Jillian C. York

Jillian C. York is a writer and activist.

Month: December 2011 (page 2 of 5)

To Regulate (Or Preferably Not): On Mueller’s claim of misdirected resistance to surveillance technology

A pair of blog posts this week from Milton Mueller have sparked multiple conversations filling my inbox (as well as an unprecedented amount of passive aggression, of which I do not approve, but the sheer number of people practicing it makes me reticent to name names). The posts take on the emerging cottage industry of opposition to the export of surveillance tech, largely produced by companies in Western countries and exported to some of the world’s worst human rights abusers. Now, I don’t mean to use the term “cottage industry” derogatorily, but the flurry of sudden interest around the issue is intriguing and spurred, it seems, in large part, by a series of stranger-than-fiction reports from Bloomberg and the Wall Street Journal this year documenting various cases.

Before I take on the task of rebutting some of the arguments in Mueller’s posts–which, by the way, I agree with in large part–I should note my own biases, for the sake of discussion. First, I have been amongst the throngs shouting opposition to the surveillance-industrial-complex. I have been doing it for about three years, while all the while not taking a particularly strong position toward any of the proposed solutions. Second, I largely oppose regulation of this industry by the United States government. This is for several reasons, but in a nutshell: I don’t trust them. If you require more detail, read this piece I wrote about it. Third, I think a lot of the current discussion/advocacy about this topic is unfocused and chaotic, which is a failure on our part. Though I have–along with other folks at some of the top human and digital rights organizations–coordinated a series of calls on the matter, it is admittedly a messy and complicated subject, and we don’t all agree on the solutions, which lends chaos to an already-chaotic situation.

Now, Mueller’s posts. The first, published on December 20 and entitled “Technology as symbol: Is resistance to surveillance technology being misdirected?“, starts strong with the premise that the movement against the sale of surveillance tech to repressive regimes–which Mueller applauds for both its publicizing of the issue and its awareness-raising of similar issues in democratic countries–has oversimplified the fight against the regimes using such technology, replacing the target (authoritarian regimes) with another, easier target (makers of the aforementioned technology).

As Mueller rightly points out, “It seems obvious, but gets lost in the shuffle: the problem lies in the users and uses of the technology, not in the equipment or software itself.” He continues, remarking that “this is not, at root, a problem of governments having or not having a specific device or piece of software. It is an institutional problem – one of balancing and routinizing social processes in ways that effectively limit, regulate and distribute political power and hold those who exercise it accountable.”

There is nothing disagreeable in either point, and it can certainly be said that some of the actors advocating for regulation in this space have focused heavily on certain regimes (Syria, Egypt, Libya) whilst turning a half-blind eye to the uses of surveillance technology in the United States, the UK, and other nations with the rule of law. Nonetheless, I would argue that the organizations leading the charge on this issue have been fairly even-handed, attacking restrictions on free expression in democratic and authoritarian countries alike.

Mueller then derides the call for regulation of surveillance technology, stating: “The problem with this approach is that information technology, unlike bombs or tanks, is fundamentally multi-purpose in nature.” On this point, I once again must agree. EFF has consistently chosen not to advocate for regulation of sales (by governments) for the same reason, opting instead to push for regulation at the corporate level and issuing a set of recommendations for companies wishing to do so.

Mueller also points out, as I have before:

Thus, there is little appreciation of the extent to which export controls and other restrictions might retard the overall diffusion and development of information and communication technology, cut off access to good people and good uses as well as bad ones, or restrict our own freedom to use the technology as and how we see fit.

Since I agree with Mueller on this, it’s worthwhile to put forth some of the counter-arguments. Essentially, those who argue for regulations tend to favor a licensing-style of such, in which companies must apply for licenses before being allowed to export their wares to a foreign government (or, in some variations, a foreign government on a particular list of “Internet-restricting countries”). This echoes the current sanctions placed on Cuba, Syria, Sudan, North Korea, and Iran to various degrees. Being well-versed in the regulations on Syria, what this means is that a company–such as Google–must apply for a license before it can release a product (either for sale or for download) in the country. Companies that fail to apply for a license but still make their product available can face severe penalties; violating the Commerce Department’s export controls on Syria, for example, can result in 20 years imprisonment and/or a $1 million fine. This, of course, has a chilling effect for Syrians, as many companies with limited resources find it not worthwhile to apply for the license and restrict their products from the country. Incidentally, EFF has also called for revision of export controls.

In the latter variation, as I mentioned, regulation would be restricted to “Internet-restricting countries,” a punishment for countries that block websites from their citizens’ view. This type of regulation has been presented before, multiple times, as the Global Online Freedom Act (for a timeless criticism of an earlier version of the bill, see Rebecca MacKinnon). The problems with such an approach should be, but somehow aren’t, obvious. First, a question: who creates the list of “good” and “bad” countries? Bahrain, a close ally of the United States, pervasively censors the Internet…would it make it on the “bad” list and would sanctions be levied thus? And even if the list were fair and just, what happens when such technology gets regulated? Do citizens of the “bad” countries suffer like Syrians have for years due to labyrinthine bureaucracy and poorly-worded export regs?

The primary concern about regulations should be, however, that they will do extremely little to curb the sale of surveillance tech. What happens when Cisco refuses to sell to Iran? Huawei steps in. And don’t forget all of those companies that have surreptitiously been selling to embargoed countries all along, such as American company BlueCoat to Syria and Israeli company Allot to Iran.

This is the point at which Mueller’s first post starts to annoy me. After his righteous concerns about export regulation are expressed, he goes on to throw up a giant straw man, advising advocates to “Stop focusing narrowly on information technology, and examine the tools of repression and aggression more generically,” and raising examples such as US arms sales to Saudi Arabia and Egypt.

Okay, so perhaps this is not exactly a straw man, but if–as Mueller seems to imply in his second post–his arguments are directed at activists and human rights organizations, rather than say, politicians and journalists, then this is simply unfair. The individual activists taking on this issue–many of whom, I’ve observed, live in the countries where such spyware is being sold–are surely not putting the technology before the arms. And as for the organizations, they’re either semi-single-issue (why would EFF talk about gun sales?) or have been holistically focused, tackling the gamut of human rights abuses, from surveillance to military repression. (I would also add here that current export restrictions on the aforementioned five countries include arms and airplane parts).

The second major argument in the first post is presented next. Mueller criticizes some of the advocacy around the sale of certain products, asking: “If you can blame a video surveillance camera for its misuse by repugnant governments, and argue for blocking the movement of those goods, what about integrated circuits, copper wires and lenses that go into them? What about the plastic housings? What about the shipping services that transported the material there?”

Now, if Mueller’s target here is those calling for regulation, I’m with him all the way. But if we’re talking about targeting companies, if we’re working on naming-and-shaming, then I do believe in a strategy of going after companies for their sale of complete products to governments, when the company has credible concern that the product will be used to commit human rights abuses. The vast majority of highly-publicized cases this year have involved the sale of complete systems to decidedly human-rights-abusing regimes like Libya, China, and Syria. I do see a moral obligation in calling out Cisco for its complicity in the Communist Party’s harassment of bloggers. I do see a moral obligation in calling out BlueCoat for its “oh noes, the embargoes!” response to the news that its products were sold to the Syrian regime (in the end, it turned out that BlueCoat was tracking the devices and was aware of their location, even if the sale was not intentional).

But alas, Mueller was talking about the would-be regulators, and therefore I agree:

If you really want to punish, isolate and sanitize your relationship to a repressive government, you cannot limit the sanctions to specific forms of ICT. There must be a comprehensive system of sanctions that prevents anyone in that country from doing any kind of business with the country involved. Even then, the regime may not change; think of North Korea. Even then, there will be leaks or route-arounds.

But then he concludes:

But activists concerned with real social change must think through this problem more deeply, and come up with strategies that strike more directly at the pillars of authoritarianism, censorship and arbitrary power, rather than lashing out at easy domestic targets.

This is why I accused him (a point he’ll refute in post 2) of taking cheap shots at activists. The assumption here is that those involved aren’t thinking about this problem more deeply, aren’t fighting these regimes from multiple angles. And as I wrote in my accusation, if Mueller’s target here is the journalists and the politicians whose shallow thinking culminates in the conclusion that Cisco is the the real enemy, then I digress. But if it’s the activists (again, many of whom are Egyptian, and Syrian, and Chinese), then I say “meh.”

Since Mueller’s second post starts with a refutation of something I said, I feel obliged to point something out. When Evgeny Morozov’s excellent Net Delusion was released this year, it was dismissed by some who felt that the use of the term “delusion” didn’t apply: after all, hadn’t Egyptians just toppled a dictator with the help of social media? I loved Morozov’s book, and so a point that irritated me throughout readings of both critiques of the book and reads through the man’s own columns was the idea that the main target of his arguments against “cyberutopians” were a very narrow subset of the population: namely, those working in the State Department, or even more specifically, Jared Cohen sycophants.

Mueller’s posts thus strike me the same way: Just as he claims his first post “hit a nerve” with advocates (presumably meaning me, since my comment is in the next line), he then goes on once again to target not the advocates but the journalists. And that’s the thing: Mueller’s arguments are largely ones that I agree with (read: no nerves were hit), but the presumed target is off: his real beef seems to be with the journalists who have kept this story going all year. And in a sense, I get it: after all, we digital rights advocates feed off the news reports, and no doubt we wouldn’t have been so loud on the topic were it not for their reporting. If anything, that’s a call for a more tempered approach (which is part of, I assume, Mueller’s point).

In any case, I have no real problems with the second post. Like Mueller, EFF recognized that the reporting on Israeli company Allot’s sale of their NetEnforcer product to an Iranian ISP was a bit overblown. In fact, the story should have served an even better lesson: Sanctions don’t work. But alas, it did not, for most.

Ultimately, as Mueller reiterates near the end of post #2, the problem with the movement (again, lead in large part by journalists, not advocates), is the transfer of target from regime to corporation:

Western corporations and their shareholders do have a moral obligation to refrain from actively pursuing business opportunities with dictatorships when those opportunities involve supplying products and services specifically designed to aid their crimes and repression. But very few technologies are constructed so as to be only usable for crime and repression.

Post-Script: I wrote this a bit stream-of-consciousness, so if in any way I appear to contradict myself, feel free to point out in the comments. Second, I would note that while I see very different targets in journalists vs. advocates, Mueller does not appear to at numerous points, including journalists in “the movement.” In a sense (as I hinted at above), this is fair, for journalists inform advocates on these topics. In another sense, it feels odd to include the supposedly neutral (though I obviously don’t believe that rubbish) journalist in the makeup of a movement such as this one. But again, therein lies the problem, Mueller might posit: the journalists are establishing a certain policy narrative.

I welcome your comments, discussion, debate, etc, below. Just don’t be an asshole and subtweet me. You know who you are.

A Letter to My Dad

This, my 30th Christmas, is the first without you. You always managed to find me somewhere, and I’ll never forget–beyond the many spent in Dover and Portsmouth, driving around or strolling in Prescott Park–the Christmases in New York, Boston, Amsterdam, and Marrakesh. I had hoped to spend my 31st Christmas with you in California, but instead I’m spending it thinking about you.

As you know, Christmas has always been my favorite day of the year, and perhaps you don’t know, but that’s because of you. How I loved watching your face…even more so than Mom’s…like me, she loves Christmas for the sake of watching other people’s excitement, but you, you loved opening presents from me just as much as Mom and I loved watching you.

Christmas in Haarlem, Netherlands (2006)

My obsession with sushi is because of Christmas with you. Don’t forget how, the first year we went to Taipei & Tokyo for Christmas (was I 16? Did I drive, too?) how you challenged me to a wasabi-eating contest, whereupon I discovered that wasabi-eating contests would be a great party trick for me for years to come. And my insistence this year on eating Christmas sushi with Anas here in San Francisco is also because of you. Even when you were in the hospital, you made me sneak sushi in to replace the heinous meals they were feeding you.

I’ve been doing okay, Dad. I work, and that gets me through it, because you know how much I love what I do. And I’ve got amazing friends. Some of them planted olive trees for you in Palestine, you know. I know that doesn’t mean as much to you as it does to me, but I know you respected my views anyway. Some have written beautiful things about you, things I’d forgotten: one of my old classmates remembered how you’d come to pick me up from jazz band, the only “cool” dad in a leather jacket and beard. Another remembered how you were always jovial. I know I’ve seen every side of you (a week together in a two-seat pickup truck will do that to you), but the only side I think about is that one. I think about your laughter at being called “Ali Baba” by nearly every Moroccan shopkeeper in Marrakesh; the tricks you played on me, like pretending to have Tourette’s in the line at Subway in the hopes of embarrassing me (you underestimated my ability to play along);and our ridiculous 5am (okay, 7am, but I know you waited two hours for me to get up) summer yard sale Saturdays filled with laughter and mocking other people together. You know, even though I bought that new bike, I still hold on to the one I watched you pack into the back of your Miata, cracking up the entire time as I snapped photo after photo.

My dad's version of a clown car

I’m getting through each day, but Christmas, Dad, is the hardest time of all. Perhaps partly because I’m in a new city, a warm(ish) city, without snow, but mostly because I didn’t spend December seeking out the perfect gift for you. I didn’t spend hours trolling online shops and I didn’t sneak out on Christmas Eve for that one last thing. And I knew that the end game this year didn’t include you and mom. We did that on purpose, Dad, I think it was easier for both of us to just do something different. Together, without you, it would have been too much.

But as I pack up the Christmas tree (fake–I know, I know) next week, so will a small bit of the weight be lifted off my chest. Because I will have survived my first Christmas without you.

Our Circumvention Research DOES NOT Support SOPA

Daniel Castro of The Information Technology & Innovation Fund recently published a paper supporting the Stop Online Privacy Act (SOPA) currently being debated in congress. In that report, he claims that research performed by us supports the domain name system (DNS) filtering mechanisms mandated by SOPA. This claim is a distortion of our work. We disagree with the use of our study to make the point that DNS-based Internet filtering works and that we should therefore use it as a means of stopping websites from distributing copyrighted content. The data we collected answer a completely different set of questions in a completely different context.

Among other provisions that seek to control the sharing of copyrighted material on the Internet, SOPA, if enacted, would call upon the U.S. government to require that Internet service providers remove from their DNS servers the names of any sites that either infringe copyright directly or merely “facilitate” copyright infringement. So, for example, the government could require that ISPs remove the name “twitter.com” from their DNS servers if twitter.com was not being sufficiently aggressive in preventing its users from tweeting information about places to download copyrighted materials. This practice is known as DNS filtering. DNS filtering is one of the most common modes of Internet-based censorship. As we and our collaborators in the OpenNet Initiative have shown over the past decade, practices of this sort are used extensively in autocratic countries, including China and Iran, to prevent access to a range of sites offensive to the governments of those countries.

Opponents of SOPA have argued that the DNS filtering, even though it will have a number of harmful effects on the technical and political structure of the Internet, will not be effective in preventing users from accessing the blocked sites. Mr. Castro cites our research as evidence that SOPA’s mandate to filter DNS will be effective. He quotes our finding that at most 3% of users in certain countries that substantially filter the Internet use circumvention tools and asserts that “presumably the desire for access to essential political, historical, and cultural information is at least equal to, if not significantly stronger than, the desire to watch a movie without paying for it. Yet only a small fraction of Internet users employ circumvention tools to access blocked information, in part because many users simply lack the skills or desire to find, learn and use these tools.”

In our report, we looked at three sets of censorship circumvention tools: complex, client-based tools like Tor; paid VPNs; and web proxies. We estimated usage of those three classes of tools. We used reports from the client tool developers, a survey to gather usage data from VPN operators and used data from Google Analytics to estimate usage of web proxy tools. Counting all three classes of tools, we estimated as many as 19 million users a month of circumvention tools. Given the large number of users in China, Iran, Saudi Arabia and other states where filtering is endemic, this represents a fairly small percentage of Internet users in those countries; 19 million people represents about 3% of the users in countries where Internet filtering is pervasive. We actually believe that 3% figure is high, as some of the tools we study are used by users in open societies to evade corporate or university firewalls, not just to evade government censorship.

We stand behind the findings in our study (with reservations that we detail in the paper), but we disagree with the way that Mr. Castro applies our findings to the SOPA debate. His presumption that people will work as hard or harder to access political content than they do to access entertainment content deeply misunderstands how and why most people use the Internet. Far more users in open societies use the Internet for entertainment than for political purposes; it is unreasonable to assume different behaviors in closed societies. Our research offers the depressing conclusion that comparatively few users are seeking blocked political information and suggests that the governments most successful in blocking political content ensure that entertainment and social media content is widely available online precisely because users get much more upset about blocking the ability watch movies than they do about blocking specific pieces of political content.

Rather than comparing usage of circumvention tools in closed societies to predict the activities of a given userbase, Mr. Castro would do better to consider the massive userbase of tools like bit torrent clients, which would make for a far cleaner analogy to the problem at hand. Likewise, the long line of very popular peer-to-peer sharing tools that have been incrementally designed to circumvent the technical and political measures used to prevent sharing copyrighted materials are a stronger analogy than our study of users in authoritarian regimes seeking to access political content.

Second, our research has consistently shown that those who really wish to evade Internet filters can do so with relatively little effort. The problem is that these activities can be very dangerous in certain regimes. Even though our research shows that relatively few people in autocratic countries use circumvention tools, this does not mean that circumvention tools are not crucial to the dissident communities in those countries. 19 million people is not large in relation to the population of the Internet, but it is still a lot of people absolutely who have freer access to the Internet through the tools. We personally know many people in autocratic countries for whom these tools provide a crucial (though not perfect) layer of security for their activist work. Those people would be at much greater risk than they already are without access to the tools, but in addition to mandating DNS filtering, SOPA would make many circumvention tools illegal. The single biggest funder of circumvention tools has been and remains the U.S. government, precisely because of the role the tools play in online activism. It would be highly counter-productive for the U.S. government to both fund and outlaw the same set of tools.

Finally, our decade-long study of Internet filtering and circumvention has documented the many problems associated with Internet filtering, not its overall effectiveness. DNS filtering is by necessity either overbroad or underbroad; it either blocks too much or too little. Content on the Internet changes its place and nature rapidly, and DNS filtering is ineffective when it comes to keeping up with it. Worse, especially from a First Amendment perspective, DNS filtering ends up blocking access to enormous amounts of perfectly lawful information. We strongly resist the claim that our research, and that of our collaborators, makes the case in favor of DNS-based Internet filtering.

Links:

Mr. Castro¹s report may be found here:

http://www.itif.org/publications/pipasopa-responding-critics-and-finding-path-forward

with the reference to our work on p. 8.

The study that is being misused by Mr. Castro is here:

http://cyber.law.harvard.edu/publications/2010/Circumvention_Tool_Usage

The findings of our decade-long studies are documented in three books,
published MIT Press and available freely online in their entirety at:

http://access.opennet.net/

– John Palfrey, Jillian York, Rob Faris, Ethan Zuckerman, and Hal Roberts

Older posts Newer posts

© 2017 Jillian C. York

Theme by Anders NorenUp ↑