refinery in the Rotterdam area. There are so many vulnerabilites to choose from.
I suspect there is a “sweet spot” in terms of deaths versus effective political impact. Somewhere between the Enschede fireworks disaster (23 dead) and the 1953 flood (1835 dead), so to speak. I share Rop Gongrijp’s analysis that after Diginotar nothing will change (because there were no deaths on TV). We are waiting for the big blow that is strong enough to make real change possible. Only then will there room for other people with more technical expertise, involving a much higher level of technical requirements and transparency of all the inter-related processes such as design, selection and implementation of new systems.
Perhaps a cruel cyber attack with cute little piglets?
Unsuitable
<originally a webwereld column in Dutch>, <also on HuffPo UK>
Over nine years ago, I was talking to Kees Vendrik <Dutch MP) about the broken Dutch software market. Not only was it impossible to buy a top brand laptop without buying a Microsoft Windows licence, it was also impossible to visit many websites (municipalities, Dutch railways and many others) without using Internet Explorer. The latter area has greatly improved and I can lead my life using my OS and browser of choice. Only occasionally do I have to just swallow a Windows licence when buying a new laptop. Not much has improved in that area. Our national dependence on products such as MS Office has not really diminished either, despite all the wishes of our Parliament and its related governments policies.
Meanwhile, the technological seismic shift that frightened Bill Gates so much back in ’95 (the web makes the operating system irrelevant) is fast becoming reality. Almost all new developments discussed by IT power players and specialists are web-based or based on open specifications and the most commonly used applications are running quite well as service in a browser.
So while the 15-20 year old problem of software dependency is not yet solved (our government, with its tens of thousands of IT workers, is still unable to wean itself off the familiar Microsoft technology stack) its impact is becoming less relevant. Meanwhile, new dependencies based on cloud providers are promising to be even more detrimental.
While excessive use of proprietary software creates the risk of foreign manipulation and potential attacks on critical infrastructure (eg Stuxnet). But at least if your systems are attacked in this way, there are some ways to track this. If you are working on the computer that does not belong to you, that is based in a foreign country and is managed in ways you cannot know, it will be very difficult to have any control over what happens to your data.
The old assumption, that using local servers could be part of the solution, seems unfortunately to be an illusion. All cloud services offered by companies based in the US are subject to US legislation, even if the servers are physically in another country. And US law is now somewhat, shall we say, problematic. With no evidence, but with an allegation of involvement in "terrorism", systems can be closed down or taken over – without any warning, or the possibility of adversarial judicial review. The term ‘terrorism’ has been stretched so far in that anyone who allegedly breaks US law, even if they’re not a US citizen and even if they’re not in the US can still a deemed "terrorist", just on the word of one of the many three-letter services (FBI, CIA, NSA, DIA, DHS, TSA, etc.). The EU is not happy about this but does not want to go so far as reccomending its citizens and other governments to no longer use such services.
The long arm of the US Patriot Act goes even further than merely the servers of US companies on European soil. Thus domains can be "seized" and labelled: "this site was involved in handling child pornography". Try explaining that as a business or non-profit organisation to your clients and (business)partners. Just using one .com, .org or .net extension as your domain name now makes you liable under US law. All Europeans can now be seized from their homes for breaking US law. So a .com domain name makes your server effectively US territory.
We were already aware that proprietary platforms like Windows and Google Docs were not suitable systems for important things such as running public or critical infrastructure. However, now it turns out, that every service delivered through a .com / .org / .net domain places you under de facto foreign control.
Solution? As much as possible, change to open source software on local servers. Fortunately there quite a few competent hosting companies and businesses in the Netherlands and Europe. Use local country domains like .nl/.de./.fr or, if you really want to be bullet proof, take a .ch domain. These are managed by a Swiss foundation and these people take their independence seriously. Wikileaks today is running on wikileaks.ch after its domains such as .org got a one-way ticket to Guantanamo Bay.
If you still want to use Google Docs, Facebook, Evernote, Mind Meister, Ning.com, Hotmail or Office 365 – please do so with the awareness that you no longer have any expectation of privacy or any other form of civil rights. Good for the administration of the tennis club but completely unsuitable for anything that really matters.
Gran knows why
My grandmother was born in 1920 and left school at the age of 12 to work in her father’s shop. She has never used a computer (but has tried an iPod for audio books). She is now 90 and is still interested in what I do.
Usually I just quickly skip over the technical aspects, because it’s difficult for her to understand. The “why” is much more relevant. Privacy, civil rights and the control of your own details/information. She understands this easily, without having to follow all the technical details of open source codes and cryptography.
Last Sunday, Bits of Freedom in Amsterdam organized a lecture and discussion with Prof. Eben Moglen, a former programmer who is now a law professor and advocate for the use of free software. Part of his lecture was about the risks of cloud computing (see a previous lecture in New York on the same theme).
Besides his new plans for a technical project (the Freedom Box) , Moglen spoke mainly about the principles of digital freedom. Explaining this concept in The Netherlands remains difficult.
A video that Bits of Freedom tweeted about shows this problem. It’s a short list of recent privacy breaches but does not explain why these are problematic. For many viewers there is still a pervasive feeling of "so what?”.
In The Netherlands, the problem explaining this issue is that we have no recent experience of a government that has seriously gone off the rails (unlike Spain and Eastern Europe). The use of a good recent example can be seen in an employee of the German T-Mobile explaining why the British government’s Stasi-style tapping of all mobile phone traffic might not be a good idea. Churchill must be turning in his grave.
As we have only experienced two real disasters in The Netherlands in the last 100 years (the German occupation and the 1953 flood), we as a people fall back on WW2 to explain the importance of civil rights. And then the Godwin-accusations fly. For the post-baby boom generations the war is a (his)story that we read about, but which is not quite real. And the possibility that such a thing could happen again is inconceivable, and therefore unmentionable.
My grandmother has no such problem because she lived through it. A real war – where the previous government was suddenly replaced by a new administration that energetically started using data collected in previous decades, and which found the accurate ethnic records extremely useful: an administration which could put your neighbours on a train to Westerbork concetrationcamp, and would shoot you for owning a radio.
Eben Moglen suggested that we all ask our grandparents why privacy and other civil rights are important. People who have lived through an oppressive state are largely immune to Godwin’s rules. They can speak out from a personal, rather than an abstract, historical perspective. My grandmother is not well enough to speak out, but hopefully there are some grandparents out there who can explain to the younger, Facebooking and tweeting generation in The Netherlands the vital importance of privacy and other civil liberties.
When I’m done explaining things Gran always grabs my hand and whispers "just you be careful!". Because you never know what could happen when you are critisizing governments. She knows this, so take a bit of time to listen to your gran.
Dedicated to my grandmother, Tet de Boer – Olij,
Kollum 1920 – Leidschendam 2010
Article in Surgeon’s journal
The Dutch Journal for Surgeons, publishes an article written by my collegue Younass and myself. We wrote this article to further explain some of the points we made during our keynote at the natinal Convention of Surgeons last month. The entire article here in English and Dutch, the PDF of the journal here. Background links and articles here (mostly Dutch).
Get a famous fingerprint
The German Chaos Computer Club, the oldest and largest hacker group of Europe, made available to the public the fingerprint of the German Minister Schäuble for the Interior. They wanted to show how easy it is to obtain someone’s identity when identity is based on fingerprints.
The German government is preparing to build a national database containing the fingerprints of all its citizens for the purposes of fraud-prevention and national security. Minister Schäuble is very angry about the release of his fingerprints and has stated he will take legal measures against the CCC. Dutch hacker Rop Gongrijp pointed out that the Minister’s anger was curious since it was the minister after all who wanted to collect the fingerprints of over 82 million Germans and the CCC only collected one.
The CCC has been demonstrating for several years how easy it is to ‘steal’ someone’s fingerprint and use is to fool all kinds of security measures such as payment systems, physical access controls and computer security systems. As with the doomed RFID cards these demonstrations need to be very ‘in your face’ before media and governments take notice. Worldwide there are over 200 million devices in use of the 20 different types that were fooled by the CCC experts. As with the 100 million RFID cards they are all essentially worthless as serious methods for securing transactions or granting access.
It is curious how we as citizens are constantly required to trust governments to handle our most private data when these governments often are not that trustworthy themselves and also not very technically competent in guarding our information. Passports are easy to fake, RFID cards are easy to copy, fingerprint readers can be fooled. Before we base our entire lives on these technologies we’d better make sure they actually provide a minimum level of security. For now I’m sticking to encrypted mail and strong passwords.
German TV broadcast an item about the possibility of stealing a fingerprint and using it to go shopping at someone else’s expense at a large German supermarket chain.
Since the TV piece did not include the entire method for making your own fingerprints I include it here. As with the RFID cards, these vulnerabilities have been known for several years, it’s just that some companies and governments are a bit slow in picking up on them. If you want to go shopping as Minister Schäuble, just click on the picture at the top and follow the procedure from the movie.
A friend and IT security expert pointed out that since anyone can now pretend to be Minister Schäuble, that pretty much makes his fingerprint useless as evidence in court. Maybe we should all publish our fingerprints (and retina scans and DNA profiles) to gain plausible deniability on future accusations of anything …