Wednesday, August 5, 2015

BHUSA15: The Lifecycle of a Revolution

Jennifer Granick, Director of Civil Liberties at the Stanford Center for Internet and Society.

Jennifer and Jeff Moss (aka Dark Tangent) met at DefCon III in 1995 - they immediately connected, and she became the go-to lawyer for hackers ever since.

We’re seeing an internet that is no longer dominated by the US. This is important, as these other governments that don’t have a bill of rights will get in on making rules to regulate our Internet. Where will we be in 20 years? Will you know who is making the decisions? Computers will be deciding if you get a loan, where your car drives, etc. There will be mistakes, but as long as they are on the edge cases, that’s okay.

Technology was supposed to help us overturn oppressive regimes, but instead we’re seeing the opposite happen. The repressors are centralizing security, creating chokepoints where regulation can happen.  The backdoors and restrictions will be done by the elites and governments with local interest – not global interest.
Who is responsible for deciding who gets security, who gets access to what things on the Internet?

She was inspired by Steven Levy's book, Hackers, which espoused freedom of information and decentralization of information. This empowered people to make decisions on what was right and wrong. The global network would allow us to communicate with anyone, anywhere, any time.

Jennifer attended New College - where students were responsible for their own education. They wanted information to be free, and they wanted to use their freedom of thought to change the world.

She started her career as a lawyer with a deep love of technology, and was upset seeing hackers getting prosecuted for things she considered “pretty neat tricks”. She met a prisoner who was at risk of losing his “time credit” after it was discovered he was hacking the pay phone to get himself and his friends free phone calls. She wanted this to stop. That was in 1995, and she started paying more attention to what was happening.

Meet “Cyberporn” – A Time Magazine expose about what you could find on the Internet. Congress wanted this to stop (nothing gets government more excited than porn) – and they wanted to create an online decency act.  Of course, doing so required assuming that there were no first amendment rights available on the Internet.

John Perry Barlow, founder of the EFF and lyricist for the Grateful Dead wrote:

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You’re not welcome among us. You have no sovereignty where we gather.

The Supreme Court, fortunately, turned over most of the provisions of CDA, except the one provision which specified that the provider did not have to be the police.

The Internet was supposed to make us more free – but that’s not what’s happening anymore out there.

Race, gender and class discrimination seems resilient to change on the Internet.  While Jennifer has always felt welcome, there is too much evidence  to ignore.  Look at our big tech companies, which have 17, 15, or 10% female engineers.

How  is that equality?

There are talented people on all parts of the autism spectrum, with different college (or no college) backgrounds, and at any age – from the very young to the elderly.  Given that, could we lead in equality?

What about Freedom to Tinker?

For example, Mike Lynn was coming to present on new vulnerabilities in Cisco routers at Blackhat. His employer, ISS (Inernet Security Systems), and Cisco decided he should not do the talk and threatened Black Hat Conference to remove the pages from the program referencing Mike’s talk and redo the CDROMs with conference proceedings on them.  Jennifer was his lawyer. Mike gave the talk anyways, but the first thing he did in his talk was resign from ISS.
What looks more like censorship than ripping out pages out of a book?

Jennifer also represented Aaron Swartz, who ended up killing himself while being prosecuted.

How do we stop this?

Congress has to stop the “tough on cybercrime” hand waving and actually do something about cyber security.  They have made big prison sentences for violators of this, but when another country like China is behind the attack – nothing is done. China does not go to jail. It’s the little guys that are really hurt by DMCA and CFFAA. We need to get rid of them.

 Already now, algorithms are making decisions about our lives, our money, our jobs – and we do not understand these algorithms.  How do we take advantage of AI and machine learning, without ending up completely out of control.

Who is responsible when software fails?  For the most part, nobody. People are sick and tired of this.

Think about this; what happens when your self driving car crashes?  When your internet connected toaster catches on fire? When hackers can control your car remotely using your OnStar device?

We will end up with software liability. Once we are suing Tesla and GM for their software issues, it will be a small step to start suing software companies.

Jennifer recommends reading the Master Switch, by Tim Wu, which studies the cycle of major technologies. History shows a typical progression of information technologies from somebody’s hobby to somebody’s industry; from jury-rigged contraption to slick production marvel; from a freely accessible channel to one strictly controlled by a single corporation or cartel – from open to closed system.

If we don’t do things differently, the Internet will end up like TV, strongly regulated.

Sadly, there are people on the Internet that suck – 4chan, Nazis, jihadists.  Freedom of speech allows those – if you try to regulate them, you will end up impacting everyone. We must tread carefully.

Jennifer asks: who has ever had a blog? Lots of hands go up. Who still blogs? A few hands go up. She noted, “I used to blog, I don’t anymore, I use the centralized service – Facebook”. Nobody, well, except people in this room, still run their own mail server – they all use  We are giving up the control, we are doing this to ourselves.

When we talk about the “cloud” - is it all happy and free? No, it is actually controlled by a small handful of companies, subject to government regulations (US or otherwise). This creates a centralized point for control and eavesdropping.

The law is not protecting us here – in fact, quite the opposite. For example, we have laws that allow surveillance on foreigners, but loopholes in those laws are being used to spy on US Citizens. Laws are passing to give corporations protection from lawsuits if they turn over information to the US Government.

There is not a lot of case law here, oddly, considering the Internet has been around for awhile.

When there is no warrant requirement, searches can be massive and arbitrary.

The myth is that security and privacy are opposites. Not true! Think about how the putting a lock on a cockpit door provides security, but doesn’t mean privacy is exposed. A gay man in another country needs to keep that information private in order to be secure in his own health and happiness.

The current situation is leading to the security haves and have nots. It’s increasingly about power – and once that happens, the people will lose will be the minorities (religious, ethnic, etc) – those who need security most! In the US, we have the Bill of Rights, so we don’t care enough about this. But, other countries do not have those protections. We need to be the leader to protect the world, but we’re not doing that.

We’re already scanning for terrorist threats, and it’s broadening now into monitoring people that seem to be becoming radicalized. What does that mean? There is no agreement, even from the FBI and psychologists, on what it means to be “becoming radicalized”.  So, now more people are getting observed.

People don’t even realize what the Internet is. In a national survey, more people say that they are using Facebook than reported using the Internet. Of course, Facebook is on the Internet – but it is NOT the Internet. So who is correct their?  Facebook decides what to show you based on some algorithm, the freedom is not there...  The further this goes, the less we will know about the world.

We need to start thinking about decentralizing technology again. We need end to end encryption. We need to be afraid of the right things. People are terrible at assessing risk. People are more afraid of sharks than of cows, but EIGHT times more people die at the hoofs of cows every year than are killed by sharks. (note: WHAT?!?! Now I’m more afraid of cows, I knew they were after me!)

We can use law to provide safeguards where technology doesn’t, but we don’t. Congress is simply not protecting our privacy. We need to push them.

We need to get ready to smash it apart and make something new and better.