From a security point of view, the trouble with cloud-based applications and closed source software in general is that you can never tell whether there are flaws that will leak your information or even back doors put there deliberately to allow third parties to get at it.
Open source software gives you many advantages.
You can understand exactly what the software will do when run. Strictly speaking you can understand what any software does, but source code written in a high-level language serves the purpose of both telling the computer what to do and telling humans what the program is intended to do. This is because classes, functions and variables in the program are given English names. Programmers may even write comments in the source code to annotate it. The names and comments may be misleading but this becomes apparent when you look at what the code does as a whole. If you cannot personally understand the program, you can be reasonably sure others do. One thing that gives me confidence is that previous flaws have been found and fixed.
You can be sure you are running the same software you have gone to the trouble of understanding because you can compile it yourself. You can compile the user applications, libraries, operating system kernel, drivers and even the compiler yourself if you want. More usually you will entrust most of this work to others such as Linux distributions. Programs downloaded from such sources are cryptographically signed. Because the source code is available, anyone can check that the source code produces the same program that is provided pre-compiled.
So there is little likelihood of a back door in open source software. Linus’s Law states that many eyes make bugs shallow. This means that bugs in open source software, especially the most important and most widely used open source software, get fixed quickly. In The Cathedral and the Bazaar, Eric Raymond described how the Linux style of development leads to superior code quality. All this means there is less likelihood of accidental leakage of your secret information.
Should they decide they do not like us encrypting our files or obscuring our online activity, it would be very hard for authorities to take open source software away. The nearest they have got is the Consumer Broadband and Digital Television Promotion Act which was intended to protect music companies who wanted to put DRM into music by making trusted computing compulsory. The idea was that computers would be required to have a special chip that would only let them run programs that would be cryptographically signed by some authority. You would not be able to run your own programs.
The bill got nowhere and such laws are unlikely to because open source software is so ubiquitous. It runs the Internet. Samizdata runs on a computer running the Linux kernel using GNU libraries and uses an open source web server, database and blogging software written in languages compiled by open source compilers and interpreted by open source interpreters. So do everyone else’s web sites. Most of the electronic gadgets in the world that have any software at all have open source software in them, including phones and TVs. None of this is going away.
As much as Google and Microsoft have brands to protect, if the government makes laws big companies have to follow them. Governments have no such hold over open source programmers who are geographically, organisationally and ideologically dispersed.
The people who write GNU Privacy Guard or OpenSSL are not going to put a back door in their software. If they did it would be spotted and someone could simply fork the project.
It is possible that certain algorithms have mathematical back doors and that the NSA has hired all the people clever enough to find them. It is possible that the NSA tried this with a cryptographic random number generator and were caught out. We can be somewhat confident that the NSA cannot break AES encryption. There are other encryption algorithms available.
Nothing is certain, but open source software gives us some control over our computers and some defense against governments that closed corporate software never can.
When I read this…
US spy chief James Clapper has strongly defended government surveillance programmes after revelations of phone records being collected and internet servers being tapped. He said disclosure of a secret court document on phone record collection threatened “irreversible harm”.
… my first reaction was “Irreversible? I certainly hope so”.
The flood of revelations about the sheer scale of NSA information theft… direct server access without an individual court order whenever the NSA wants something from Microsoft, Google, Yahoo, Facebook, Skype*, PalTalk, YouTube, AOL and Apple… has made me wonder if savvy non-US based business might not be able to market their services as explicitly non-US.
Just imagine the possible tag lines:
“Don’t worry, the NSA does not have easy access to your data as we are not a US based or owned company”
…or tapping into a bit of anti-Americanism never hurt the bottom line…
“We are not located in the ‘Land of the Free, Home of the Brave’, so your data cannot be browsed at will by unaccountable NSA spies!”
… which is not to say such services cannot be marketed to Americans…
“Non-US nationals across the world are not protected by the US constitution, come to think of it, neither are Americans in America, so your data is safer with us as we are a NON-US owned and NON-US based company!”
The creative possibilities are endless and anyone who cannot leverage this into internet gold is not trying hard enough! Capitalism for the win!
*= Skype, originally a Luxembourg based company, was purchased by eBay in 2005 and then Microsoft in 2011.
The media and blogosphere are abuzz with the astonishing info-grab by the US government…
The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April.
The order, a copy of which has been obtained by the Guardian, requires Verizon on an “ongoing, daily basis” to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.
The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing.
I assume the Guardian got this information because someone inside Verizon said “fuck this” and leaked it. I also hope the Guardian has the ghoolies to well and truly protect their source.
Never people to let a nice atrocity go to waste, the recent murder of a British soldier in London is being used by the ruling classes to renew the push for more state surveillance.
Never mind that the two perpetrators were already known to the security services, somehow the non sequitur that a more panoptic state could have stopped a pair of low tech Islamic psychopaths carrying out an outrage that required perhaps ten minutes of prior planning (drive to an area with a lot of soldiers, grab one, murder him in broad daylight in front of witnesses) is being run up the flagpole to see how many people salute it.
Pure and utter bullshit.
Just remember this when some idiot holds up Boris Johnson as someone preferable to the ghastly David Cameron when (rather than if) Cameron gets the heave ho from the Tory party leadership as they start to feel Nigel Farage’s breath on the back of their necks.
Some organisation has recently filled my local neighbourhood in the inner London borough of Southwark with a remarkably large number of the above signs. These have been attached to stop signs and other traffic signs, poles holding street lighting, and a few are even attached to poles that hold nothing else and have presumably been installed specially for the occasion. It is hard to imagine government of some kind not being involved, given the public places where they have been erected, but WTF?
Are these supposed to make me feel safe? Reassured? Threatened? Creeped out? Vaguely worried? Concerned that money that could otherwise be spent on something useful is being used to pay the salaries of people with far too much time on their hands? Also, WTF?
Going to the advertised website is only of limited help. Something about fighting crime with fighter jets? In any event, a badly designed website of the kind one would find from some small company that is desperately short of capital and trying to impress investors after an unsuccessful listing on AIM. Oh, okay, there is something about some kind of partnership in London with the Metropolitan Police elsewhere on the website, but it is virtually impossible for me to link to due to the horrendous overuse of Flash. So taxpayer money probably is involved somewhere.
Once again, WTF?
As noted in my previous posting last night, I went out photoing photoers last Sunday, and one of the more interesting photoers I photoed was this guy:
That’s an iPad, being used as a camera. I mentioned this to Michael Jennings, and he told me that the first iPad didn’t have a camera built in. The second one did, but it wasn’t very good. Not designed for proper photoing, merely for video-conferencing. But people used it to take proper photos anyway, or they tried to. And on iPad number three, the camera is quite good. Not in the same league as a dedicated camera, but good enough for many, for taking tourist snaps in good daylight and for telling friends what they are seeing.
I know the feeling. If you are a techy, or if whatever you are doing just has to be really, really good, you use the best kit for each job that you are doing. But if you are a civilian, you just love the idea of one machine that does everything for you. There is just one pile of magic to master, just the one gadget to be faffing about with when you are on holiday. I have never used an iPad, but I entirely know why this guy is using his iPad to take photos, rather than a regular camera type camera.
I talked with him. So, using one of those things to take photos, eh? Yes, he said, and he eagerly showed me some of the photos he had just taken, of Westminster Abbey. They looked fine to me, although a regular CSI character could easily work out the man’s identity from his reflected face in this:
He’s not the first iPad (or Tablet or whatever) photoer I have spotted in recent months, just the first who obliged with a good clear pose for me to photo, a pose which obligingly hid his face.
I have been photoing digital photoers for over a decade, and if there is a technological trend in evidence, it is that the range of cameras being used by digital photoers has slowly grown. First, there were the very first digital cameras, like my very first digital camera. Rather big, very expensive and rather clunky, but they worked! Meanwhile the Real Photographers were going digital, with even bigger and massively more expensive cameras, which looked, then as now, just like regular old cameras that used film, and which made use of the same even more expensive sets of interchangeable lenses. Then cameras started to emerge which were betwixt and between (“bridge” cameras) the little ones and the Real Photographer cameras, like my last two cameras, with their ever more amazing zooming abilities. I try to get cameras in focus whenever I can, and in my photos you can see the zoom numbers climbing as the years have gone by, the latest Canon “bridge” camera being 50x!
And while all that was happening, mobile phones were also getting good enough to use as cameras. Just like my iPad Man, Mobile Phoner relishes only having one machine to fret about, to do everything. Hence the ever increasing smartness of smartphones.
It all reminds me of how General Motors worked out, in the 1920s, that the idea of just one basic kind of car for everyone was silly. Instead GM offered a range of cars, to suit all tastes and pockets. But, there never was a Model T digital camera, available only in black, and the camera market is easier to enter, so there never was a General Cameras either. The range rule has prevailed with digital cameras from the start. It didn’t have to be thought of, it just happened.
This range of cameras is reflected in my latest clutch of photoer photos, here (already linked to above). There is the Real Photographer (1.2), or at any rate the photographer using a Real Photographer camera, the guy with the reflecting sunglasses. There are the ever smaller and ever cheaper dedicated digital cameras, often decked out in bright colours (silver (2.3) and red (3.1) in these photos as well as just black). There is the guy using his smartphone (3.3) to take photos (of the man blowing bubbles on the South Bank). There is the 26x zoom camera (3.2). Even the little red camera (3.1) is 10x, as you can clearly read if you click on that one. Tellingly, there are cameras there where it is a bit hard to tell at a glance if they are single fixed-lens or multiple choice lens, bridge or Real.
There must also be another kind of camera being used, to add to all these others, which is the one that is so small and so unobtrusive that it cannot even be seen. These cameras are hidden in glasses, or in buttons, or in hats, or in jewellery. Time was when only the likes of James Bond had such devices, but now, I presume, anyone who wants such a camera can have one. I must have photoed many such cameras, but I will never know about it.
I salute these invisible cameras with particular fervour. They are Little Brother’s answer to Big Brother’s now ubiquitous and very visible surveillance cameras. These invisible cameras are the reason that They will find it so very hard to ban outdoor photography by civilians, however much They might like to and however hard They try, because They won’t be able to see it happening and tell it to stop.
Face recognition is now starting to loom large, and it won’t be long before etiquette changes in response. The internet has been instructed to email me whenever face recognition gets a big mention, and the emails ever since I said to do this have flowed to me in a steady trickle. Face recognition will soon be a Big Issue, and for many it already is. To photo anyone in public will soon be universally understood as like a potential public announcement of exactly where they were, exactly when. I presume that celebrities of ever decreasing celebrity are already hunted down with such software. Now regular people are starting to track each other. Soon, this possibility will be routine. Governments will want to make it illegal for anyone except themselves to behave like this, but I can’t see how they will be able to make this stick.
I wonder where my husband was last weekend. I know where he said he was, but … let’s run the programme, and see if anything shows up. Was he in London with that tramp with the pink hat, I wonder?
That young speaker I heard yesterday for the first time seemed like quite a dangerously clever chap, with a potential big future that I disapprove of. So, www, show me every picture you have, and I don’t just mean the ones with his name attached. What does he do with himself? How does he relax? How does he unwind? Give me some dirt.
That kind of thing.
As the memory of the internet grows, people will be living more and more of their lives in a state of perpetual surveillance, of everyone, by everyone. At present, your name needs to be spelt out and attached to such revelations for them to be revelations. But that is fast changing. Soon, your face will be enough.
When I say “soon”, I don’t really know when all this is going to happen, and be seen to have happened. This may already be happening, or it may only really get talked about a decade hence. But happen it surely will. Whereas I only arrange to be informed when the words “face recognition” appear in an internet news story, it is surely only a matter of time before we can all of us say “show me any picture that looks like this person”.
I have frequently noted here the obsessive fortification of the state during the last decade: how all public buildings in Britain have steadily become the opposite – closed-off, accessible only through guardrooms, by special permission.
A fascinating and frightening piece by Anna Minton in the FT, “Locked in the security cycle”, describes something I did not know. Though I had noticed a more general neurotic security obsession in new developments, I thought this was merely a matter of insurance and corporate cowardice. Some of it may be. But some of it is official coercion. Minton explains:
High security is now a prerequisite of planning permission for all new development, through a government-backed policy called Secured by Design. [...]
Secured by Design is administered under the auspices of the Association of Chief Police Officers and backed by the security industry, with the initiative funded by the 480 security companies that sell products meeting Secured by Design standards. It is also supported by the insurance industry, with lower premiums for the increasing levels of security offered by Secured by Design standards.
Beware the security-industrial complex!
Note this is enforced by state power: since the all-nationalising Attlee government of 1945-51 planning permission controls all building in Britain. It is a panopticon of the built environment, covering all significant building or alteration of building: nothing is legally done privately; nothing is legally done without prior official approval. So “a prerequisite of planning permission” means developers comply or they don’t build. But the standards to be applied by planning officers are controlled by ACPO – a closed professional body for senior police and civilian policing officials – and far from correcting the producer interest, as choice might, deliberately incorporate it as a driving factor.
What will we get – what are we getting – all around us? An architecture calculated to reproduce the assumptions of those in security positions and industries of what’s a good place for people to live, trade or work, for children to play or be educated. Those are assumptions about order, ‘appropriate’ persons and behaviour, the need for oversight, the nature of – and constant presence of – threat. Hence the suspicious building syndrome: you will be increasingly screened to permit entry, and watched, controlled inside the perimeter. Hard, plan-defined boundaries, rather than freely negotiated common use of space.
But look! Lots of jobs for guards and electrical maintenance crews. Compliance by large builders will make their lives easier and competition more difficult. ACPO members will find valuable consulting work. Politicians can say we live in a society with “world class” security. The execution of policy will be deemed its success. Everybody (who matters) wins. Positive feedback.
But not the only feedback loop. The authorities are not interested in contrary evidence. Public bodies and quangos are skilled at commissioning proleptic studies, and the institution of ‘public consultation’ is highly developed as an art of obtaining affirmation for policy, but even so, there are clear signs that official security obsession creates psychological insecurity in the populace. Minton again:
Although crime has been falling steadily in Britain since 1995, fear of crime is soaring and 80 per cent of the population mistakenly believes crime is rising. Fear of crime does not correlate with actual crime but with trust between people, which is being eroded by high-security environments. [...]
One of the key drivers for this project [Minton's forthcoming NEF-published report] is the dearth of evidence that Secured by Design and high security prevent fear of crime and create strong, stable communities. Of the few existing studies, an investigation into CCTV by the Scottish Office found that while people often believed CCTV would make them feel safer the opposite was true, with both crime and fear of crime rising in the area investigated. The author concluded this was because the introduction of CCTV had undermined people’s personal and collective responsibility for safety. Research has also found an “unintended consequence” of extra security can be that “symbols of security can remind us of our insecurities”
I would add: they also remind us of something else. The pressure for all this comes from regulatory culture. As with the fortification of the state, it reveals and propagates the intense fearfulness in authority itself. Authority is frightened of the unsupervised individual, and thinks we should be too. To recycle a phrase, they hate our freedom. The possibility that life may be lived harmlessly in divers ways is just as much anathema to a secular bureaucrat as a religious totalitarian. If rules and fear are not everywhere, we might not accept that the people who make up rules always know best.
Profiling whole populations instead of monitoring individual suspects is a sinister step in any society. It’s dangerous enough at national level, but on a Europe-wide scale the idea becomes positively chilling.
- Shami Chakrabarti
If you visit, for example, the Financial Times website, you will be presented with a pop-up box warning you about cookies. This is becoming more common and is a result of the EU Directive on Privacy and Electronic Communications, also known as the e-Privacy Directive, also known as the cookie law, which took effect on 26th May.
Since no-one understands the law and has to rely on vague guidance that gets updated without really clarifying anything, web designers who have heard of the law will likely rely on the annoying pop-up box for some time and it will become boilerplate which is instinctively dismissed by users. Luckily most web designers seemingly have not heard of the law or are otherwise ignoring it, probably because they have real work to get on with.
Dave Evans of the Information Commissioner’s Office writes:
We’ve stressed that there’s no ‘one size fits all approach’. We think that organisations themselves are best placed to develop their own solutions.
Freely co-operating organisations did solve the problem years ago, when they invented web browsers with cookie settings. This legislation solves nothing at the cost of confusing, worrying and irritating people.