Smári McCarthy

Building social, political and technical infrastucture

Where States Go to Die: Military Artifacts, International Espionage and the End of Liberal Democracy

This was originally published at the Center for a Stateless Society on October 12th, 2013. It is a transcript of a talk I gave at the SHARE Boat Camp in Croatia in August 2013, on board the Galeb

Military Artifacts

All over the world, landscapes both urban and rural are littered with military artifacts from bygone times. These artifacts have completed their lifecycle as objects of power, force and control, and have either been repurposed or forgotten.

Repurposed artifacts gain new meaning in the world, as they take on new roles. The former military base of Christiania in Copenhagen became a self-organizing free town. In Keflavík, a former US Navy base was converted into a university. In Florence, a former juvenile prison was turned into a safe haven for human rights defenders. In many places, former strongholds with relatively little public value have become tourist attractions, such as the tunnels inside the rock of Gibraltar, the castle in Ljubljana and the fortress of Komárom.

Some of these military artifacts don’t need to be explicitly repurposed to retain public value. In Europe, roads built by and for Roman armies up to two thousand years ago still form many of the transportation backbones of the continent. Without roads, there could be no trade.

But as time has gone on, military artifacts have become less amenable to public repurposing. While we might find some potentially beneficial use for the odd warship, the NORAD facility in Cheyenne Mountain isn’t going to become a theme park anytime soon, and despite Arnold Schwarzenegger’s suggestions, thermonuclear devices cannot be turned into snow cone makers. And while it is also conceivable that some guy might come along one day and convert an ICBM into a spaceship for faster-than-light travel, I’m not going to hold my breath.

Nuclear Democracy

Nuclear weapons are interesting artifacts. It is a matter of public record that almost ten thousand Nuclear weapons have been constructed. How many were constructed outside of the public record is anyone’s guess. Where they are is also an open question. A Nuclear device belonging to the US military was found in the sea off the coast of Greenland a couple of years ago, and nobody could publicly explain how it got there. And that’s the US – a country that at appears to have at least a vaguely competent military and relatively stable political atmosphere. Consider the artifacts left behind from the USSR. Not all visually accounted for, I’d venture to guess.

It has been said that the Nuclear bomb is a fundamentally undemocratic device: It has widespread impact, it is unspecific as to which humans it harms, it is expensive to source materials for and complicated to build. While an Ulam-style trigger mechanism is really just a question of getting enough dynamite in the right place, plutonium isn’t something you can pick up at the next convenience store.

Contrast these to rifles: Easy to build, easy to use, limited range and action, fairly focused on a particular target, unless you’re using an AK-47, in which case the only serviceable objective is chaos. As such, they are a much more democratic form of military artifact. Although they cannot directly be repurposed beyond a certain degree, there may be legitimate use for them outside of warfare.

What unites all of the artifacts I’ve mentioned so far is that they are physical. They can be visually accounted for. They exist in a scarcity-based economy. There is an upper limit to how many nukes can be built here on Earth, there is a way of counting them.

And as determined by the START treaty, there is a way to dismantle them. Nuclear disarmament was a hotly contested and highly useful goal near the end of the Cold War, although the topic has somewhat fallen out of fashion today. It’s as if people have come to terms with the idea of certain people having the ability to wipe out all of humanity at the blink of an eye. After Obama first took office, he went and had a conversation with Putin about disarmament, but there hasn’t been much media followup since then. Are there fewer nukes now than there were five years ago? I doubt it.

But an ICBM is a relatively hard thing to hide. This we know in part because if Scotland gets independence from the UK, the net number of Nuclear powers in the world remains constant, although the identity of one of them changes: the UK’s Nuclear stockpile is for the most part poorly hidden in the highlands. So if we did at some point get serious about disarmament, we’d know where to go, modulo some degree of military ingenuity and political madness.

Utopian Indulgence

With nukes, there is an exit strategy. In recent weeks, we have been granted some rather disturbing insights into the world of surveillance. We have heard of Prism, Boundless Informant, Tempora, and other things, the goal of which is not to spy on enemies of the state, but to spy on everybody on the assumption that we are all enemies of the state.

Let us indulge in a utopian form of escapism for a moment and posit the possibility that US President Barack Obama were to appear live on all the networks tonight, terrestrial and satellite, and declare that these catch-all surveillance programs would be abandoned forthwith, that all of the collected information – several hundred billion database entries – and all of the surveillance equipment would be destroyed.

If the US government had any credibility left, there would be instant jubilation. Peace would break out and victory would be declared, of some kind. But this is not the case. The US government was already running on the fumes of its credibility by the time Chelsea Manning exposed a shocking number of war crimes perpetrated in full knowledge of the upper echelons of the US government, and in terms of credibility it sputtered to an unceremonious halt when it was exposed that they had for at least seven years been conducting massive pervasive intrusions into the privacy of hundreds of millions of people around the world, violations against the trade secrecy afforded to companies globally, and quite literal invasions into the sovereignty of possibly every country on the planet.

This is not to say that all parts of the US government are rotten – not at all. On the contrary, many people within the US government or working for it are decent people with good intentions: The existence of people such as Edward Snowden, Chelsea Manning, Thomas Drake and Bill Binney is proof of this. The problem is not with the people, as such, it is with the structures and the behavior those structures breed.

If we return to our indulgence, the onus on the US government in this situation is to prove that they have dismantled their surveillance systems. But how could this be accomplished? There is no easy answer.

Dismantling Realpolitik

One of the fundamental challenges is that the US has ratcheted up their security apparatus to a point where any loosening would be construed by some as backing down. There are countries which might conceivably wish to take advantage of any weaknesses. There aren’t a lot of avenues for reduction.

One might argue that there is a possibility for the governments – and let’s remember that it isn’t just the US government, there’s the UK, Germany, France and many others – to back out of this surveillance quietly without alerting their enemies. But that would be moot – the public would not know, and thus public opinion would not be mended, and therefore little real benefit would come of it.

The understanding here is that any action taken by any of these governments now that does not lead to a better informed public on the one hand, and better protected rights to privacy on the other, are not going to be sufficient. So what are governments to do? There aren’t a lot of options.

The Death of the Republic

We have reached an impasse. On the one hand, the actions of the governments of these countries have rendered them entirely untrustworthy. On the other hand, their only avenue to regaining trust is to dismantle military artifacts that are not physical, cannot be visually accounted for, that exist in a post-scarcity economy, with no meaningful limit to how many surveillance systems can be in place and no way of counting them.

This is a catch-22. But we have seen this kind of stalemate arise before, numerous times in numerous empires, and they always had the same result. Some issue of contention comes up, ratcheting to the point where there is no feasible outcome. Politics be damned, military action is sometimes taken. Sometimes, it’s not country-on-country action. It’s the public using all of those repurposed artifacts to their own ends.

I am deeply worried by this possibility. While the little anarchist in me would be happy to see these governments replaced, I very much prefer soft landings. The republic as we know it needs an exit strategy. This means a few different things.

A Motion for Rebirth

First, we need some new way of creating structural transparency on the protocol level. This is to say that the institutions which service us must be capable of exposing their activities directly to the public through a complete analytical mechanism. In practice this would mean that people are granted the capacity to be as well informed as they see fit.

Second, we need some new way of aggregating political will. This essentially means better collective decision making mechanisms, systems of direct democracy that allow everybody to express their social choices in a way that does not disempower them. Most direct democracy systems fulfill the requirement of allowing everybody to participate, but few fulfill the requirement of giving everybody a say. This needs to change, and until it does, there is no reasonable expectation that people will wish to participate.

The third thing is slightly more cumbersome, and more related to this discussion of military artifacts. The world’s political economy has been constructed over many centuries, imbued the logic of empire. If you take any artifact from the economy, physical or electronic, military or civilian, the chances of its creation having involved the exploitation of humans somewhere are near certainty.

We need to figure out – and here I have no boilerplate solution – new organizational structures that don’t require exploitation. I know, I know. Slightly slipping back into Utopia here.

New Logic, New Artifacts

The hard problems are kind of obvious. We’re all here because we know that they need solving. Some look to the people standing on this deck for guidance and leadership in these issues. The reality is, nobody has the answers.

What we do know is that the logic of our current societies does not lead to equality, democracy and civility. It leads to Prism, Tempora and Boundless Informant. It leads to GCHQ, NSA, and BND. It leads to Tito, Obama and Lukaschenko.

We need a new logic. This logic will only come about by the elimination of the existing states, the states that have rendered themselves untrustworthy by their actions against us. But as assuredly as the current system has generated the military artifacts of our time, the new logic will produce new artifacts, both military and civilian, and it is up to us to repurpose them to the benefit of everybody.

Passing Over Eisenhower

This was originally published at the Center for a Stateless Society on the 18th of July 2013 — it feels like years ago, so much has happened in the interim. A Portuguese translation is available. I decided to repost it now because it came to mind recently while doing a bit of a retrospective, and realized I hadn’t cross-posted it.

The Internet industries of America may just have inadvertently had their hats handed to them by the military industrial complex. Now it’s up to Europe to provide an alternative to the surveillance state.

Almost all of the major Internet industry giants are based in the United States. The reasons for this are historical and economical. The tradition of strong entrepreneurship practiced in the US since their inception, mixed with their purchasing power and history of acquiring any sufficiently profitable venture or fascinating technology from abroad, has put the US into a prime position to be the global leader in provision of Internet services.

That may just have ended. While US dominance over the roughly $11 trillion/year global Internet services market is still unchallenged, the damage that the revelations made about NSA’s vast global surveillance scheme may stymie their growth and perhaps even turn them into a localized recession in coming months and years.

The reason for this is Europe. While some Europeans are becoming increasingly comfortable with the notion of living in a surveillance state, most people on the European mainland still grow up hearing stories of totalitarian dictatorships, wars, genocides, and the Holocaust, and have a natural inclination to detest the notion of secret police. As more is learned of the US’s secret spying games – aided in part, it seems, by their English counterparts – outrage boils thickly in countries like France and Germany, where despite highly open and inclusive societies in some senses, the notions of privacy as practiced in the United States have often been thought of as quaint. While modern discourse on privacy is dominated by the philosophical foundations of the 4th Amendment, a slightly different, somewhat more subtle understanding of privacy reigns in European discourse, with an annoyingly elusive definition.

Over coming months and years, the US government’s betrayal of the people of the world will spur a new industry in Europe, not aimed necessarily at pure technological innovation, but rather simply creating secure, privacy-respecting alternatives to the software services provided by the US based companies that can no longer be trusted. We will see Czech and Hungarian startups bringing out new search engines and Croatian and Polish companies developing secure e-mail services. We’ll undoubtedly see surveillance-resistant chat software coming out of Austria and global map databases being developed in Estonia. Or something like that.

This is not to say that Europe is ready to take on such a massive task. There is a lot of soul-searching that needs to happen, both culturally and politically in Europe: while privacy is a shared value in most of the continent’s corners, due to the lingering fear of a return to totalitarianism – fueled in no small part by the ascension of the likes of Hungarian prime minister Viktor Orbán to power – there is still a phantom of apprehension in the interactions between the tribes that make up Europe that seems to foreshadow balkanization. On top of this we have a schizophrenic political class that speaks of free trade one minute and restrictions the next, amongst whom are those who get raging hard-ons at the merest mention of censoring pornography or anything else they find offensive or overly stimulating.

That said, this may well turn out to be Europe’s decade in tech, and all because the United States failed to heed an important and timeless warning: “We must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military industrial complex.” Eisenhower’s parting words to a nation being enveloped in a cold war were colder still, as a man who had seen a beast grow out of hand during his years in office was urgently pointing at the writing on the wall. But the years passed and the beast grew – premonitions turning to loathsome misery with each passing President who failed to stop the surveillance state.

And now, the military-industrial complex may have destroyed the US’s Internet-industrial complex.

Just as the last two thirds of humanity are preparing to transition into cyberspace, the NSA’s actions have revealed it to be far more of a Wild West than any government feels comfortable admitting. The rule of law breaks down really fast when there’s no clear monopoly on the legitimate use of violence. There are few acts as violent as stealing everybody’s secrets. Almost two hundred countries are screaming for legitimacy, but the one that stayed the most silent – except when berating, say, Iran, for not respecting “Internet freedom” – was the one whose legitimacy had already been eradicated by their violations of the values upon which their country was founded.

Passing over Eisenhower may have been the death-knell for American democracy, but it’s exposure may sound the beginning of a new era of human rights. Those coming online for the first time a few years or decades from now may be faced with a world altogether different from the one we now live in, perhaps partly in that they will have a choice between the monitored networks of Oceania or the liberal cryptarchies of Eurasia. The market will undoubtedly have its say in what happens after that.

For now though, there is a plan emerging. The hackers and the human rights activists, the net-freedom-blah people and the technophiles have been awakening from the post-Arab spring burnout and remembering the things that need to be done to prevent the next Mubarek. Better, simpler, more usable cryptography. Peer-to-peer, verifiable, anonymous monetary systems and democratic decision making systems. Secure communications and full transparency within governance.

During the transition to this new European future, a lot of data is going to have to be stored – refugee data seeking asylum from the terrors of the Anglo-American surveillance state. While the governments of Sweden and the UK may be somewhat too eager to share the data flowing through their resident data centers with their American pals, there are a few countries, notably Iceland, who are willing to provide a strong legal environment, cheap renewable energy, and good connectivity to the rest of the world. Data centers are not the future, but they are the present, and for now there’s an amazing business opportunity out there for countries who are willing to stand up and defend data sovereignty, the notion that individuals have the right to privacy and control over the data they generate.

To those who wish to practice data sovereignty before it becomes cool, I’d say: Come to Iceland. Bring data.

Gluggað í Ríkisfjármálin

Ég asnaðist til að skoða ríkisfjármálin. Vitiði hvað kom í ljós?

Ríkisstjórnin sem boðaði aðhald í ríkisfjármálum hefur eytt umtalsvert meira en vonda fjárglæfrastjórnin sem sat áður.

Ríkisstjórnin sem boðaði lægri skatta hefur innheimt töluvert meira skattfé en vonda skattpíningarstjórnin sem sat áður.

Athugið að þetta er þrátt fyrir að ríkisstjórnin hafi afþakkað milljarðatugi í auðlindagjald frá handhöfum einokunarréttar á fiski.

Reyndar eru 25 milljarðar af tekjuaukningunni í formi sölu á hlutabréfum í eigu ríkisins.

Ég miða hér við árið 2013. Á fyrri hluta ársins 2013 var gamla ríkisstjórnin við lýði, fyrstu 5-6 mánuðina. Þetta er ekki sundurliðað eftir mánuðum, því miður. Því varð maður að bera þetta saman við nokkur fyrri ár til samanburðar, en ég á erfitt með að sjá annað en að það hafi mestmegnis verið nýja ríkisstjórnin sem breytti stefnunni.

Ríkisstjórnin kostaði 33.4% meira árið 2013 en árið 2012. Nákvæmlega tveir yfirflokkar kostuðu minna 2013 en 2012: Atvinnuvega- og nýsköpunarráðuneytið, og fjármagnskostnaður.

Atvinnuvega- og nýsköpunarráðuneytið lækkaði sig um 1%, að því er virðist aðallega með því að leggja niður fóðursjóð, húsbyggingasjóð, og minnka verulega framlög til byggðaáætlunar og iðju og iðnaðar (sem felur í sér átak til atvinnusköðunar og ýmis nýsköpunar- og markaðsmál).

Fjármagnskostnaður er peningur sem notaður er til að borga vexti (aðallega) af skuldum ríkisins, og lækkar helst ef vel gekk að borga af skuldum eða endurskipuleggja skuldirnar á árinu á undan.

Allt annað hækkaði.

Forsætisráðuneytið um 26.3%. Þar mátti helst nefna hækkun á fjárframlögum til aðalskrifstofu ráðuneytisins, töluverða hækkun á framlögum til óbyggðanefndar, þjóðminjasafnsins, og Þingvallaþjóðgarðs.

Fjármála- og efnahagsráðuneytið hækkaði um 19.7%. Þar mátti helst sjá 17 milljarða króna aukningu á afskriftum af skattakröfum, þar sem farið er um 11 milljarða umfram fjárheimild. Einnig er liður í því ráðuneyti sem ber titilinn “(óþekkt)”, þar sem tæplega 2 milljarðar hafa horfið.

Sumt eða allt af þessu kann að eiga sér ástæður, en erfitt er að sjá hvernig þetta telst vera aðhald í ríkisfjármálum.

Ég verð að viðurkenna að ég skil þetta illa. Það væri forvitnilegt að vita hvað formaður fjárlaganefndar hefur um þetta fyrirkomulag að segja, enda virðist ríkisstjórnin þrátt fyrir allt að vera að starfa vel innan fjárlaga á árinu 2013. Þetta voru auðvitað fjárlög sem voru sett 2012, þegar Björn Valur Gíslason var formaður fjárlaganefndar, en þetta er samt skrýtið og úr takti við árin á undan.

Það verður gaman að sjá hvernig þetta kemur út fyrir árið 2014 – en merkilegt nokk, þá hafa tölur fyrir árið ekki verið birtar, en það er ekki nein tæknileg ástæða fyrir því að það ætti ekki að vera hægt að birta útgjöld ríkisins jafnóðum.

Ríkisfjármál eru flókið mál. Hér er ég ekki að skammast í neinum, en mér finnst full ástæða til að draga athygli að þessu og spyrja spurninga.

Baul Bullukollanna

Það er ekki algengt í íslenskri stjórnmálaumræðu að hlutir séu sagðir með skýrum og afgerandi hætti svo ekki verði um villst. Því verður að teljast óþolandi þegar fullorðið fólk leikur sér að því að snúa út úr, þegar það er gert. Vandinn er að erfitt er að sanna að menn eins og Sigmundur Davíð Gunnlaugsson og Björn Bjarnason séu að snúa út úr, en séu ekki bara svona heimskir. Ýmislegt styður hvora tilgátuna.

Svo þetta sé gert alveg skýrt, enn og aftur:

Friðhelgi einkalífsins snýst um vernd hinna valdaminni frá misbeitingu hinna valdameiri.

Gagnsæi snýst um að opna hina valdameiri gagnvart eftirliti hinna valdaminni.

Upplýsingafrelsi snýst ekki um að allar upplýsingar séu opnar öllum alltaf, heldur að flestar upplýsingar séu opnar flestum alltaf, en sumar upplýsingar séu verndaðar, alltaf. Línan er dregin á skýrum stað: ef upplýsingar eiga erindi við almenning og það þjónar almannahagsmunum að þær séu opinberar, þá skulu þær vera opinberar. Ef upplýsingar eru persónulegar og koma engum við, þá skulu þær vera friðhelgar.

Það er ekki flókið að skilja þetta. Að forsætisráðherra landsins skuli eiga erfitt með að skilja einföld grunnatriði er grafalvarlegt. Neyðist maður til að spyrja sig hvaða önnur grunnatriði hann eigi í vandræðum með. Sem betur fer er Björn Bjarnason hættur að geta valdið skaða í íslensku samfélagi, nema með bauli sínu.

Crowdsourcing the Constitution - Lessons From Iceland

I was in Edinburgh some months ago visiting Bella Caledonia. I did this talk there, trying to give some history and background to the Icelandic constitutional process of 2010-2013, and putting it into a context of Scottish independence.

Suffice to say, I think Scotland should be independant. I say at least twice in this talk: EVERY reason that’s been given for people to vote “no” is invalid.

Maya Og óttinn

Í gær dó Maya Angelou, 86 ára gömul. Hún var kona sem barðist alla ævi sinni gegn mismunun. Vegna ótta annarra á hinu óþekkta fæddist hún, sem blökkukona í suðurríkjum Bandaríkjanna, inn í samfélag þar sem sumir máttu en aðrir ekki. Þessi aðgreining, sem var til komin vegna mannvonsku og fáfræði, ýtti undir fátækt, sem svo leiddi af sér glæpi.

Þegar hún var sjö ára gömul var henni nauðgað af kærasta móður sinnar. Hún sagði frá ódæðinu, sem varð til þess að æstur skríll drap nauðgarann. Hún öðlaðist við þetta sinn eiginn ótta – ótta við að orð hennar gætu haft alvarleg áhrif – og þagði hún því í sex ár þar á eftir.

Það er til fólk í öllum samfélögum sem nærist á ótta, eigin ótta eða ótta annarra. Þessi ótti er lamandi, hann tætir burt alla skynsemi og hamlar framförum.

Þessi ótti hefur ahrif á hegðun fólks. Hann veldur þröngsýni og fátækt í hugsun. Hann lætur fólk hverfa ofan í þjóðerni sitt, litarhaft eða trú. Lætur fólk reiðast þeim sem eru sér ólíkir, og spyrna gegn þeim. Í einhverjum tilfellum veldur það flóttahneigð: fólk skapar sér ímyndaðan heim þar sem það verður ekki vart við taugaveiklun sína gagnvart hinu óþekkta. Það var einmitt vegna þannig ótta sem Martin Heidegger kallaði eftir “rótfestu í hefðum sem tengjast stað og umhverfi sem eina öryggið sem býðst í pólitískum eða félagslegum aðgerðum í hættulegum heimi.”1

Aðgreining leyfir fáfræði um mismunandi félagslegar aðstæður og menningar að dafna, sem ýtir undir gróusögur, sögusagnir, og kolrangar staðalímyndir.

Popúlismi getur af sér popúlisma

Þegar fólk nærist á ótta annarra og hagnast á fordómum þess, þá kallast það popúlismi. Popúlistinn reynir að finna veikan blett, einhverja bólu í hugarfari náungans, og þrýsta á hann. Stundum kemur eitthvað slímugt út.

Popúlistinn er oft ekki að því vísvitandi: þeir eru sjaldan svo snjallir. Þeir athafna sig eftir sínum eigin ótta. Stundum er þessi ótti við fólk eins og Mayu Angelou, sem er öðruvísi á litinn en hinir hræddu. Stundum er þessi ótti við fólk eins og Harvey Milk, sem hefur aðra kynhneigð en hinir hræddu. Stundum er óttinn við fólk sem trúir á aðra guði, eða jafnvel sama guð undir öðru nafni. Eða fólk sem bara klæðir sig öðruvísi, eða talar annað tungumál.

En popúlistinn veit að hann getur ekki hagnast á sömu fordómum endalaust. Því þarf popúlistinn alltaf að víkka út. Bæði með því að víkka út eigin fordóma, en líka með því að skapa meiri ótta. Gera samfélagið beinlínis verra.

Þetta er gert með hólfun og skipulagningu. Allt á að vera á sínum stað, allt á að hegða sér rétt. Allt á að lúta stjórn. Eins og Vidler komst að orði eru nútímaborgir orðnar að “ímynd Taylorískrar framleiðslu”2. Edward T Relph sagði þessa hugmynd hafa leitt af sér samfélag sem var “afturhaldssamt, ljótt, sterílt, andfélagslegt, og almennt illa séð.”3

Popúlistinn hræðist það sem hann skilur ekki. Því gefur hann sér það hvernig allt virkar, og reynir að umraða heiminum í það líkan. Allt sem ekki passar er ýmist þröngvað inn í það, eða því er tortímt.

Einn daginn eru múslimar slæmir, og næsta dag eru það allir sem ekki eru kristnir. Næsta þar á eftir eru það einhverjir aðrir.

Frægt er ljóð Martins Niemöller: “first they came for the Socialists, but I did not speak out – because I was not a Socialist.” Muniði hvernig það endar?

Popúlistinn byrjar alltaf á einhverju einföldu, einhverju – eða einhverjum – sem öllum er sama um.

Það var enginn eftir til að tala fyrir þig

Það krefst hugrekkis að sigrast á ótta. Það krefst enn meiri hugrekkis að hafna popúlisma. Maya Angelou gerði hvort tveggja, og á langri ævi sinni sá hún heiminn breytast á ýmsa vegu, stundum til hins betra, stundum til hins verra.

Á þeirri tæpu öld sem hún lifði tók óttinn á sig margar birtingarmyndir. Maya Angelou byrjaði að tala á ný meðan seinni heimstyrjöld geisaði, á tíma þar sem milljónir létust vegna ótta. Stríðið kom til ekki síst vegna þess að fólk sem nærðist á ótta annarra náði yfirhöndinni yfir rökhyggju. Þetta er auðvitað einföldun, en skrefin voru þrjú:

  1. Hrun í fjármálakerfinu sem hafði alvarlegar afleiðingar fyrir afkomuöryggi fólks
  2. Vaxandi þjóðernishyggja, einangrunnarhyggja og annarskyns óttadrifin pólitík
  3. Heimsstyrjöld þegar það sauð upp úr milli nágrannaþjóða og þjóðarbrota

Við erum einu skrefi frá því að þurfa að horfa upp á annað blóðbað. Á vissan hátt er það þegar hafið: í Sýrlandi, í Úkraínu, í Tælandi. Eins í kosningunum í Evrópu um síðustu helgi, og kosningunum sem eru framundan á Íslandi, þá var óttadrifni popúlisminn aðal umræðuefnið. Það kemst ekkert að, nákvæmlega ekki neitt, nema hræðsluáróður, fordómar og viðbjóður.

Það kvarnast fljótt úr hugrekkinu þegar óttinn er allstaðar. En það er óskynsamt að óttast hið óþekkta, þegar hið þekkta er miklu verra: ef þessi óttadrifna alda popúlismans fær að halda áfram með sama hætti, þá er raunveruleg hætta á því að næsti umgangur verði ofbeldisfullur. Að samfélög sem höfðu öll heimsins tækifæri til að læra hvor af öðru og bæta sig taki sig í staðinn til og heyji stríð.

Það þarf ekki að gerast. Francis Fukuyama hafði rangt fyrir sér: sagan er ekki búin. Maya Angelou sigraðist á sínum ótta og varð ásamt Martin Luther King, Malcolm X og Nelson Mandela einn af risum mannréttindabaráttunnar. Þannig getur sagan okkar orðið. Hugrekkið getur tórað enn.


  1. Vitnað: Harvey, The Postmodern Condition, bls. 35.

  2. Anthony Vidler, The Third Typology.

  3. Edward T. Relph, The Modern Urban Landscape

Engineering Our Way Out of Fascism

The following is a transcript of my keynote lecture at FSCONS 2013. Releasing it now because my last post referenced it, and at SIF 2014 today, Carl Bildt essentially proved pretty much all the points I made here.

It is good to be here, it is always good to be here at FSCONS. More so than any other event I attend, to come here is to come home. Yet to come upon this stage is always a reminder that we have work to do, and this year, more than any previous year, we have work to do. In part that is perhaps because in previous years we were too lighthearted about the work we need to do, or too blasé or too busy doing other things. Of that I am as guilty as any of you. But we need to talk about this seriously now.

The work that needs to be done now exists for reasons that need no introduction. I’m going to try and talk about that work, and about about knowing, and about acting. I’m going to try and talk about fascism, though not in the sense we normally use the word. And I’m going to talk about the distinction between technology and politics, and how we allowed ourselves to be convinced by the fascists that such a distinction existed, and even those of us who are very much aware of the political implications of technology are often blind to the implications of those politics. And of course, I’m going to talk about what all of this has to do with Free Software.

This year has been a good year for knowing. We now know many things that we were not supposed to know, that those who intended us not to know were very serious about keeping from us. We also know that there is much more that we will know soon, and those who do not want us to know these things are struggling to figure out how to keep this knowledge from us. Their goal is ultimately to determine in which way they can cut off free speech without seeming to do so.

In England where I now reside there are discussions of how to prosecute those who know things that we should know, how to cause David Miranda to be rendered permanently persona non grata for the sole crime of having passed through an airport’s transit lounge. All is not as it should be. It would be ludicrous to claim that England were a democracy, but as many still make such claims it’s worth noting that these are not the actions of a democracy.

In light of Edward Snowden’s exposures of massive surveillance conducted by the United States Government, a lot of commentators from political, technical, social and mathematical angles have debated heavily the question famously framed by one from the country where Snowden sought refuge as Что делать? What is to be done?

In order to answer the question, the question must be asked. Unfortunately a lot of the public debate around the response to the revelations has avoided defining the actual problem and has fallen short in terms of defining concrete solutions.

Understanding the Problem

The problem created by the existence of ubiquitous surveillance conducted by a state in consortium with private actors falls into a few broad categories. There are issues which arise internally within the state in question, issues which arise externally in the international realm, then there are existential issues, and there are more general issues with the political trend.

I have recently spoken in other venues about the existential problem of ubiquitous surveillance, so I will not go deeply into that topic except to say that in the time since I did those speeches and wrote those essays, their harshness has not only been repeatedly justified but shown to be severely understated.

The existence of these systems is a fundamental threat to society.

The best way I have found to think of this is to think of nuclear weapons. Nuclear weapons have been used to murder around 260.000 people over the course of human history. The people who committed that crime have never been held to account, but having narrowly averted a mass extinction event, in part through actions taken in Berlin exactly 24 years and one day ago today, we now have roughly ten thousand of these devices in existence today. We don’t know where all of them are, but we know that they exist in a scarcity economy, they are countable, and they can be dismantled.

Surveillance technology does not have this feature. Software, being not subject to the same structures of scarcity as nuclear weapons are, can exist in uncountable copies throughout the Internet. We don’t know where Prism is, nor do we know on how many computers Boundless Informant runs. And we might never know. This means that for all intents and purposes, we must assume that the cold war of surveillance is one that can never actually end – not through the felling of any Iron Curtains.

The Digital Curtain is impervious to all the world’s Berliners.

The people who built these tools have not directly through them killed anybody, although indirectly these tools have doubtless facilitated state murder. However, the fundamental rights of at least 2.5 billion people have been violated through the creation of these tools, and within a narrow margin of possibility that we have not yet explored, the creators will never be held to account.

The Internal Problem

Internally within countries such as the United States and the United Kingdom, the problem of ubiquitous surveillance is one where the distinction between the inside and the outside is lost. In an episode of Battlestar Galactica from 2004, the protagonist Commander William Adama states that “There’s a reason you separate military and the police. One fights the enemies of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” Here he echoes a sentiment more concisely expressed by Boroughs when he quipped that “a functioning police state needs no police.”

More recently, and less fictitiously, Eben Moglen stated in Westward the Course of Empire that: “Military control ensured absolute command deference with respect to the fundamental principle which made it all ‘all right,’ which was: ‘No Listening Here.’ The boundary between home and away was the boundary between absolutely permissible and absolutely impermissible—between the world in which those whose job it is to kill people and break things instead stole signals and broke codes, and the constitutional system of ordered liberty.”

The internal problem of ubiquitous surveillance is that it amounts to a refutation of the individual’s ability to defend actions against government scrutiny. It does not, oddly, eliminate the presumption of innocence – formalized as ei incumbit probatio qui dicit,non qui negat, that the burden of proof lies with the accuser and not the accused – but rather allows the accuser to see all the cards, always. While some will argue that a just government should have the ability to be able to see all the cards at all times in the name of prevention of crime, such argumentation does not address the flawed logic of presuming that the government is just.

Once one makes such an assumption, as various commentators including former editor of The Independent, Chris Blackhurst, have done quite publicly of late, then any criticism of existing authority is automatically considered invalid, and any actions taken by existing authority are considered valid. Blackhurst argued that “If the security services insist something is contrary to the public interest, and might harm their operations, who am I to disbelieve them?”

In Robert Altemeyer’s The Authoritarians, he set up three criteria for a person being considered to have the psychological profile of a Right-Wing Authoritarian follower:

  1. a high degree of submission to the established, legitimate authorities in their society;

  2. high levels of aggression in the name of their authorities; and

  3. a high level of conventionalism.

He further argues that “most people seem spring-loaded to become more right-wing authoritarian during crises.” All of these behavioral characteristics are demonstrated in spades by those journalists and pundits who have been most rabid in justifying government secrecy and denouncing those who would expose it, as a crisis of confidence is unraveling public trust of the presiding authorities.

In short, the internal problem of ubiquitous surveillance comes down to a question of legitimacy. In previous times, any government operating a highly efficient analogue of the Stasi would be deemed illegitimate and undemocratic, a government that imprisoned those who exposed wrongdoing would be considered to be rogue, and a government bent on preventing public discourse by sending thugs over to media outlets offices to drill holes in hard drives and set fire to computers would be considered despotic at the very least. A government has no legitimacy when it spies on its citizens and lies about it perjuriously, covers up systematic war crimes and throws those who exposed them in prison for 35 years, and holds people without trial for investigating leaked evidence of criminal wrongdoing. The crisis of modern western democracy is a crisis of legitimacy.

The External Problem

Externally, there is a diplomatic problem. The crisis created by Edward Snowden’s revelations are pushing diplomatic boundaries in ways that even Chelsea Manning’s revelations didn’t, with Obama refusing to visit Putin, Rousseff refusing to visit Obama, and Morales being forced to visit Fischer by Portuguese, French, Spanish and Italian airspace authorities. If you had been cryogenically frozen during the Cold War, then thawed out in 2013 and had this situation explained to you, you wouldn’t believe any of it.

In particular, you’d have trouble grocking the fact that a post-dictatorial South America appears to be the most vigilant in upholding the spirit of the Universal Declaration of Human Rights, while Western European and American authorities are vigorously defending the exact same kind of activities that they previously used so as to define the USSR as the enemy.

Since nation states came into existence, there has been a general understanding that every government spies on every other government to the extent they can, without being overly aggressive, overt or unsubtle. This diplomatic allowance has nevertheless not been assumed to extend to the general public or to industry, although at various times various governments have overstepped those bounds and been given a stern talking to. However, since the time when Henry L. Stimson proclaimed that “Gentlemen do not read each other’s mail,” in his closing of the Black Chamber – an artifact of US military imperialism that Stimson, in 1929, considered to be outdate and inappropriate – there has been a growing anxiety relating to government interception of cross-border telecommunications, to no small degree fueled by the globalization of trade and the concentration of the world’s communications onto a few hundred undersea fiber optic channels.

The external problem, then, becomes one of trust. The gentleman’s agreement to conduct only the minimum amount of spying necessary to protect national interests, and only on public officials of the governments in question, which is very subtly semi-formalized in the Vienna convention, is there to make sure that allies can trust each other, enemies can still conduct trade, and everybody could more-or-less get along. Indeed: during World War I, the UK and Germany, while being at war with each other, were the world’s single most active pair of trade partners. When that trust is broken, it presents a threat to international diplomacy, it upsets international trade, and it makes the founding of any new diplomatic alliances way more complicated than it already was.

The fallout of this is becoming clear: Brazil is going to run its own fiber optics to Europe and finance the creation of alternative systems for e-mail to contend with American commerical offerings, while various other countries are considering measures as far apart as trade sanctions against the US, self-balkanization from the Internet á-la China, or overhauls of internal government communication standards. Very few governments are entirely blasé about this, and none should be.

The larger trend problem

Underlying all of this is a worrying trend. Over the last decade, the pendulum of cultural liberalism has swung back in many ways, with wars on terrorism, drugs, etc becoming all the more central to discussions globally. Inequality has grown and authoritarianism on the rise.

This authoritarianism is not the crude, forceful authoritarianism of previous centuries, where brutal measures were taken against all that opposed the regime, but a softer, more subtle form of authoritarianism, derived from the right wing branch of nationalism known as fascism. In order to prevent people from rising up against them, the people must be subdued and convinced that the life they lead is not too bad and that it could be worse. When I was a child, my grandmother used to say “think of the children in Africa.” Without meaning to say that my grandmother was a fascist, I recognize that this form of discourse is a subtle part of the cultural fascism that we have become accustomed to.

Fascism has become the dominant political system of the world, under the traditional definition of fascism rather than the more modern catch-all if-shoe-fits definition, but various aspects of how it came to prominence – through ­­agreements, diplomacy and skirting of poorly enforced or unenforced rules. both explicit and implicit – have led to it not being noticed by most people. The fact that this is the case has led us to a point where the likes of NSA are an inevitability, but so are the likes of Monsanto, Northrup-Grumman, JP Morgan, Microsoft, and so on.

Fascism: The perfect union of state and business.

Let’s not lose track of what we’re talking about. Fascism in this form is also known as a “mixed economy”. You might have noticed how Nordic social democracy is all about the promotion of mixed economies, but in practice, this means that the governments support certain large companies directly or indirectly with monopoly rights, procurements, grants and so on, while leaving what Venkatesh Rao called the “Jeffersonian middle class” in the gutter.

Sweden is proof that Fascism can be pleasant.

Last month, US Senator Dianne Feinstein suggested that “if you want to find a needle in a haystack, you first must have a haystack,” as a justification for the creation of massive databases detailing nigh every aspect of every individual’s life. In response, ex-FBI agent Coleen Rowley wrote that “Of course self-righteous builders of massive haystacks are not inclined to point out that it’s inherently easier to find a needle if it isn’t covered with hay,” pointing out the logical fallacy behind the argument but not deepening our understanding of the internal logic of a governance structure where such statements are considered reasonable. A “Feinstein’s Haystack” can be defined as a problem that has been created for the purpose of creating the impression that it is being solved. In order to retain authority, legitimacy is required. The most efficient way to gain legitimacy is to impress on ones followers that the role of the authority is justified and the holder of the authority is necessarily the best suited for the job. Through the creation of this institutionalized make-work, authoritiaran leaders retain legitimacy – even when the justifications are illogical.

One sees similar logic deployed globally to justify direct – if subtle – atrocities committed against humanity. Not so much a victimless crime as a crime that the victims won’t notice until it’s too late.

A Cost Estimation

Let’s run some numbers on this.

About 2.5 billion people are affected by NSA’s surveillance activities. This is an estimation of the number of people using the Internet in the world, a number that can be expected to grow quite substantially over the next several years. To break this number down a bit, current estimates put the number of users of e-mail globally at 1.9 billion individuals as a conservative estimate, with 2.3 billion being a more likely reality. Facebook has 1.15 billion users, Skype has around 600 million users, Twitter is of similar size. Dropbox has 175 million users.

Over a billion Android smartphones and tablets are in circulation, and over 250 million Apple iPhones and iPads. Amongst e-mail users, roughly 435 million people use GMail, 325 million use Outlook.com (formerly Hotmail), and 298 million using Yahoo! Mail. The top ten e-mail providers in aggregate host between 70-90% of all (legitimate) e-mail accounts, with the top fifty providers accounting for close to an estimated 99% of the e-mail market.

Further: During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers. This gives some idea of the relative internal security capacities of these core vendors. It has long been known that Yahoo’s operational security is quite bad as far as user privacy is concerned.

The DNI (Director of National Intelligence) budget is about 52 billion dollars per year. That covers NSA, CIA and some other things, but it does not include US Cyber Command, ONI (Office of Naval Intelligence), any US Airforce surveillance activities, research done at the National Defense University and other similar organizations, nor does it include surveillance conducted by other five eyes partners. Adding those other aspects, it’s not a stretch to guess that the total budget is $120 billion/year.

$120 billion over 2.5 billion people over 365 days a year gives us a cost estimation of this catch all surveillance of about $0.13 per person per day. Let’s call that PPV: Price Per day of Violation. This is incredibly cost effective for the surveillance states. Of course, a lot of the $120bn are going to various tasks which are not directly related to spying on the general public – everything from keeping the floors clean at Fort Meade down to conducting drone strikes on people in Pakistan.

But since we don’t know the exact division and all of these things factor into the same system of systematic human rights violations, let’s just use the total figure. Actually, this is also better for the following analysis because it assumes their capacity to be greater than it actually is, which is to say that the biased assumption that pervasive ubiquitous surveillance is bad leads us to want to overestimate rather than underestimate the total surveillance capacity. Of course, if it were possible, we would prefer to be accurate, but the asymmetric clandestine nature of the surveillance measures makes accuracy hard.

Raising the Stakes

A lot of people have been asking “how do we reclaim our privacy”? The answer to that is an economic one. The total global surveillance budget is finite and subject to a lot of real world restrictions. It cannot grow indefinitely. However, we can raise the cost of each privacy violation substantially.

This requires a three pronged attack: technological development, policy advocacy, and litigation. The technology side is likely to be the biggest individual contributor, but we should not discount the benefits of influencing policy makers and dragging offenders through the legal system.

The goal of those interested in protecting human rights should be to raise the average cost of surveillance to $10.000 per person per day within the next five years. This reduces the effective surveillance capacity to about 32.000 people, assuming no budget changes, which strictly promotes targeted surveillance and careful planned target acquisition. In reality, this will be a lower number simply due to the expected increase of Internet users over the next five years and the associated scaling costs with low level traffic analysis.

How to get to $10k PPV?

First, let’s talk about litigation options. The fine people at Privacy International (support their work!) are currently working on taking the seven largest telecoms providers in the world to court over fiber optics surveillance, based on violations of article 8 of the European Convention on Human Rights. The Electronic Frontier Foundation (support them too!) is involved in multi-district litigation against the NSA and various other parties. These two organizations are doing remarkable and amazing work, but they do have limitations on how much they can accomplish, and there is a lot of stuff that they can’t reasonably cover. If they get more money, they can do more things. This is kind of obvious, but seriously consider contributing.

Amongst the many untapped legal options is directly suing various providers, such as Verizon, AT&T, T-Mobile, Apple, Yahoo!, Google, Microsoft, Amazon, SWIFT, Barclays, ABN AMRO, Deutsche Bank, UBS. Why so many banks? Because it isn’t just the Internet that is being monitored.

On top of this, it might be worth considering lawsuits against governments directly. This will be harder to do, but if won, these would have a substantial effect on the situation.

The reason this will be effective in raising the bar is that it will make the various private entities involved feel a direct bottom line impact on their businesses resulting from their collusion with state actors, which will lead them to push back to a much more significant degree than they have so far.

Litigation however will only get us so far. A large amount of policy work is needed in order to fix the current situation. Specifically, numerous international agreements need to be reconsidered and renegotiated. Cross-border data protection agreements should be looked at, and similarly the Wassenaar agreement needs anything touching on cryptography taken out of it. Laws within countries can be improved, in particular data protection laws and laws regarding cryptography. Countries that require key escrowing for instance need to stop doing that.

The Tax Issue

If you happen to be living in one of the Five Eyes countries, the numbers game gets a bit more complicated by sheer virtue of taxes. You see, unless you are dodging taxes, you’re actually funding the adversary. That means that if you start a company around the issue of protecting privacy, base it in a Five Eyes country, and you don’t pull a double-Irish or some other trickery to get out of paying taxes, you’re going to be funding both sides of the battle. In a sense, this fact makes tax-avoiding companies like Google and Facebook somewhat better, in that at least they aren’t funding the surveillance state.

Technical Solutions to Political Problems

Then there’s technology. Although policy and litigation approaches are useful, they will not do anywhere near as much to raise the PPV as improvements to technology. Here, technologists like many of us must first admit a few things to themselves, and then devise a strategy that is likely to succeed.

In the late eighties and early nineties, we could be forgiven for caring about technology. We were busy building an operating system, we were exploring the reality that is afforded to us when we can control every part of our computers, from bootloaders, keyboards and disk I/O up through graphics adapters, graphical user interfaces, networks and even Perl. We were a nascent breed who could do anything, and the technology was exciting.

Now, we’re a bit further down that particular road and we have to stop taking the political consequences of Free Software for granted – as many of us unfortunately do. Even those of us who are the most politically aware sometimes subtly mistake arbitrary decisions about the protocol we use, the cryptosystem we employ, or whether we zero index our arrays, as being purely technical decisions. And while I’ve not yet fully comprehended the political implications of using a red-black tree rather than a binary tree, it is a well documented fact that choosing ASN1 over C-strings can have far reaching political implications.

On top of that – sorry guys – but we suck at design. We suck so much at design that many of us still think a command line is a great user interface, and many of you will defend that stance strongly. Don’t get me wrong, I love the command line, but the command line is a language for people who care about technology. Good user experiences should not require a user to care about technology. In one sense, that comes down to the crux of the problem: Many of us in the free software movement care more about technology than we care about people. Software over wetware. That’s a political stance too.

That brings us to what is to be done – Что делать.

After I had prepared this talk, I found time to watch the intervention Bruce Schneier made at the IETF conference in Vancouver last week, and found that almost everything I had to say had been rendered redundant. Nevertheless, let me give you the outline – and please then go and listen to Bruce.

Moving everything we control from centralized to decentralized infrastructures is the first step. This is one many of us have cared about for years, but it’s a step that the numbers I previously mentioned show that we have been failing in.

Technology is always political, and how even small design decisions made by software developers can have a drastic effect on the political outcomes over long or short periods of time. I’d like to suggest that software developers generally need to start developing like they give a damn about the society they live in – which may be true of the free software movement to a certain but absolutely insufficient degree, and is entirely untrue of those software developers who have not thrown in their lot with the free software movement.

Specifically, I want to rabidly attack the notion that usability and functionality are at odds with each other, and the idea that presenting users with a half baked system where they need to break out the command line whenever things don’t operate within some arbitrary parameters of normalcy is in some way acceptable. Most people don’t care about technology, they care about doing the things that are meaningful to them. They don’t want to spend all day fiddling with GnuPG’s parameters or figuring out whether their XMPP session is being transferred over SSL. They don’t want to know about IPSec or AES.

No. They want to be farmers, or merchants, or dentists or doctors. They want to teach our children languages and mathematics. They want to build houses or spaceships or plumbing or bridges or roads. They don’t have time to work with bad technology that we made badly because we didn’t care about them.

What’s worse: when companies that don’t care about those people either give them highly usable software that doesn’t respect their fundamental rights, most people will go for it because despite its failings, it at least gets the job done. If what we offer them as an alternative is not at least as good in terms of getting the job done – from the perspective of a nontechnical user, it does not matter at all how ideologically pure our offering is.

Software that helps 100 people do something wonderful is absolutely meaningless if it’s unusable by the next five billion people.

Bottom line: If you’re developing software and you aren’t developing that software for the benefit of all humanity, you are helping the fascists.

What needs to happen now is pretty simple: We need to migrate the next billion people off centralized infrastructures and give them strong crypto, and we need to do that over the course of the next five years, at maximum. We must not fail this task. Over a longer timeframe, we must expand this to everybody.

Decentralizing everything, encrypting everything, and hardening all of the endpoints, will not get us out of the fascism we have found ourselves in. Engineering our way out of fascism is a necessary step, but not a sufficient step. We need to fundamentally restructure our societal governance models, but we’ll get to that. That’s later. This is now. We are technologists. Let’s make what tech we can.

Big Silos, Small Privacy

For many months I’ve been going around claiming that about 90% of all e-mail users use the top ten e-mail providers. This claim was always a ballpark estimate, but it was based on a bunch of statistics that I collected from here and there around the Internet.

Most importantly, there appear to be between 2.5 and 3 billion Internet users globally, and there appear to be between 2.4 and 2.7 billion e-mail users. Some old self-reporting figures from GMail – dated because it’s probably no longer in Google’s interest to say how many users they have, since they’re dominant – said they had 435 million users. That was in 2008. It’s not a stretch to think they’ve stil got about 20-25% of the total market. Hotmail/Outlook.com and Yahoo add substantially to these figures, at least sucking up the first billion. The next seven after that (which include services like the Russian Yandex and the Chinese QQ) easily cover the next 1.1 billion users.

Ballpark figures are nice, but it’s always good to back them up with data. Benjamin Mako Hill presented some data the other day which helps us with this. Based on a conversation with the Electronic Frontier Foundation’s Peter Eckersley, he started investigating how much of his private e-mail goes through Google’s servers. In his posting, he says that “Peter pointed out that if all of your friends use Gmail, Google has your email anyway. Any time I email somebody who uses Gmail — and anytime they email me — Google has that email.”

Mako went on to make a simple Python script and R script to run through his MailDir, extract the data, and generate some nice graphs from them, including a LOESS smoother showing a floating average over several weeks.

Mako's GMail delivered Email over time

His results were shocking: “Last year, Google delivered 57% of the emails in my inbox that I replied to. They have delivered more than a third of all the email I’ve replied to every year since 2006 and more than half since 2010. On the upside, there is some indication that the proportion is going down. So far this year, only 51% of the emails I’ve replied to arrived from Google.”

Mako's GMail delivered Email over time (proportionate)

Expanding on the scripts

Now, Mako’s observations are interesting, but they don’t, as such, help us figure out how much of the world’s e-mail is going through the top ten providers. And actually, that doesn’t matter to me really so much as the question of how much of the world’s e-mail is passing through services that are compromised by the Five Eyed Monster. So time to do a bit of expanding.

First off, I have a large number of MailDirs, so I added support for scanning a whole lot of them. Then I expanded his capture rules to include some other large E-mail providers, including Outlook/Hotmail/Live, Yahoo, Mail.com and, of course, the undying AOL.

The scanning took a while. Mailpile tells me that I have about 316.000 e-mails in my current mail directory, but this is only from early 2009 – anything before that is on a separate hard drive that I didn’t include in my scan.

I also had to modify my script to not include two awkward events: earlier this year, a server that used to be managed by me but still had my e-mail address on its error-reporting list decided to send me about 17000 e-mails over the course of 3 days. Another similar event happened in 2012, where a server I was managing freaked out overnight and sent me a couple of thousand e-mails. These were easily eliminated.

My modified scripts are available on Github.

Results

At first glance, my results are a bit more shocking than Makos. It appears that for a long time, almost all of my e-mail seems to have gone through the servers of the large service providers. Over the years less and less of it has done so. In particular, for most of 2009 and 2010, the average is just shy of 90%.

My e-mail that "touched" big service provider servers (proportionate)

At first, it seemed like it had started dipping downwards quite substantially in 2010-2011, but when I added e-mails received from social networking sites such as Twitter and Facebook, which periodically come to notify of messages being sent, it pulled the data back up a bit – but not the whole way. This might be good or bad, I’m not sure.

The overall trend is more encouraging: less and less of my e-mail seems to go through these large service providers. In particular, there is a very sharp downturn that starts in the summer of 2013. This appears to coincide with the Snowden revelations, and suggests that a great many people who communicate with me have, since the summer of 2013, stopped doing so using the servers of the large e-mail providers. Good job, y’all!

Now, there are a bunch of caveats. Most importantly, my inbox is not representative of inboxes on the Internet. In particular, I was asked by a friend to whom I showed this data whether he could do a similar analysis. I responded by pointing out that his e-mail address ends with @gmail.com, and therefore 100% of his mail would have gone through the servers of large service providers. If 90% of all users use these large service providers, and we assume that the other 10% have statistical properties like mine, then there is a fair chance that around 99% of all e-mail goes through major servers. If you change those assumptions, the numbers can be worse or better, of course..

In order to get a better understanding of the actual layout, it would be good to gather a collection of data. The data generated by Mako’s script is anonymous. The only fields are mail status (to get the replied data), timestamp, whether it was mailing list mail, and whether it matches critera (i.e., whether it went through a big provider or not). There is some room for abuse, in particular in that the timestamps on my incoming mail give strong indications as to which timezones I communicate with the most, and the frequency of mailing list tagged mail may be of interest to somebody. But seeing as how the Five Eyed Monster already has this data, and I’m not particularly worried about other people having this data, I’m okay with it.

For that reason, in the source archive, I’ve put my own tab seperated value output file. I’d like to solicit pull requests against that repository for more data sets. It may help to give a more accurate composite statistical overview of where we stand.

Cost estimation

Throughout the NSA surveillance discussion, I have been arguing that the way to “win”, where we define winning as cause the Five Eyes to not conduct blanket surveillance any more, is to price them off the market.

The calculus of that has been based on a bunch of assumptions. In short, we assume there are about 2.5 billion people who use the Internet, and the total surveillance budget is on the order of 120 billion dollars per year. That roughly comes out to about $0.13 per person per day.

However, it’s immediately obvious that the obvious method of deriving this number is not smart: if you increase the number of Internet users, or increase the cost of monitoring any individual user, this is not correctly reflected in the figure. So I’ve chosen to use $0.13 per person per day as the baseline, and raise the number by arbitrary estimations.

It is pretty certain that the number of Internet users has gone up, but I’m assuming that most of the Five Eyes surveillance methods are largely insensitive to changes in population. However, there are a few things that have happened since Snowden released his documents:

  1. There are a lot more people than ever who encrypt their data. This is not a statistically significant number yet, but it’s bound to impact the bottom line. I’m willing to say that progress so far amounts to +$0.01 per person per day on average.

  2. A lot of people are moving away from big e-mail providers, as evidenced by the above data. Based on my data, it looks substantial enough to warrant giving it +$0.10 per person per day. If it turns out that this trend is replicated in lots of other people’s data, then I may be willing to revise it up.

  3. Morale in the NSA is apparently quite low. This is presumably because the NSA staff discovered that the people of this world do not appreciate being spied on. Low morale may reduce efficiency, but I’m not going to give them too much for that: +$0.01.

There may be other factors, but at the same time there are some other problems. The biggest is that there are all sorts of dangerous snake oil services popping up all over the place that either recreate the Lavabit stupidity wholesale or else don’t even go that far and provide “security” measures that are just downright stupid and dangerous. I therefore hereby assume that ProtonMail, Virtru and other comparative “secure e-mail services” are thoroughly backdoored by the NSA already. For every user that moved from GMail to ProtonMail, our figure actually went down by some fraction of a cent.

So the standing total – in my estimation – is currently around $0.25 per person per day to monitor everybody in the world. That’s almost a doubling in surveillance costs since around this time last year, but we need to bring that number to about $10000 per person per day before we can safely assert that blanket surveillance is a thing of the past.

Samningasjá Ríkisins

Það var viðtal við Steingrím J. Sigfússon í síðustu viku sem náði athygli minni. Það er sennilega ekki fŕettnæmt, nema hvað minnst var á vonda langtímasamninga sem gerðir voru í stjórnartíð Halldórs Ásgrímssonar, sem forsvarsmenn heilsugæslu höfuðborgarsvæðisins lýstu sem “myllustein um háls stofnananna”.

Fyrsta sem ég hugsaði var, “nú væri gaman að geta séð þessa samninga.” Nema hvað þeir eru hvergi aðgengilegir. Þegar ný upplýsingalög voru samin þá reyndi ég að ýta eftir því við þá sem vildu á það hlusta að það væri mikilvægt að ríkisstofnanir hefðu jákvæða upplýsingaskyldu, en ekki bara skyldu til að svara upplýsingabeiðnum. Það er að segja, að stofnanirnar ættu að birta skjöl í þeirra vörslu af fyrrabragði. Þetta var inní frumvarpinu á einhverjum tímapunkti, en var svo veikt áður en að þetta var gert að lögum.

Nú stendur furðuleg og jafnvel bjánaleg 13. grein, sem vantar allar tennur í og virðist fyrst og fremst vera einhverskonar “æji værirðu til í að” apparat. Þar segir þó meðal annars: “Stjórnvöld skulu vinna markvisst að því að gera skrár yfir mál, lista yfir málsgögn og gögnin sjálf jafnóðum aðgengileg með rafrænum hætti. Hið sama á við um gagnagrunna og skrár.”

Ég hugsaði aðeins meira um þetta, og komst að þeirri niðurstöðu að eitt af því markvissa sem stjórnvöld gætu gert væri að útbúa “samingasjá ríkisins”.

Þetta væri vefsíða þar sem allir samningar sem ríkið eða þess stofnanir hafa gert eru listaðir upp í tímalínu sem sýnir hvenær samningurinn var gerður, hvenær hann lýkur, hversu mikið hann kostar eða hvað kemur inn í tekjur vegna samningsins, og svo útlistun á helstu áhrifum. Svo auðvitað ætti að vera hægt að sjá samninginn sjálfan. Slík síða gæti leyft flokkun og síun eftir ýmsum þáttum, m.a. hver undirritaði, hvaða ráðuneyti, stofnun eða fjárlagakafla hann tilheyrir, og hverjir aðrir eru samningsaðilar.

Þetta ætti að vera tiltölulega auðvelt bæði í hönnun og smíðum. Það er tvennt sem væri flókið við þetta.

Annars vegar það að margir samningar ríkisins eru eingöngu til á pappírsformi. Það er erfitt að gera sér grein fyrir umfanginu, en það kæmi mér ekki á óvart ef aðeins um 30% samninganna væri til á tölvutæku formi. Það er samt þannig að nýrri samningar eru líklegri til að vera til á tölvutæku formi, og mætti byrja á því að setja þá samninga upp. Svo mætti nota sumarstarfsmenn (til dæmis eldri framhaldsskólanema) til að taka saman lýsigögn um aðra eldri samninga inn í gagnagrunninn, þannig að það sæist, og svo skanna inn frumskjölin. Þetta tæki svolítinn tíma, en ef byrjað er næst nútímanum og farið smám saman aftur í tímann er eflaust hægt að færa inn og skanna 5-10 ár aftur í tímann á hverju sumri, og meira eftir því sem lengra aftur er komið, enda færri og færri samningar.

Margir samninganna hafa eflaust bara sögulegt gildi. Það gæti verið gagnlegt einhverjum, en í þágu gagnsæis væri aðalatriðið að ná inn öllum gildandi samningum. Hinsvegar væri mögulega vandasamt að aðgreina gildandi frá útrunnum í fyrstu umferð, og því mögulega alveg eins gott að skanna bara allan pakkann.

Hitt sem væri erfitt er stofnanaleg tregða. 13. grein upplýsingalaga segir að stjórnvöld skuli vinna markvisst að því að gera gögn aðgengileg með rafrænum hætti. En á þeim tæpu tveimur árum sem liðin eru frá gildistöku upplýsingalaga hefur eftir því sem ég best veit akkúrat ekkert gerst. Umfangsmesta gagnabirtingin hingað til var þegar fjármálaráðuneytið undir stjórn Katrínar Júlíusdóttur birti sjóðsstreymisgögn árið 2012 – áður en nýju lögin tóku gildi! Það var gott skref, en betur má ef duga skal.

Gagnsemi samningasjár

Einhverjir myndu spyrja til hvers þetta væri? Hvaða erindi ætti almenningur með að hnýsast í samninga sem stjórnvöld hafa gert við einkaaðila?

Fyrst og fremst er þetta spurning um vald. Þegar Halldór Ásgrímsson, eða hver sem er annar sem er í stöðu til að hafa áhrif á það með hvaða hætti ríkið starfar, beitir sér í trúnaðarstöðu gagnvart almenningi á hátt sem gengur gegn hagsmunum almennings, þá verður almenningur að geta orðið var við trúnaðarbrestinn. Annars er vald þess aðila of mikið, og vald almennings skert verulega. Af þessu leiðir að það er nauðsynleg og ófrávíkjanleg krafa að samningar sem ríkið gerir séu gagnsæir og opinberir, og hluti af samningsstöðu ríkisins. Einkaaðilar sem eru ekki reiðubúnir til að sætta sig við það þurfa að sætta sig við að fá þá ekki samninga við ríkið.

Gagnsemin felst þá í því að almenningur gæti veitt ríkinu aðhald og gert athugasemdir við samningagerð sem væri á einhvern hátt óeðlileg.

Að vísu fylgir þessu ákveðið lærdómstímabil. Flestir hafa, því miður, takmarkaða þekkingu á því hvað ríkið gerir. Sumir halda að þetta sé bara runa af kokkteilboðum og sjónvarpsviðtölum, en horfa algjörlega framhjá öllu umfanginu. Þegar þau heyra að eitthvað hafi kostað eitthvað margar milljónir þá er fussað og sveiað, vegna þess að flestir hafa aldrei haft svo margar milljónir og finnst þetta vera óttalegt bruðl.

Helsta ástæðan fyrir því að fólk áttar sig ekki á þessu umfangi er að umfangið er falið. Það er ógagnsætt að hluta til vegna ótta stjórnvalda við viðbrögð fólks þegar það sér hvernig öllu er háttað. Hluti af þeim ótta er eðlilegur – vegna þess að arfaslakir og beinlínis heimskulegir samningar eru gerðir í þágu einhverra skyldmenna eða vina – en hluti af þeim ótta er til kominn af því að fólk hefur oft takmarkaðan skilning. Hæna, egg.

Þetta lagast ekki nema með því að taka fyrsta skrefið. Opnun á samningagerð hjá ríkinu er skref í áttina að því að skapa meiri meðvitund hjá almenningi, sem að lokum ýtir líka undir getu almennings til að geta tekið upplýstar ákvarðanir um hverskyns hluti.

Gagnsemin elur því af sér meiri gagnsemi eftir því sem á líður. Svokallað “positive feedback loop”.

Að yfirvinna stofnannalega tregðu

Til að þetta gerist þarf vilja hjá ríkisstjórninni. Ég hef ekki séð nein ummerki um vilja til að auka á gagnsæi í ríkisrekstri hjá núverandi ríkisstjórn, en það er ekki þar með sagt að hún sé ofær um að breyta því.

Ég skora því á Bjarna Benediktsson fjármálaráðherra að taka þetta mál upp. Og hér er mitt boð: ef fjármálaráðherra tekur af skarið með þetta mál þá býðst ég til að búa til kerfislýsingu og þarfagreina verkefnið án endurgjalds.

NetMundial

The NetMundial meeting was held in Sa­o Paulo, Brazil, over the last two days. For various reasons I couldn’t be there myself, but I participated via the London remote participation hub. These hubs were probably the single best thing about NetMundial, allowing people as geographically challenged as myself to still weigh in on the discussions.

Outside of that one bit of silver lining (albeit bogged down with proprietary Adobe software), NetMundial went really bad. The opening session went massively over time due to poor timekeeping and the most severe procession of political circlejerking I’ve seen in donkeys. After that it settled down into something that looked fairly productive, albeit with the usual process trolling from the Chinese and Russians, and the usual bullshit from the copyright mafia and the megacorporations.

Despite this, it still seemed like the outcome might be useful, evidenced by the fact that the states were becoming quite annoyed about the remote participation hubs, which consisted almost solely of civil society actors. Not that the governments weren’t invited. I’d have loved to have somebody from the UK ministry of whatever sitting with us in the hub. But of course that didn’t happen.

However good things were looking during yesterday, at the end of the day the final document was butchered, leaving an outcome document that consisted only of pointless vagueness. The event had successfully been coopted by people who didn’t want to say anything important about anything.

In particular, the document did not address the two key topics of the conference at all: blanket state surveillance and network neutrality. It said that net neutrality is a thing that should be discussed further, and that surveillance should only occur in accordance with human rights laws. No condemnation. No strong statements. Nothing. The entire conference was a waste of time.

Get Real

Of course, many predicted this. In particular, there were a few articles that suggested that NetMundial would not be the right venue for a discussion. Milton Mueller suggested that one should not confuse NSA regulation with Internet regulation. I agree to an extent with that sentiment, but where that argument falls down is where he assumes that governance of the Internet has nothing to do with governance of espionage. This is equivalent to thinking that governance of multilateral trade mechanisms under the WTO has nothing to do with confiscation and destruction of goods in transit. It is mistaking the whole for a part. Homomeria, I believe the term is.

Which is to say that an international meeting on Internet governance is no less capable a place than, say, the UN, to discuss how to regulate espionage, and an equally capable place to actually do something about it. And in fact it may be a more apt place for discussion because such a meeting is more likely to have attendees who actually know what they’re talking about, technically, and representatives of the part of society which is actually effected by these activities in reality (the avatar of what in common law is dubbed the “reasonable man”).

The problem is that NetMundial was originally not suggested as a catch-all Internet governance meeting, but that it was deigned to address directly the issue of blanket surveillance. Then it didn’t. In part because people allowed pithy gestures by Fadi Chehadé on the one hand and the US government on the other to shift the direction and attention of the meeting away from fixing the most severe problem at hand to discussing ad nauseam issues which should have been kept separate at least until the next IGF, i.e., the IANA transition. And while I will grant that the control over IANA is certainly part of the problem when it comes to US hegemony over the Internet, it is separate in that it doesn’t contribute in any way, shape or form to the day to day activities of the NSA, GCHQ, or any of the other eyes out there.

The best way to destroy a meeting is to expand its scope.

So yeah. Realism in international relations, absolutely. It would be nice to see more of that. But this particular view is narrow.

What now?

That leaves us with what was actually accomplished during NetMundial. It was an interesting meeting of minds in some regards, with some pretty powerful statements coming from Nnenna Nwakanma, Vint Cerf, Milton Mueller, Roy Singham, Michał Woźniak, Ola Bini, and the Indian government representative whose name I have misplaced. There were some others, but to a large degree it was adults faffing about and a whole host of people being downright misanthropic.

Unlike many, I rather liked the Indian government representative’s observations. Because he was hitting at a pretty core issue, albeit in a fairly ham-handed manner. He kept asking for clarification about what kind of document the outcome would be – whether it would be a chairman’s summary or an actual “consensus” outcome document. The nature of the document is important in how it is represented after the event, but also, if it is going to be presented as a consensus of any kind (which of course it will be), it is quite important that the content of the actual document be somewhat in line with what was being said, which turns out not to be the case at all.

But for me the greatest accomplishment came in the form of us getting pretty concrete evidence that the Brazilian government is just as unlikely to want to actually do anything about mass surveillance as the others, and that post-Snowden diplomacy is in a state where Carl Bildt can still go on stage and talk about Net Freedom Blah without being pelted with rotten vegetables.

All in all, NetMundial was (perhaps predictably) a farce.

We’re going to need to do something better. The people running OurNetMundial were doing a fairly good job of drawing attention to the real issues. Perhaps OurNetMundial should become an event. But where? When? By whom? And how do we avoid cooption?

These questions and many others will remain unanswered for now. But somehting is going to have to happen.