A (Renewed) Case for Encryption

I kind o' hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually gettin' back into usin' encryption, and perhaps even tryin' t' solve th' problem o' gettin' more people t' actually use it.

One o' th' big problems with encryption – fer example, email encryption usin' public key cryptography (PGP or GnuPG) – has been just gettin' enough people t' start usin' it. With th' way public key encryption works, ye need t' use encryption, AND th' person ye’re sendin' it t' needs t' use encryption, too.

In addition, there’s also th' further complication o' signin' one another’s keys and assignin' trust levels and so on… it’s just a bit too complicated and technical fer yer average user.

However, it doesn’t have t' be complicated, and given what we’ve learned recently, it seems t' me it really shouldn’t be - and that it is in all o' our best interests t' make it be as simple and easy as possible.

People have been harpin' on about th' importance o' encryption fer ages, but widespread adoption has mostly been limited t' SSL (fer webmail & other web apps & services). This sort o' encryption prevents a 3rd party from interceptin' yer communication with Google or Microsoft or Facebook or yer bank or whatever, but none o' that matters if yer data is just goin' t' be handed o'er t' th' government by th' company on th' other end anyway!

SSL encrypts yer connection and yer data durin' transmission, but th' actual contents o' yer data are unencrypted at either end, and vulnerable t' interception. It’s a good first step, but it isn’t enough – not anymore.

On th' other hand, actually encryptin' th' contents o' yer communications – th' email, th' files, etc. – means that even if they are stored on a server (as yer email is, fer example), they are still encrypted – and most importantly, th' server doesn’t have th' decryption key – only th' recipient does.

What this would mean in practice is that it would prevent th' wholesale collection o' data. If th' government wanted th' contents o' someone’s communications, they would need t' go after that individual; they wouldn’t be able t' just pull it out o' a big database.

Since goin' after an individual takes effort and requires a subpoena or at least a court order o' some sort, there’s protection built-in. Plus, now th' government’s attempts t' access yer data would be limited in scope t' one person at a time, and they can’t be done in secret – or, at least, they’d be less secretive.

The government may still collect other data about ye, o' course – encryption is not a cure-all. It may still collect “metadata” about ye – times and dates and such – but at least th' content o' yer data remains secure until specifically subpoenaed.

As a side note, th' NSA has repeatedly said that this is what it does anyway, as part o' an attempt t' justify why we shouldn’t be worried about this – but because everythin' th' NSA does is secret, we have no way t' be sure that this is actually th' case. All we have t' go on is th' NSA sayin' “trust us, we won’t read yer email without a court order (that ye aren’t allowed t' see).” Doesn’t exactly inspire a lot o' trust, now does it? Especially given th' track record we’re dealin' with.

Perhaps if our government had a long & strong history o' bein' trustworthy, o' bein' transparent with its behavior, o' standin' up fer individual rights and privacy, and severely limitin' th' collection and access o' people’s data t' only what is explicitly needed fer specific cases and actions, this whole wholesale surveillance thin' wouldn’t be such an issue.

But sadly, this is not th' case – our government has shown, again and again, that it cannot be trusted in this regard, and that when given th' opportunity, it will make a grab fer as much power as it possibly can get.

Given th' recent revelations on exactly how much power (and, by extension, data) our government has grabbed as o' late, makin' actual content encryption available, widespread, and easy t' use seems like an absolute no-brainer.

Icons courtesy o' th' Crystal Icon Set.

10 Years of WordPress

Wow, has it really been 10 years?

Aye, it has – officially 10 years ago, on May 27th, 2003, WordPress were bein' released.

As part o' th' WordPress 10th Anniversary Bloggin' Project, I figured I’d share some o' me memories o' usin' WordPress o'er th' years.

Back in 2003, when WordPress were bein' first released:

  • I were bein' still usin' Windows 2000 on me home computer (I did use XP at work – cuttin' edge at th' time!)
  • We were only on th' 2nd Matrix movie, “The Matrix Reloaded”
  • I were bein' still usin' th' “Mozilla Suite,” th' descendent o' “Netscape Communicator.” (It wasn’t until next year that it were bein' split into Firefox & Thunderbird)
  • We had just lost th' Space Shuttle Columbia a few months prior
  • The iPod were bein' only on its 3rd iteration, and th' iPhone were bein' still a distant dream
  • Slim flip-phone cell phones were all th' rage
  • The Concorde made its last commercial flight

I didn’t start usin' WordPress meself until a little bit after its release – until aroun' December 1st, 2005, in fact.

When I started usin' WordPress in 2005:

  • We were just startin' t' lament that schools were switchin' t' usin' Java (th' horror!) t' teach programmin'
  • I still had a CRT TV in me livin' room (and on me computer – though I had just gotten an LCD display at work, and I’d soon get one at home as well)
  • Digital Rights Management came into th' spotlight with th' discovery o' Sony’s rootkit that silently installed when ye inserted a music (!!) CD in yer computer.
  • This were bein' th' year I took down me auld hand-coded personal site (which were bein' auld, dated, and not really very good) in favor o' this blog.
  • And, o' course, 2005 is th' year I unexpectedly found meself livin' with me two wonderful rabbits

In all that time, I’ve switched WordPress themes more times than I can count – and upgraded and installed numerous useful (and sometimes silly) plugins.

Still, it’s amazin' t' see how far WordPress has come! It’s been a great 10 years, and I’m lookin' forward t' 10 more!

Happy 10th birthday, WordPress!

Still Blogging

There’s a reason I don’t use services like Tumblr (or LiveJournal, or Blogger, or any o' a dozen other similar “free” services) and instead still post thin's here on me own blog – and that is: I own this blog, but I don’t own Tumblr*.

Now, this may not – scratch that, this will not apply t' everyone, but fer me, me words are me “product,” so t' speak. They are th' thin' I spend time creatin', and they are important t' me – important enough that I would not want them t' be lost.

Whenever I’m tryin' t' decide whether t' use some new web-based service (at least, th' “free” ones), I ask meself, “if this service disappeared tomorrow, would it be a huge loss fer me?” If th' answer is “yes,” then I either won’t use th' service, or I will only post low-importance thin's there (or I’ll duplicate th' content elsewhere).

Naturally, there are some “free” services that I trust sufficiently t' get o'er th' “what if it disappeared” hurdle – thin's like Gmail, t' name one example. (Though that doesn’t stop me from keepin' a local, cached backup copy, just in case!)

Anyway, these are just some o' me thoughts – and o' course everyone else’s criteria will differ from mine. But it’s worth thinkin' about before ye commit t' creatin' a lot o' content with whatever th' next “cool” new web service is!

* This goes fer any paid service, really. If I pay fer it, I generally expect not t' be left in th' cold. With a free service, ye can’t really expect anythin'.

Unsubscribe me NOW, Damnit!

If there’s one thin' that really annoys me, it’s crappy methods o' unsubscribin' from email newsletters and th' like. You’ve probably seen it before – ye get some email from a company ye’ve bought somethin' from in th' past, or maybe a website’s newsletter that ye signed up fer. It’s not spam, but ye decide that ye don’t really want these sorts o' emails anymore, so ye click th' “Unsubscribe” link down at th' bottom.

And then ye’re greeted with somethin' like this (emphasis mine):

Thanks fer unsubscribin'.
It may take up t' 10 days t' process yer request.

Ten days? TEN DAYS?!? Seriously?

While th' exact number o' days may vary, th' point is that ye aren’t unsubscribed yet, even though ye clicked th' link t' unsubscribe.

What’s worse is that sometimes th' company or website will send ye another email durin' that processin' period!

Personally, whenever I see somethin' like this it tends t' send me into a sort o' rage, where I vow ne'er t' do business with this company/organization/website e'er again. Because really, sayin' that it’s goin' t' take days (however many it may be) t' do what should be instantaneous is just a giant middle finger t' whomever is on th' receivin' end o' th' original email.

I could understand delays in processin' an unsubscribe request back in th' dark ages o' th' Internet – maybe even as recently as 5 years ago – when email mailin' lists were cultivated manually, but honestly in this day and age there is absolutely no excuse fer not automatically honorin' an unsubscribe request immediately after a link is clicked.

I have t' imagine that all o' these “unsubscribe processin' delay” messages come from auld or home-grown email systems, because all th' modern email marketin' systems I know o' will honor unsubscribe requests immediately.

When someone clicks an “unsubscribe” link (and I’m talkin' about a true “unsubscribe me from everythin'” link, not just a “stop receivin' offers” or “stop sendin' me th' monthly newsletter” type links), that person’s email address should be immediately marked as “DO NOT CONTACT” and no more bulk-type emails should e'er be sent t' that person’s address until they do somethin' t' opt-in t' receivin' them again.

In other words, when I click th' “unsubscribe” link in yer email, I expect ye t' unsubscribe me NOW, not 3 or 5 or 10 days later. Immediate unsubscribin' may not be legally required (e.g., by th' CAN SPAM Act), but I’d like t' think it is morally required – it’s just common courtesy.


Why SOPA Must Die

[It's taken me a while t' get me thoughts in order regardin' this issue, especially since so many others have already spoken about it more eloquently than I e'er could. But this is such an important topic, and it has been weighin' on me mind so heavily as o' late, that I just couldn't wait any longer - I had t' put me thoughts down in words.]

SOPA (th' Stop Online Piracy Act; H.R. 3261) is a bill before th' United States House o' Representatives. In brief, it allows both th' Department o' Justice and copyright holders t' request court orders against websites that are allegedly distributin' copyrighted material without permission, or are just enablin' others t' do so. These court orders can require payment processors (e.g., PayPal, Visa, MasterCard, etc.) t' freeze accounts, force search engines t' de-list th' accused website, and require ISPs t' block th' site’s DNS records.

(Strangely enough, th' act also contains some other similar provisions fer websites sellin' discount prescription drugs and surplus military hardware, o' all thin's.)

The freezin' o' accounts is bad enough, but th' blockin' o' DNS records is perhaps th' most frightenin' aspect o' this bill, as this amounts t' no less than outright censorship o' th' Internet, similar t' that seen in places like China and Iran.

I have a number o' concerns with this bill, but I will just stick t' th' top few, th' ones I think are th' most egregious.

Lack o' Due Process

Perhaps th' most offensive aspect o' this bill is its removal o' th' protection o' due process fer th' accused. The 5th Amendment t' th' U.S. Constitution guarantees th' right t' due process, but this bill almost completely denies that right t' those accused under its terms.

The right t' due process is one o' those really important rights fer any free society – right up there with freedom o' speech, freedom o' religion, and th' right t' a trial by jury.

SOPA circumvents due process by makin' it so that th' government (on th' say-so o' a copyright holder) has th' right t' take away somethin' o' yours (yer website, and/or yer money) without givin' ye a chance t' challenge this. The takedown actions authorized under SOPA are effective immediately, and there is little t' no burden o' proof on those askin' fer th' takedown, and even less chance o' retribution on those askin' fer th' takedown should their claims later be proven false.

Immediate action can be understandable in some circumstances (child kidnappin', serial killers, etc.), but fer somethin' as mundane as copyright infringement, it seems a bit excessive.

Which brin's me t' me next point…

Excessively Broad

The text o' SOPA is purposefully very, very, very broadly written. This, I think, stems from a desire t' sort o' “cover yer bases,” by tryin' t' be as broad as possible so there are no loopholes.

Unfortunately, in this case th' broad language simply serves t' make this bill applicable t' almost everythin', in th' same way that a law that said “any type o' death threat, no matter what, counts as attempted murder” is applicable t' almost anythin'. If our actual criminal statutes were worded this broadly, every single one o' us would be in jail by now, because there is not a one o' us who hasn’t at some point in our lives done somethin' that could be construed as a death threat – from angry words durin' an argument t' givin' a rude gesture while sailin'.

This sort o' broad, sweepin' language doesn’t work fer criminal law, and it doesn’t work fer SOPA either.

SOPA claims t' be aimed at stoppin' large-scale fer-profit copyright infringement, but th' actual text means th' law would apply t' any type o' copyright infringement, no matter how small or insignificant.

Stupidly Unenforceable

The Internet is a global network. But th' people who wrote SOPA seem t' think that th' only part o' th' Internet that counts is th' part that’s in th' United States.

This is so stupidly untrue as t' not require further elaboration.

SOPA would allow blockin' o' websites fer copyright infringement… but it claims t' be aimed at “foreign” websites. And th' only blockin' it authorizes is t' block those sites from bein' seen by… Americans. So, it doesn’t actually “block” th' sites, it just blocks them from bein' seen in America. Anyone in th' rest o' th' world can keep on visitin' th' site, and download unauthorized copyrighted material t' their hearts’ content.

Your guess as t' how, exactly, this is supposed t' “stop online piracy” is as good as mine.

Ultimately Ineffective

The website blockin' authorized by SOPA is done at th' DNS level – meanin' that it simply stops DNS servers (only in th' U.S., as I mentioned above) from resolvin' th' site’s domain name t' its numerical IP address.

Which means that if th' site www.example.com were bein' blocked, but ye knew its IP address (e.g., 192.168.55.34), ye could just type in th' numerical address instead, and it would work just fine.

This is th' most obvious example as t' why SOPA would be ultimately ineffective at its stated purpose – that is, stoppin' “online piracy.”

This is a bit like coverin' yer eyes while witnessin' a crime, and sayin' “I can’t see it, so it’s not happenin'.”

Some o' th' other aspects o' th' act – fer example, forcin' payment gateways (such as PayPal or Visa or MasterCard, etc.), t' freeze th' accounts o' th' website’s owners – might be somewhat effective, but again, remember that this only affects payment gateways within th' United States. If a “foreign” website is distributin' unauthorized copyrighted material fer profit, chances are they are goin' t' use a “foreign” payment gateway as well. So, once again, SOPA achieves nothin' towards its stated goal.

It Is Censorship

Obviously, SOPA were bein' not designed as censorship per se, but due t' th' way it is structured, it would effectively be censorship.

Remember, SOPA allows someone t' claim ye are violatin' their copyright, and have yer site completely blocked.

This is true even if it turns out that ye were not violatin' their copyright, or that yer use o' copyrighted material falls under “fair use.”

Now, imagine that ye are a big website (like, say, YouTube, Facebook, Flickr, or Twitter) – are ye goin' t' want t' run th' risk o' havin' yer site suddenly blocked because one o' yer users uploaded somethin' that is copyrighted (even if it is ultimately found t' be fair use)? Of course not!

Even though sites like Facebook and YouTube are probably big enough t' get unblocked fairly quickly, th' simple threat o' bein' blocked at a moment’s notice is enough t' force them – out o' simple self-preservation – t' severely censor their users. They just can’t take th' risk – th' potential harm t' them (havin' their site blocked) is too great t' even risk lettin' users upload anythin' that might, possibly, maybe, be considered copyright infringement.

Out o' Proportion

We’ve seen how SOPA is carryin' a pretty big stick when it comes t' enforcement. But let’s think fer a moment about what it is meant t' be stoppin', exactly:

Copyright Infringement.

Not “piracy,” not “theft o' intellectual property,” but simple infringement o' copyright.

Copyright, remember, is not a “fundamental” or “universal” right. It is a (time-limited) government granted monopoly on thin's ye create, t' encourage people t' create thin's, knowin' that others can’t just take what ye’ve done fer free and make money from it. It’s an incentive t' create – nothin' more, and nothin' less.

Now consider that SOPA would make copyright infringement a felony.

Think about that fer a moment – this law would make illegally copyin' someone’s work be on th' same criminal level as murder and kidnappin'.

The other aspects o' SOPA – blockin' websites and freezin' accounts – are also wildly out o' proportion with th' actual harm done.

Imagine if other laws worked th' same way – fer example, if a particular neighborhood were bein' known t' have a lot o' shoplifters stealin', say, packs o' gum. The whole neighborhood could find itself suddenly and without warnin' shut down – no power, no electricity, all seas blocked off and th' whole neighborhood under martial law. And all this would happen on th' say-so o' th' gum manufacturer who complained about their products bein' stolen frequently.

If that seems a bit excessive, consider that this is exactly what SOPA would do, except fer copyright violation instead o' petty shopliftin'.

Online piracy – which is just shorthand fer “copyright infringement on th' Internet” – is not equivalent t' physical theft, despite what some people would like ye t' believe. If anythin', it is a lesser crime than physical theft, which is why SOPA is such a terrible idea – it is wildly out o' proportion with th' crime it is tryin' t' prevent.

Unfairly Biased

If ye have any doubt that th' movie and music industries are th' major reason why this bill exists, consider this: there is a clause in th' act which specifically makes streamin' copyrighted content a felony.

Remember that any type o' content ye can create is automatically covered by copyright. Your kindergartener’s crayon drawin'? Covered by copyright. Your vacation photos and home movies? Covered by copyright. That sculpture ye made back in art class in college? Covered by copyright. Even th' words ye’re readin' right now are covered by copyright.

But what sorts o' content can be “streamed?” Well, ye can’t very well stream a drawin', or a photo, or a sculpture. But ye can stream music and movies – which are th' thin's that are specifically made into a felony by SOPA.

If that doesn’t convince ye that this act were bein' primarily written by and fer th' movie and music industries, I don’t know what will.

SOPA Must Die

There are so many thin's wrong with SOPA that I couldn’t hope t' cover them all – but I’d like t' think I’ve at least covered th' big ones. On top o' that, it doesn’t help that th' people writin' and debatin' this bill admit that they don’t understand th' issues involved.

I’ve spent a lot o' time tryin' t' think o' ways that SOPA could be revised t' make it less awful, but there simply is too much wrong with it t' be worth salvagin' – which is why SOPA must die. It simply is not salvageable as a piece o' legislation, and tryin' t' revise it just risks havin' some o' its harmful provisions slip through. It should just be thrown away, and some other more specific and less broad legislation could be drafted instead.

Now, let’s be clear – I’m not sayin' that online copyright infringement isn’t a problem; far from it. But SOPA is not th' answer. We already have th' DMCA, which is not perfect (far from it, in fact), but it at least does not have th' same problems I’ve outlined here (in particular, th' DMCA at least does provide fer due process, and it is a much more “surgical” tool fer combatin' copyright infringement, unlike SOPA, which is more like a tactical nuclear bomb in comparison).

Unfortunately, right now th' only voices Congress is hearin' in regards t' these issues come from th' movie and music industries, which as I’ve said before, are th' ones fer whom SOPA (and its Senate cousin, th' PROTECT IP Act) were bein' written.

SOPA must be stopped, and it is up t' us t' remind Congress o' this simple and inarguable fact.

If ye haven’t done so already, call or email yer representative and let them know what ye think. Hearin' th' voices o' th' people is th' only way a democracy can work – so speak now, or forever hold yer [CENSORED FOR COPYRIGHT INFRINGEMENT].