A (Renewed) Case for Encryption

gpg encryptionI kind of hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually getting back into using encryption, and perhaps even trying to solve the problem of getting more people to actually use it.

One of the big problems with encryption – for example, email encryption using public key cryptography (PGP or GnuPG) – has been just getting enough people to start using it. With the way public key encryption works, you need to use encryption, AND the person you’re sending it to needs to use encryption, too.

In addition, there’s also the further complication of signing one another’s keys and assigning trust levels and so on… it’s just a bit too complicated and technical for your average user.

However, it doesn’t have to be complicated, and given what we’ve learned recently, it seems to me it really shouldn’t be - and that it is in all of our best interests to make it be as simple and easy as possible.

People have been harping on about the importance of encryption for ages, but widespread adoption has mostly been limited to SSL (for webmail & other web apps & services). This sort of encryption prevents a 3rd party from intercepting your communication with Google or Microsoft or Facebook or your bank or whatever, but none of that matters if your data is just going to be handed over to the government by the company on the other end anyway!

SSL encrypts your connection and your data during transmission, but the actual contents of your data are unencrypted at either end, and vulnerable to interception. It’s a good first step, but it isn’t enough – not anymore.

passwordOn the other hand, actually encrypting the contents of your communications – the email, the files, etc. – means that even if they are stored on a server (as your email is, for example), they are still encrypted – and most importantly, the server doesn’t have the decryption key –  only the recipient does.

What this would means in practice is that it would prevent the wholesale collection of data.  If the government wanted the contents of someone’s communications, they would need to go after that individual; they wouldn’t be able to just pull it out of a big database.

Since going after an individual takes effort and requires a subpoena or at least a court order of some sort, there’s protection built-in. Plus, now the government’s attempts to access your data would be limited in scope to one person at a time, and they can’t be done in secret – or, at least, they’d be less secretive.

The government may still collect other data about you, of course – encryption is not a cure-all. It may still collect “metadata” about you – times and dates and such – but at least the content of your data remains secure until specifically subpoenaed.

As a side note, the NSA has repeatedly said that this is what it does anyway, as part of an attempt to justify why we shouldn’t be worried about this – but because everything the NSA does is secret, we have no way to be sure that this is actually the case. All we have to go on is the NSA saying “trust us, we won’t read your email without a court order (that you aren’t allowed to see).” Doesn’t exactly inspire a lot of trust, now does it? Especially given the track record we’re dealing with.

Perhaps if our government had a long & strong history of being trustworthy, of being transparent with its behavior, of standing up for individual rights and privacy, and severely limiting the collection and access of people’s data to only what is explicitly needed for specific cases and actions, this whole wholesale surveillance thing wouldn’t be such an issue.

But sadly, this is not the case – our government has shown, again and again, that it cannot be trusted in this regard, and that when given the opportunity, it will make a grab for as much power as it possibly can get.

Given the recent revelations on exactly how much power (and, by extension, data) our government has grabbed as of late, making actual content encryption available, widespread, and easy to use seems like an absolute no-brainer.

Icons courtesy of the Crystal Icon Set.

10 Years of WordPress

wp10logoWow, has it really been 10 years?

Yes, it has – officially 10 years ago, on May 27th, 2003, WordPress was released.

As part of the WordPress 10th Anniversary Blogging Project, I figured I would  I’d share some of my memories of using WordPress over the years.

Back in 2003, when WordPress was first released:

  • I was still using Windows 2000 on my home computer (I did use XP at work – cutting edge at the time!)
  • We were only on the 2nd Matrix movie, “The Matrix Reloaded”
  • I was still using the “Mozilla Suite,” the descendent of “Netscape Communicator.” (It wasn’t until next year that it was split into Firefox & Thunderbird)
  • We had just lost the Space Shuttle Columbia a few months prior
  • The iPod was only on its 3rd iteration, and the iPhone was still a distant dream
  • Slim flip-phone cell phones were all the rage
  • The Concorde made its last commercial flight

I didn’t start using WordPress myself until a little bit after its release – until around December 1st, 2005, in fact.

When I started using WordPress in 2005:

  • We were just starting to lament that schools were switching to using Java (the horror!) to teach programming
  • I still had a CRT TV in my living room (and on my computer – though I had just gotten an LCD display at work, and I’d soon get one at home as well)
  • Digital Rights Management came into the spotlight with the discovery of Sony’s rootkit that silently installed when you inserted a music (!!) CD in your computer.
  • This was the year I took down my old hand-coded personal site (which was old, dated, and not really very good) in favor of this blog.
  • And, of course, 2005 is the year I unexpectedly found myself living with my two wonderful rabbits

In all that time, I’ve switched WordPress themes more times than I can count – and upgraded and installed numerous useful (and sometimes silly) plugins.

Still, it’s amazing to see how far WordPress has come. It’s been a great 10 years, and I’m looking forward to 10 more!

Happy 10th birthday, WordPress!

Still Blogging

There’s a reason I don’t use services like Tumblr (or LiveJournal, or Blogger, or any of a dozen other similar “free” services) and instead still post things here on my own blog – and that is: I own this blog, but I don’t own Tumblr*.

Now, this may not – scratch that, this will not apply to everyone, but for me, my words are my “product,” so to speak. They are the thing I spend time creating, and they are important to me – important enough that I would not want them to be lost.

Whenever I’m trying to decide whether to use some new web-based service (at least, the “free” ones), I ask myself, “if this service disappeared tomorrow, would it be a huge loss for me?” If the answer is “yes,” then I either won’t use the service, or I will only post low-importance things there (or I’ll duplicate the content elsewhere).

Naturally, there are some “free” services that I trust sufficiently to get over the “what if it disappeared” hurdle – things like Gmail, to name one example. (Though that doesn’t stop me from keeping a local, cached backup copy, just in case!)

Anyway, these are just some of my thoughts – and of course everyone else’s criteria will differ from mine. But it’s worth thinking about before you commit to creating a lot of content with whatever the next “cool” new web service is!

* This goes for any paid service, really. If I pay for it, I generally expect not to be left in the cold. With a free service, you can’t really expect anything.

Unsubscribe me NOW, Damnit!

If there’s one thing that really annoys me, it’s crappy methods of unsubscribing from email newsletters and the like. You’ve probably seen it before – you get some email from a company you’ve bought something from in the past, or maybe a website’s newsletter that you signed up for. It’s not spam, but you decide that you don’t really want these sorts of emails anymore, so you click the “Unsubscribe” link down at the bottom.

And then you’re greeted with something like this (emphasis mine):

Thanks for unsubscribing.
It may take up to 10 days to process your request.

Ten days? TEN DAYS?!? Seriously?

While the exact number of days may vary, the point is that you aren’t unsubscribed yet, even though you clicked the link to unsubscribe.

What’s worse is that sometimes the company or website will send you another email during that processing period!

Personally, whenever I see something like this it tends to send me into a sort of rage, where I vow never to do business with this company/organization/website ever again. Because really, saying that it’s going to take days (however many it may be) to do what should be instantaneous is just a giant middle finger to whomever is on the receiving end of the original email.

I could understand delays in processing an unsubscribe request back in the dark ages of the Internet – maybe even as recently as 5 years ago – when email mailing lists were cultivated manually, but honestly in this day and age there is absolutely no excuse for not automatically honoring an unsubscribe request immediately after a link is clicked.

I have to imagine that all of these “unsubscribe processing delay” messages come from old or home-grown email systems, because all the modern email marketing systems I know of will honor unsubscribe requests immediately.

When someone clicks an “unsubscribe” link (and I’m talking about a true “unsubscribe me from everything” link, not just a “stop receiving offers” or “stop sending me the monthly newsletter” type links), that person’s email address should be immediately marked as “DO NOT CONTACT” and no more bulk-type emails should ever be sent to that person’s address until they do something to opt-in to receiving them again.

In other words, when I click the “unsubscribe” link in your email, I expect you to unsubscribe me NOW, not 3 or 5 or 10 days later. Immediate unsubscribing may not be legally required (e.g., by the CAN SPAM Act), but I’d like to think it is morally required – it’s just common courtesy.

 

Why SOPA Must Die

[It's taken me a while to get my thoughts in order regarding this issue, especially since so many others have already spoken about it more eloquently than I ever could. But this is such an important topic, and it has been weighing on my mind so heavily as of late, that I just couldn't wait any longer - I had to put my thoughts down in words.]

SOPA (the Stop Online Piracy Act; H.R. 3261) is a bill before the United States House of Representatives. In brief, it allows both the Department of Justice and copyright holders to request court orders against websites that are allegedly distributing copyrighted material without permission, or are just enabling others to do so. These court orders can require payment processors (e.g., PayPal, Visa, MasterCard, etc.) to freeze accounts, force search engines to de-list the accused website, and require ISPs to block the site’s DNS records.

(Strangely enough, the act also contains some other similar provisions for websites selling discount prescription drugs and surplus military hardware, of all things.)

The freezing of accounts is bad enough, but the blocking of DNS records is perhaps the most frightening aspect of this bill, as this amounts to no less than outright censorship of the Internet, similar to that seen in places like China and Iran.

I have a number of concerns with this bill, but I will just stick to the top few, the ones I think are the most egregious.

Lack of Due Process

Perhaps the most offensive aspect of this bill is its removal of the protection of due process for the accused. The 5th Amendment to the U.S. Constitution guarantees the right to due process, but this bill almost completely denies that right to those accused under its terms.

The right to due process is one of those really important rights for any free society – right up there with freedom of speech, freedom of religion, and the right to a trial by jury.

SOPA circumvents due process by making it so that the government (on the say-so of a copyright holder) has the right to take away something of yours (your website, and/or your money) without giving you a chance to challenge this. The takedown actions authorized under SOPA are effective immediately, and there is little to no burden of proof on those asking for the takedown, and even less chance of retribution on those asking for the takedown should their claims later be proven false.

Immediate action can be understandable in some circumstances (child kidnapping, serial killers, etc.), but for something as mundane as copyright infringement, it seems a bit excessive.

Which brings me to my next point…

Excessively Broad

The text of SOPA is purposefully very, very, very broadly written. This, I think, stems from a desire to sort of “cover your bases,” by trying to be as broad as possible so there are no loopholes.

Unfortunately, in this case the broad language simply serves to make this bill applicable to almost everything, in the same way that a law that said “any type of death threat, no matter what counts as attempted murder” is applicable to almost anything. If our actual criminal statues were worded this broadly, every single one of us would be in jail by now, because there is not a one of us who hasn’t at some point in our lives done something that could be construed as a death threat – from angry words during an argument to giving a rude gesture while driving.

This sort of broad, sweeping language doesn’t work for criminal law, and it doesn’t work for SOPA either.

SOPA claims to be aimed at stopping large-scale for-profit copyright infringement, but the actual text means the law would apply to any type of copyright infringement, no matter how small or insignificant.

Stupidly Unenforceable

The Internet is a global network. But the people who wrote SOPA seem to think that the only part of the Internet that counts is the part that’s in the United States.

This is so stupidly untrue as to not require further elaboration.

SOPA would allow blocking of websites for copyright infringement… but it claims to be aimed at “foreign” websites. And the only blocking it authorizes is to block those sites from being seen by… Americans. So, it doesn’t actually “block” the sites, it just blocks them from being seen in America. Anyone in the rest of the world can keep on visiting the site, and download unauthorized copyrighted material to their hearts content.

Your guess as to how, exactly, this is supposed to “stop online piracy” is as good as mine.

Ultimately Ineffective

The website blocking authorized by SOPA is done at the DNS level – meaning that it simply stops DNS servers (only in the U.S., as I mentioned above) from resolving the site’s domain name to its numerical IP address.

Which means that if the site www.example.com was blocked, but you knew it’s IP address (e.g., 192.168.55.34), you could just type in the numerical address instead, and it would work just fine.

This is the most obvious example as to why SOPA would be ultimately ineffective at its stated purpose – that is, stopping “online piracy.”

This is a bit like covering your eyes while witnessing a crime, and saying  “I can’t see it, so it’s not happening.”

Some of the other aspects of the act – for example, forcing payment gateways (such as PayPal or Visa or MasterCard, etc.), to freeze the accounts of the website’s owners – might be somewhat effective, but again, remember that this only affects payment gateways within the United States. If a “foreign” website is distributing unauthorized copyrighted material for profit, chances are they are going to use a “foreign” payment gateway as well. So, once again, SOPA achieves nothing towards its stated goal.

It Is Censorship

Obviously, SOPA was not designed as censorship per se, but due to the way it is structured, it would effectively be censorship.

Remember, SOPA allows someone to claim you are violating their copyright, and have your site completely blocked.

This is true even if it turns out that you were not violating their copyright, or that your use of copyrighted material falls under “fair use.”

Now, imagine that you are a big website (like, say, YouTube, Facebook, Flickr, or Twitter) – are you going to want to run the risk of having your site suddenly blocked because one of your users uploaded something that is copyrighted (even if it is ultimately found to be fair use)? Of course not!

Even though sites like Facebook and YouTube are probably big enough to get unblocked fairly quickly, the simple threat of being blocked at a moments notice is enough to force them – out of simple self-preservation – to severely censor their users. They just can’t take the risk – the potential harm to them (having their site blocked) is too great to even risk letting users upload anything that might, possibly, maybe, be considered copyright infringement.

Out of Proportion

We’ve seen how SOPA is carrying a pretty big stick when it comes to enforcement. But let’s think for a moment about what it is meant to be stopping, exactly:

Copyright Infringement.

Not “piracy,” not “theft of intellectual property,” but simple infringement of copyright.

Copyright, remember, is not a “fundamental” or “universal” right. It is a (time-limited) government granted monopoly on things you create, to encourage people to create things, knowing that others can’t just take what you’ve done for free and make money from it. It’s an incentive to create – nothing more, and nothing less.

Now consider that SOPA would make copyright infringement a felony.

Think about that for a moment – this law would make illegally copying someone’s work be on the same criminal level as murder and kidnapping.

The other aspects of SOPA – blocking websites and freezing accounts – are also wildly out of proportion with the actual harm done.

Imagine if other laws worked the same way – for example, if a particular neighborhood was known to have a lot of shoplifters stealing, say, packs of gum. The whole neighborhood could find itself suddenly and without warning shut down – no power, no electricity, all roads blocked off and the whole neighborhood under martial law. And all this would happen on the say-so of the gum manufacturer who complained about their products being stolen frequently.

If that seems a bit excessive, consider that this is exactly what SOPA would do, except for copyright violation instead of petty shoplifting.

Online piracy – which is just shorthand for “copyright infringement on the Internet” – is not equivalent to physical theft, despite what some people would like you to believe. If anything, it is a lesser crime than physical theft, which is why SOPA is such a terrible idea – it is wildly out of proportion with the crime it is trying to prevent.

Unfairly Biased

If you have any doubt that the movie and music industries are the major reason why this bill exists, consider this: there is a clause in the act which specifically makes streaming copyrighted content a felony.

Remember that any type of content you can create is automatically covered by copyright. Your kindergartener’s crayon drawing? Covered by copyright. Your vacation photos and home movies? Covered by copyright. That sculpture you made back in art class in college? Covered by copyright. Even the words you’re reading right now are covered by copyright.

But what sorts of content can be “streamed?” Well, you can’t very well stream a drawing, or a photo, or a sculpture. But you can stream music and movies – which are the things that are specifically made into a felony by SOPA.

If that doesn’t convince you that this act was primarily written by and for the movie and music industries, I don’t know what will.

SOPA Must Die

There are so many things wrong with SOPA that I couldn’t hope to cover them all – but I’d like to think I’ve at least covered the big ones. On top of that, it doesn’t help that the people writing and debating this bill admit that they don’t understand the issues involved.

I’ve spent a lot of time trying to think of ways that SOPA could be revised to make it less awful, but there simply is too much wrong with it to be worth salvaging – which is why SOPA must die. It simply is not salvageable as a piece of legislation, and trying to revise it just risks having some of its harmful provisions slip through. It should just be thrown away, and some other more specific and less broad legislation could be drafted instead.

Now, let’s be clear – I’m not saying that online copyright infringement isn’t a problem; far from it. But SOPA is not the answer. We already have the DMCA, which is not perfect (far from it, in fact), but it at least does not have the same problems I’ve outlined here (in particular, the DMCA at least does provide for due process, and it is a much more “surgical” tool for combating copyright infringement, unlike SOPA, which is more like a tactical nuclear bomb in comparison).

Unfortunately, right now the only voices Congress is hearing in regards to these issues come from the movie and music industries, which as I’ve said before, are the ones for whom SOPA (and its Senate cousin, the PROTECT IP Act) was written.

SOPA must be stopped, and it is up to us to remind Congress of this simple and inarguable fact.

If you haven’t done so already, call or email your representative and let them know what you think. Hearing the voices of the people is the only way a democracy can work – so speak now, or forever hold your [CENSORED FOR COPYRIGHT INFRINGEMENT].