My Contempt Knows No Bounds: The Starbucks “Come Together” Petition.

October 13th, 2013

This petition was on a table by the doorway at a Starbucks near my house, and the top sheet had even collected a lot of signatures. I wonder what those people thought they were accomplishing. You can click on the photo to get an enlarged version, but here’s what the text says:

To our leaders in Washington DC,
now is the time to come together to:

  1. Reopen our government to serve the people.
  2. Pay our debts on time to avoid another financial crisis.
  3. Pass a bipartisan and comprehensive long-term budget deal by the end of the year.

It’s as though Starbucks CEO Howard Schultz hears someone getting mugged outside his window and shouts “Hey you all down there, quit fighting!”

The Starbucks 'Come Together' Petition

Memo to Starbucks: the way to solve this crisis is by taking a side. It’s literally true: as their poll numbers have dropped (i.e., as more people have taken sides), the Republicans have started to abandon their demands. When enough of them abandon enough of their hostage-taking ways, the government will re-open, the debt ceiling will be raised, and conversation will be possible. Humiliating defeat is also a bipartisan solution.

If you’re a gigantic publicly-held company and don’t feel you can afford to take a side, then at least don’t put out pointless petitions in favor of unicorns and rainbows and everybody getting along. That’s worse than useless. You might confuse some poor person who hasn’t yet had their morning coffee into thinking they’re actually participating in politics when all they’re doing is donating their name to your misguided and implicitly partisan publicity drive.

Refusal to take a side almost always equals taking one side. In this case, by legitimizing the Republicans’ extortionary tactics, Starbucks is supporting their side. All the people signing that petition are doing so too, but — especially knowing the demographics of Hyde Park, Chicago, where that particular Starbucks is located — they probably don’t think of themselves as doing that. That’s what makes this worse than useless.

I’m not sure how one conspicuously refuses to sign a petition. Maybe cross out one line? Sign your name and then cross over it? What I did at that Starbucks was write a note at the top of the petition about “false equivalency” and how the only constructive action to take here is to take a side. If you stop by a Starbucks today, please do the same :-).

Eben Moglen talks in New York City: “Snowden and the Future”

October 3rd, 2013

Eben Moglen speaking

Arrgh, I wish I could go to this!

Eben Moglen is giving a series of talks entitled “Snowden and the Future” on four Wednesday nights, spread across October, November, and December. I’d even fly into New York to attend some of them, but I have choir rehearsal on Wednesday nights (and I’ve already missed rehearsals due to travel, so don’t want to do more of that).

But if you’re in New York, you should go! They’ll be at Columbia Law School, Jerome Greene Hall room 101 (map), from 4:30pm – 5:30pm, on Wednesdays Oct 9th, Oct 30th, Nov 13th, and Dec 4th. More information at snowdenandthefuture.info. The talks will be live-streamed at that site too.

Dear Lazyweb: How long will it take you to fix the LOVEINT problem?

September 8th, 2013

Just for the record, I know I could have created the English-language Wikipedia entry for LOVEINT myself. But I wanted to see how long it would take from tweeting (and denting) it until someone else creates the entry :-).


(I think the only Wikipedia article I’ve actually started is the one on William Binney, which has developed very nicely since then. This time I’m taking the lazy route, though, and calling it an “experiment” since people have more respect for science than for laziness.)

Update: Okay, looks like the deed was done on 12 September 2013, by Wikipedia editor Koavf (Justin A. Knapp). He did it as a redirect to the “2013 mass surveillance disclosures” article, which mentions & defines “LOVEINT”. No idea whether he ever saw this blog post, but anyway, thanks Justin!

My favorite RSS reader, Feedbin.me, goes open source!

August 27th, 2013

I’d been waiting for this! (N.b.: had inside information it was coming.) The code behind my favorite RSS reader, feedbin.me, has been open sourced. See the announcement, or grab the code from github.com/feedbin/feedbin.

Feedbin is the RSS reader I use every day now. The minimal design is a pleasure: nothing gets between me and the articles I’m trying to read, but at the same time the knobs I need are there when & where I need them. It supports import/export, and has a documented API.

I don’t host my own Feedbin instance, of course. I just use the service run by Feedbin’s author, Ben Ubois, at feedbin.me. At the eminently reasonable price of $3/month, it’s well worth it for me not to have to worry about configuration and hosting administrivia. At the same time, knowing that the code is open source is important: that means it can never be taken away from its users. It means that the investment I make as a user can’t be suddenly rendered obsolete by one party’s decision to yank the rug out from under everyone.

If for some reason Ben Ubois ever shut down his Feedbin commercial service (unlikely), that still wouldn’t mean I’d have to set up my own instance. Someone else would probably do so, and I’d just pay them instead. Or if no one did so immediately, well, that’s a market gap I might be interested in stepping into… but then many others would be having the same thought. Open source is not about doing it yourself; it’s about removing barriers to people doing things for each other.

That’s why it’s important for commercial services like Feedbin to also be open source.

Congratulations to Ben! I hope he gets many new users from among those who feel that commerce and freedom taste better together.

Here’s a screenshot of Feedbin’s three-column layout (feeds, [un]read articles, then the current article in the rightmost large pane):

Feedbin.me screenshot

Offline.

July 31st, 2013

I’m taking a vacation from email for a few weeks, so please don’t worry if you don’t get a response — just resend in late August.

Credit where credit is due: LibreOffice is now ridiculously easy to build.

July 28th, 2013

About fifty million years ago, I encountered a minor bug in the OpenOffice word processor. It was an easy fix, a menu layout problem or something like that, so I thought I’d have a go at patching it. Of course, the first step would be to build the latest development version of the code and see if the bug was still present.

Well, I got stopped on that step. I spent an entire day trying to build OpenOffice, and didn’t succeed. I don’t think I even came close, though it was hard to tell. I eventually concluded that to be an OpenOffice developer, you’d need to first get a Ph.D. in building OpenOffice, and gave up in frustration. It brought home to me the importance of making software easy for developers to build — especially in open source software, where you depend on developers who bring their own energy and who will quickly take that energy elsewhere if it is not rewarded.

Years later, the OpenOffice project forked — well, the actual story is a bit more complicated than that, but basically today there is LibreOffice and Apache OpenOffice. Both are active open source projects, and it’s fair to think of LibreOffice as one of two equally legitimate inheritors of the old OpenOffice mantle in the sense of development continuity. (Do search://apache openoffice libreoffice “document foundation”/ for the detailed story.)

I happened to be talking to some of the LibreOffice developers recently, and related my build experience from years ago, and how it had turned me off from ever considering OpenOffice development again, and from even considering LibreOffice development after the fork happened. The whole thing had left me scarred: buildability was such an obvious non-priority then that I didn’t see how a project could possibly ever get from there to something a normal mortal might build in finite time.

Wait, it’s gotten better, they said.

I expressed skepticism, but they swore it was true. Really?, I said. Okay, I’ll start from the top of the LibreOffice.org home page and see if I can find my way to useable build instructions, right now, right here, while we’re on the phone.

And you know what? They were right!

     $ sudo apt-get update
     $ sudo apt-get build-dep libreoffice
     $ git clone git://anongit.freedesktop.org/libreoffice/core libreoffice
     $ cd libreoffice
     $ ./autogen.sh
     $ make dev-install

The whole thing built. Without errors. I had working libreoffice debug binaries in six easy, well-documented steps.

That was amazing — it changed my mind about how much a project can improve its build experience if the developers really decide to prioritize it. (Disclaimer: I haven’t tried the same with Apache OpenOffice; it might well be equally easy.)

They asked me if as penance I’d fix another minor bug, since I wasn’t able to fix that menu bug all those years ago, and offered bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1141106 as the victim. This seemed like a completely fair request; I didn’t make any promises but I said I’d take a look. Sadly, I have to admit that I’m not going to fix it any time soon, only due to other commitments. It’s not a hard fix in theory, but verifying that it works everywhere could take some back-and-forth with various bug reporters and testers, since it’s a modification to run-time shell scripts, and right now I need to ruthlessly cut down on small-scale random commitments.

So as an apology for not fixing that bug, I wrote this blog post. Kudos to the LibreOffice team for having given such a complex piece of software such an easy build process. Although by not fixing bug 1141106 I guess I’m contradicting my own claim, still, I think that being so conveniently buildable must be a major ingredient in getting developers in the door, and that this pays off for the project in the long run.

Missing OSCON this year.

July 22nd, 2013

For those friends I’m not seeing in Portland this year: sorry to miss you this time!

I decided, for once (and hopefully once only), to not go to OSCON this year. Two main factors: I’ve already been traveling too much, and I’m greedy for time to concentrate on my book update.

Going to OSCON is always enjoyable, I always learn new things, and it’s wonderful to catch up with old friends and meet new people… but one can’t do everything everywhere. I wasn’t scheduled to speak this year, and there’s just too much on my plate. So, I decided to skip it this once.

See you next year!

Taking sides.

July 4th, 2013

US Declaration of Independence

Every Fourth of July, the New York Times prints the entire Declaration of Independence of the United States on the back page of its main section, in facsimile and in text. I read the whole thing on the subway this morning, just to remind myself what they were thinking of.

I’m pretty sure they were not thinking of a country where the government classifies the extent and nature of its surveillance, and even lies about it when citizens and their representatives ask. The distinction between discussing the overall process of surveillance and discussing individual targets of surveillance is crucial. Edward Snowden informed us about the process; he has been careful not to leak the targets (unless you count revelations of a very general nature, such as that we spy on the governments of our allies). No terrorist knows more today about whether they’re being watched than they did before Snowden’s leaks. Anyone trying to blow something up would naturally assume, and behave as if, they were under surveillance already.

Can anyone point to any real harm to national security from Snowden’s leaks? I have yet to hear of any. The leaks merely informed the citizenry of what we should have been informed of all along. It’s not a question of whether the government should sometimes be able to eavesdrop, or about whether there is rigorous enough judicial review or oversight. It’s that whatever we’re going to do, the policies about when and how we do it are legitimate matters of public debate — and we can’t debate them if we don’t know them. This is about civilian control over the military and intelligence services. Snowden himself said this eloquently enough, as have many others, so I won’t belabor the point.

But there is one slightly different argument I’d like to respond to:

Some people say that, even if in some abstract sense it is right that this information should come out and be debated, Snowden was wrong to leak it because in doing so he violated his oath to guard the secrets he had been entrusted with.

But he had a conflict of oaths: on the one hand, he and those around him were sworn to uphold the Constitution; on the other hand, he’d made a promise to keep secrets secret. What is the right thing to do when you promise to keep a secret, and then the secret they tell you is that some people aren’t keeping their promises?

For those who still don’t feel that conflict as Snowden felt it, on this July Fourth I’d like to point out that George Washington was an officer of the British militia in the American colonies. Well before the American revolution of 1776, he led a military force acting on behalf of the British crown, defending first part and then all of the Virginia colony’s borders. I don’t know enough about colonial militias to know if holding those positions required swearing an oath of loyalty, but it seems likely that it did (the new United States Army itself instituted an oath of allegiance fairly early on during the Revolutionary War). In any case there is at least some conflict in serving in a country’s militia and then leading an army against that same country’s army. But by their nature revolutions involve broken promises. You can read the Declaration of Independence as one long justification for when and why they should be broken (seriously, take a look).

Oaths sometimes conflict with each other, and you don’t always find out how until it’s too late. Then you have to decide what to do. Edward Snowden did the right thing in a difficult situation, and the debate that has ensued is evidence of this.

(It’s interesting that people who fret that Snowden broke his oath don’t seem to get as worked up when people get divorced and thus, in many cases, break their marriage vows. Marriage isn’t about national security… but then again, neither were Snowden’s leaks.)

If you agree, please say so, preferably in public — on your blog, if you have one, or on Facebook, or on Twitter, or on the bumper of your car, or on the back of your laptop. It’s important. There are a lot of people right now, especially politicians who are worried either about being attacked on national security or about losing the trust of the intelligence community, who feel they have to condemn what Snowden did. In some cases they’re sincere; in other cases they sense which way the wind is blowing in their particular environment and they say what they need to say to keep their position. I don’t even blame them, but it’s important that they not be the only voices out there. Say you’re glad to have the information that Snowden leaked. Explain clearly why it’s important that the public be able to talk about these things. Don’t let anyone feel they’re alone in thinking this, and you won’t be alone either.

Happy Fourth of July.

PRISM: Why the “directly and unilaterally” mistake matters.

June 21st, 2013

My post about how a central claim of the PRISM story turns out not to be true has drawn a wide range of comments. There’s one particular kind of comment I’d like to address here: the idea that, even if what I said was true, it was a mere technical detail and is not important in the larger story. (Here’s one such response.)

If the original claim about PRISM had been true, it would have had major implications for how we understand power and the nature of our political world.

The idea that the importance of a fact (or an error) would correlate to the number and familiarity of the words required to explain it is wrong. Just because life would be easier for reporters and readers if that were the case doesn’t make it the case. Sometimes, a thing is important even though it requires new words or concepts in order to be explained. This is one of those times. The number of syllables involved in causing a misunderstanding has no relationship to the significance of that misunderstanding.

Remember George W. Bush’s famous 16 words? “The British government has learned that Saddam Hussein recently sought significant quantities of uranium from Africa.” Those were just 16 words. The importance of the lie is unrelated to its length.

Greenwald and MacAskill did not lie. They simply misunderstood something. But what they misunderstood was very, very important. The issue in the PRISM reporting apparently arose because Greenwald and MacAskill misunderstood the meaning of this label on an NSA slide:

“Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple”

When the leaks first appeared, only two things really stood out as news, especially to the tech community — news in the sense of being something we fundamentally didn’t know before: the massive scale of phone call logs collection, and the claim that the NSA could “directly and unilaterally seize the communications off the companies’ servers” (referring to online services companies, not phone companies).

The latter claim about “directly and unilaterally” seizing communications from company servers was the more shocking one. This is partly because it was about data, not just metadata. But it was also because it meant that people we thought we knew — in many cases, people we’d worked with — had been hiding something big, something that, unlike (say) receiving and acting on National Security Letters, we didn’t think the law required them to hide and that we would not expect could be successfully hidden for long. It meant that not only did the system not work the way we thought it worked, it wasn’t even built the way we thought it was built. The moment I first read that quote, I straightened in my chair. If this is true, I thought, then we’re living in a very different place from the one we imagined.

The quote is from Glenn Greenwald’s and Ewen MacAskill’s original article in The Guardian on June 6th:

…defenders of the FAA argued that a significant check on abuse would be the NSA’s inability to obtain electronic communications without the consent of the telecom and internet companies that control the data. But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies’ servers.

Looking at that text, what would you think it means? (Go ahead and read it in context in the original article, just to be sure.)

The most natural interpretation of “directly” and “unilaterally” — really, the only interpretation the authors could expect, given the context — is that the NSA could get anything it wants directly from the servers of major online services companies, without asking the company first (hence “unilaterally”). In other words, the companies’ lawyers don’t have a chance to review the request and push back. It means a monopolar world in which even commercial services are essentially an arm of the government, instead of a multipolar world where, even though the government may be heavy-handed, there are still competing pressures, negotiations, and compromises — a world where the possibility of saying “no” still exists.

The scarier, monopolar interpretation was the one reacted to by the very next person the article quotes, Jameel Jaffer, the director of the ACLU’s Center for Democracy:

“It’s shocking enough just that the NSA is asking companies to do this… The NSA is part of the military. The military has been granted unprecedented access to civilian communications.

This is unprecedented militarisation of domestic communications infrastructure. That’s profoundly troubling to anyone who is concerned about that separation.”

Glenn Greenwald and Ewen MacAskill say nothing to correct Jaffer’s interpretation. As the authors of the piece, and therefore the people who chose to quote Jaffer’s reaction in the first place, one can only assume that the reason they did not correct Jaffer’s interpretation is that they did not think Jaffer misunderstood.

Eventually, I, along with many others looking at the primary source materials and other sources, realized that Greenwald and MacAskill had overstated this part of the case — the NSA does not have direct, unilateral access. It doesn’t have a secret route around company lawyers. It doesn’t have engineers planted in senior positions in every major online service company (or at least if it does, the documents leaked so far do not contain evidence of that).

Instead, what’s going on is, more or less, what we thought was going on, just with more abuse and less restraint on the government side. That’s serious, but it’s comprehensibly serious, not “Oops, I guess we live in the shadowy power of the Deep State after all” serious. The true situation is one that can still respond to popular pressure and political dissatisfaction.

I think it’s clear by now that what I (and Mark Jaquith and Rick Perlstein) wrote is right as far as the facts are concerned. For some other analyses that have come out since then supporting the claim that there is not direct and unilateral access, see Ashkan Soltani, and Declan McCullagh at CNET, and Hunter Walker’s piece at Talking Points Memo, especially the quote from Ben Adida of Mozilla, and the New York Times (despite the misleading title on the piece, its content confirms the less alarmist interpretation).

So why do I care?

Adapting a comment I made in reply to a reader of the earlier post:

The big picture is about understanding the true dynamics of the world we live in, so we can decide how to act and what is most important to focus on. The picture Greenwald originally painted is, more or less, one of government-dominated oligopoly in which basically all the big players sat down at the same table and agreed to play by the NSA’s rules. I don’t think that was an accurate picture. I see instead multiple power bases, with some degree of internal dissent within each organization (including even the NSA and the FISA courts, but much more so within the companies), and on important issues even open dissent between actors. Yes, there’s a lot of coercion and compromise, and there is no doubt that some companies hand over more than they should without asking enough questions — but they don’t all do that. Of course we shouldn’t be happy that the average person’s most immediate choice is which big protector(s) to grant conditional trust to. But as I said in response to someone else in a blog comment, it’s not like Russia and North Korea are the same thing (and the U.S. is neither). There are meaningful differences among surveillance states, and understanding the kind you live in is important if you’re trying to figure out which risks to take for what goals.

This is a more complex picture than the one Greenwald painted, but if it is a truer one, then the paths available for resisting a surveillance state are quite different than they would be in a more monolithic situation. Do you take to the streets, or do you file lawsuits? If the latter, then against whom, a company or the government? (I don’t mean to suggest these are the only options; they’re just examples.)

Hence the importance of people understanding that the government does not do unmediated “direct” and “unilateral” collection from the servers of all major private-sector online service companies. How realistic was that idea ever? What U.S. company, that originated as a mass-market services company and not as a government contractor, would agree to give government IT staff unfettered access to its live-data servers? The business risk would be incredible, the risk of public embarrassment incredible… the proposition just doesn’t make sense to me. It never passed the smell test.

People in the U.S. following this story are trying to figure out what kind of country they live in, because after all, there are countries where the companies wouldn’t have a choice about granting that kind of access. If Glenn Greenwald succeeds in persuading U.S. readers that they live in one of those countries, and he is wrong, then he will unintentionally help to erode the feeling of collective empowerment and of individual rights that is crucial for resisting further encroachment.

That’s why I care.

Addenda: One critic’s claim that I “repackaged” Mark Jaquith’s (very fine) post isn’t true. I wrote the bulk of my post before finding out about Jaquith’s; when I saw Jaquith’s, I thought it expressed the problem very well and I decided to point to it (and restructured my post accordingly). Also, though I am a Fellow at the New America Foundation, I had no awareness (until some commenters on my original post mentioned it) that NAF receives Gates or Schmidt money. Anyway, the funding for my work with NAF doesn’t come from those sources. Though the place the funding does come from won’t assuage those critics, since it’s the Open Internet Tools Project, which is largely funded by the U.S. State Department. To reiterate: the views expressed on this blog are my own and are not influenced by nor attributable to the New America Foundation, the Open Internet Tools Project, or any other organization. Finally, Mark Jaquith has updated his post to account for Greenwald’s response. I think Mark’s analysis of that response (search for the phrase “Update: Greenwald response”) is very good, and have nothing to add except a big +1.

Parsing PRISM: Gen. Keith Alexander did not claim “dozens of attacks” were prevented.

June 14th, 2013

Over and over we’ve read that Gen. Keith Alexander, the head of the NSA, claimed that its massive surveillance program has prevented “dozens” of terrorist attacks. Journalists are careful to report this claim as simply what Alexander said, not as a fact itself — we’re responsible journalists, far too wise in the ways of the world to believe something just because someone in the Administration said it! We know better than that.

Except that he didn’t say it. At least as far as I can tell — if anyone knows of a source for the claim other than the below, please let me know. So far, the only source I’m aware of is the exchange with Sen. Patrick Leahy referred to here.

What Gen. Alexander said was subtly but significantly different, and he’s probably not surprised to see it being misinterpreted in the NSA’s favor right now. We shouldn’t look to the NSA for a correction on this, but do note that Alexander was careful not to lie. No doubt he would lie, if he had to, but this time we did the work for him.

(Not to take undue credit: this discrepancy was pointed out to me by a friend who prefers to remain unattributed. Later a mutual friend pointed us to this post, which has the quotes and the analysis and the video link. I’m really just repeating what that post has already pointed out.)

First of all, Gen. Alexander never said “dozens of attacks”. The dozens he referred to were dozens of call records that contributed to the discovery or disruption of… something, something he calls “events” (apparently elsewhere he’s only talked about two actual attacks disrupted; I don’t have the source for that, but if you do please leave it in the comments).

Watch how this works:

Gen. Keith Alexander: “…it’s dozens of terrorist events that these have helped prevent.”

Sen. Patrick Leahy: “OK, so dozens? Now we collect millions and millions and millions of records through 215, but dozens of them have proved crucial, critical, is that right?”

Gen. Keith Alexander: “For both here and abroad, in disrupting or contributing to the disruption of terrorist attacks.”

Sen. Patrick Leahy: “Out of those millions, dozens have been critical?”

Gen. Keith Alexander: “That’s correct.”

Fascinating. He didn’t say “dozens of attacks”. He does, at first, after a long and clearly thoughtful pause (see the video below), say “dozens of events” once. What’s an “event”? If you disrupt a terrorist meeting, that’s an event. If you disrupt a terrorist eating dinner, is that an event? Maybe. I don’t know. But I do know that when someone in national security wants to defend their work, they use the word “attacks”. Attacks are what matter. When they use the much weaker word “events”, it is not an accident — it is because the stronger word is not available.

Sen. Leahy then gives him the opening to subtly switch the subject to the call records, rather than the events or attacks or whatever they are. Whether Leahy did that by accident or not I don’t know either. But Alexander gratefully takes Leahy’s pivot, to the extent of avoiding even having an explicit subject in his next two sentences — he just grabs Leahy’s antecedent like a life raft and rides it the rest of the way.

He never said dozens of attacks. He very carefully did not say dozens of attacks.

Satisfied that he didn’t say dozens of attacks?

Now let’s look at some headlines:

NSA: ‘Dozens of attacks’ prevented by snooping (The Register)

NSA chief: Surveillance has stopped dozens of potential attacks (Chicago Tribune)

NSA head: Surveillance program prevented dozens of terrorist attacks (Salon)

Alexander: Phone Collection Has Prevented ‘Dozens’ of Attacks (Democracy Now)

And just today I saw it in the New York Times too:

In a robust defense of the phone program, General Alexander said that it had been critical in helping to prevent “dozens of terrorist attacks” both in the United States and abroad…

Current score:

Experienced Washington NSA directors:   1  
Experienced Washington Senators:   N/A  
Experienced Washington journalists:   0  

Here’s that video: