European Cybersecurity Strategy and Proposed Network Security Directive

The European Commission recently published 2 documents:

* the Cybersecurity Strategy of the European Union (English version; 20 pages)
* the Proposed Directive on Network and Information Security (English version; 27 pages + 2 annexes)

Mozilla is trying to work out whether we need to have a position on these documents and, if so, what that position should be. How might this affect the open web? Are there any actions we could or should take in response?

This is part of the work of the new Public Policy module. Particularly if you live in the EU, we would appreciate it if you would read one or the other and indicate any parts of it which are particularly of interest to you and to Mozilla.

The first document, the Strategy, sets forth the EU’s vision of cybersecurity. The second one, the proposed NIS Directive, if enacted, would require all Member States, and key “Internet enablers” such as e-commerce platforms, social networks, plus critical infrastructure companies (energy, transport, banking, and healthcare) to take action to ensure “a secure and trustworthy digital environment throughout the EU”. This might mean, for example, requiring them to adopt risk management practices and report major security incidents on their core services.

(I would expect these documents to be available in other EU languages but, although the press release is, I can’t see where the documents are. Pointers gratefully received.)

A Reprehensible Human Being

It took me a long time to realize the following truth: No matter how compassionate, charitable, winsome, and kind you are, if you oppose the sexual revolution you are the enemy. And in many ways, you’re not merely the political “enemy,” you’re also a reprehensible human being.

David French

‘Do Not Track’ and the Role of Government

Following Mitchell’s recent comments on DNT, here’s a riff from me.

There are currently two views of how Do Not Track, the standard for a browser to signal to a website that its user does not want behavioural tracking, should be enabled.

My position (and that, as far as I can tell, of the standardization group, and of many within Mozilla) is that Do Not Track is “no preference” by default (i.e. no header is sent), and must be explicitly enabled or disabled (without specifying an exact user experience). While it may change in the future, Microsoft’s current position is that users will be asked about “Do Not Track” during installation or upgrade, and the checkbox to turn it on (visible only in the non-speedy install) will be checked, and so the feature will be enabled, by default.

This made me think that the two views of “Do Not Track” correspond to some degree to two views of the role of government in innovation and user empowerment.

If you are in favour of market-driven solutions, then the power of Do Not Track comes from the fact that everyone who has it turned on has made a conscious decision to do so. This action speaks with a powerful voice in the market, and is hard to argue against. The idea is that any advertiser which refuses to respect a specific user request will suffer from a poor reputation, and loss of business. Hence, consumer pressure leads to positive change without regulation. But for this to work, it requires that the default be “off” (or “no preference”, which amounts to the same thing).

If you are in favour of regulated solutions, then the power of Do Not Track comes when governments force advertising companies to respect it. So how it gets turned on or not is a secondary question, and your goal is simply to get it enabled on the computers of as many people as possible, and get a law passed that makes website owners pay attention to it. After all, once it’s a government mandate, the advertiser has to respect it, whether the user made a choice to enable it or not. And so having it on by default allows you to make the claim that you are “protecting more users”.

I suggest that history shows us that government regulation of technology is usually written by those who don’t understand it, arrives late, and demonstrates inflexibility in the face of future innovation. The EU cookie law, as implemented in the UK, is a case in point – its net effect is that most UK websites now have to have a click-through dialog before you can continue to use them as before. I doubt that many people’s privacy has been meaningfully enhanced, and website usability has suffered.

Government-mandated DNT would not be nearly as flexible and open to further innovation as market-driven DNT. I hope we get the market-driven sort.

EU is 113% Democratic

You couldn’t make it up. The vote on an amendment to some “orphan works” legislation in the EU’s Legal Affairs committee (which has the responsibility of “safeguarding the integrity and trustworthiness of the legal framework as a whole in Europe”) was lost 14 votes to 12. Nothing wrong with that, except that there were only 23 voting members. In other words, there was a 113% turnout – a figure of which Vladimir Putin or Robert Mugabe would be proud.

When it was pointed out that these 3 phantom votes could have affected the outcome, a re-vote was nevertheless denied.

Front-runner for “understatement of the year” goes to Christian Engström, Member of the European Parliament for the Swedish Pirate Party, who said:

“What can I say? There is a lot of room for improvement when it comes to democracy in the European Union.”

Coalition for Marriage Petition

[Update 2013-10-12: It seems that an anonymous resident of Chicago has added a link to this blog post to my (short) Wikipedia entry, thereby suggesting that my opposition to the redefinition of marriage is one of the most important things that people need to know about my life, work and opinions. I’m not sure why they think that, but I wonder whether their intent was that people would read that sentence and pigeonhole me without further consideration. If you came here from Wikipedia, I hope you will not make that mistake.

In addition, the following quotation from a letter sent out in July 2013 by the Prime Minister’s Office might be of interest:

The position in discrimination law is very clear. The belief that marriage is between a man and a woman is protected under Article 9 of the European Convention on Human Rights, the Human Rights Act 1998 and the Equality Act 2010. Discriminating against someone simply because they hold that belief or express it in a reasonable way would be unlawful discrimination.

I’m sure that anyone who is an opponent of discrimination would not want to do such a thing.

The original blog post follows.]

For my UK readers: if you agree with the following statement:

I support the legal definition of marriage which is the voluntary union for life of one man and one woman to the exclusion of all others. I oppose any attempt to redefine it.

then please sign the petition of the Coalition For Marriage.

Civil partnerships and marriages in the UK give exactly the same legal rights and operate under the same constrictions. This is not a question of “equality”. But because of the way marriage is defined in UK law, it is also not possible to redefine it in this way without changing what it means for heterosexual couples too. The soundbite “if you don’t like it, don’t get one” is an invalid argument.

The government does not have the power or authority to redefine words.

The Impossibility Of SOPA

It has been suggested that if SOPA or PIPA pass, then sites with user-generated content would need to review it all manually for copyright violations.

What would it look like for YouTube, if a reviewer had to watch every minute of video?

  • About 48 hours of video a minute is uploaded to YouTube (that figure is from May 2011, so it’s probably more now, but let’s go with that as a conservative estimate)
  • 48 hours a minute is 483,840 hours a week
  • If the reviewers worked 40-hour weeks, you would need 12,096 of them (plus a thousand or so more for holiday cover) – call it 13,000
  • If you paid them all at the US Federal minimum wage of about $15,000 a year, it would cost $195 million per year.

But, of course, you couldn’t start the reviewers straight out of high school. First, they’d need to watch the 100 years of video which has been submitted to YouTube by content owners, so they knew a copyright violation when they saw one. (They wouldn’t be able to detect copyright violations of the content of independent filmmakers or individuals, but hey, this system isn’t about them, is it?)

The problem is that after watching 100 years of video, those who aren’t dead would have pretty poor eyesight. It would also introduce an unacceptable delay in getting the system up and running. So the job needs to be parallelized. Specialization is the key. One set of reviewers could watch all the musicals, and another could focus on vampire movies. (They might need paying extra.) If we got each trainee reviewer to spend 3 years exclusively watching Hollywood movies, TV network serials and listening to major-label music (drawing parallels with the average college degree is left as an exercise for the reader) then we could get the system up and running faster. However, we’d need 33 times more reviewers – 429,000 in all, making the cost $6.4 billion.

For comparison, 429,000 people is about 1 in 30 of the entire jobless population of the USA, and $6.4 billion is approximately 60% of Google’s annual profits. These resources would be spent entirely on content checking for YouTube, without considering Google’s other sites which take user-generated content, or Facebook, or any other social site.

There is just too much user-generated content to check it all manually, and automatic methods will never be 100% effective. So how do SOPA proponents expect that sites like YouTube can possibly remain open and legal? It’s impossible.

Social Justice or Something Else?

Here’s a quick test to help e.g. those who sympathise with the “we are the 99%” slogan to work out what personal motivation is behind their support of proposals for change in people’s relative incomes.

(Once you’ve read the short article) It’s worth observing that, after the button is pushed, if you have a relative measure of poverty (as we do here in the UK), measured poverty goes up.

A further observation: this test makes no claim that the hypothetical scenario is actually happening or will happen. Notice that there’s a genie involved.

Open Sourcing Local Minimum

I can’t remember who said it (Simon Phipps?), but a while back this idea stuck with me.

If a company tries to open source a project, but gets nervous about it and tries to retain too much control, they can end up at a sort of open sourcing local minimum, where they are getting the disadvantages of open source with none of the advantages. In other words, they incur all the expense and hassle of setting up an open source project, without getting the increased community involvement and eyeballs which are the reward, because potential contributors can see that it’s not a project they can have a real ownership stake in.

Sometimes, half-done can be worse than not done at all.

There’s No Money Left

“I’m afraid to tell you there’s no money left” was what was written on a note left by the previous Chief Secretary to the Treasury for his successor when the UK government changed after the last election in May 2010.

Since then the new government has been attempting to rein in spending, although it hasn’t been doing a great job of it – over this parliament the national debt will still rise by over £500bn, or £19,000 for every household in the country. Interest on this debt – money the Government has to collect in taxes but can’t spend on services – will more than double to almost £67bn, surpassing spending on the defence, transport, home office and justice departments combined.

Even so, some people think the relatively mild spending cuts, which restore government spending to where it was as recently as 2007, are an unbearable travesty which will take us back to the dark ages.

That’s why I’m attending the Rally Against Debt in London this Saturday, and I urge my UK readers to do the same. Here’s my placard slogan: “The Borrower Is Slave To The Lender” — Proverbs 22:7.

Privacy Irony

“provides an independent and open tool for scanning your Facebook privacy settings”…

… by making you run untrusted JavaScript in a Facebook browser context, just like lots of shady “automatically spam all your friends” copy-and-paste-this-code-to-get-a-cookie Facebook pages.

Of course, it’s easier to snipe from the sidelines than to do something myself…

Privacy Overreaction

From the latest EDRI-gram:

Google admitted that the previous information on the data they have gathered
with their Street View service was wrong and this included “samples of
payload data from open (i.e. non-password-protected) WiFi networks.”

Google claims that this was done by mistake and the data was never used in
any Google products. They have also indicated that only fragments of payload
data were gathered because: the cars are on the move, someone would need to
be using the network as a car passed by and the in-car WiFi equipment
automatically changes channels roughly five times a second.

The decision was challenged also by an open letter of the Privacy
International (PI). … PI has also announced that it will seek a prosecution for
unlawful interception under the UK’s Regulation of Investigatory Powers Act,
noting that “in those circumstances there would be no question of destroying
the data.”

As PI has recently replied to the public blog post: “This latest incident
was not caused by a mistake; it was caused by a failure of process that cuts
across the entire company. In the absence of a systemic change in product
development and deployment procedures the latest incident will be just one
in a continuing litany of transgressions on personal privacy.”

Really? Really really? Fragments of data no more than 1/5 of a second long, collected by accident (or, at least, without purpose) and never used in a product? A “systemic failure”? A prosecution for unlawful interception?

As Eric Schmidt rightly said, “who was harmed?” The cause of promoting the privacy of web users is not advanced by this sort of over-reaction. Resources, and the attention of the public, are limited. Fight the battles which matter.

Poor Nick Clegg

(Those of my readers with no interest in the UK General Election may want to move on.)

Poor Nick Clegg. He’s got two options, both of which suck.

Option 1: an arrangement of some sort with the Conservatives. They aren’t offering the voting reform he wants and has said is a prerequisite; if he picks this, his entire party will claim that he’s sold out. Given that it’s such a core LD policy, it would be a disaster for him. Is there any chance the Conservatives can offer him enough for him to save face, but not enough for there to be a chance of PR actually happening?

Option 2: a coalition with Labour. This gets him the voting reform, but they don’t have enough seats to make the magic 326 (or 324, if you note that Sinn Fein MPs don’t turn up). Together, they have 315. If you add in the 3 SDLP MPs, who take the Labour whip, you get 318. You need to add in the SNP, or perhaps Plaid Cymru and the Greens, or even all of them, to get a workable majority.

This might well mean Gordon Brown as PM – could Clegg really prop him up after campaigning on a vote for change? Or, if Brown resigned and another Labour person was appointed, the government would then be led by a politician who had not campaigned as PM for the election we’ve just had!

And after that, a fragile alliance will be forced to make severe spending cuts that none of the parties have warned are coming. They probably won’t; and the bond markets from whom we have borrowed a lot of money will get worried, and we will spiral into a fiscal black hole. When things have gone badly enough (perhaps with the IMF called in) that there’s another election, the Conservatives will sweep to power and no-one will trust either Labour or the Lib Dems for years. The Conservatives may well win even if voting reform has been rushed through in the brief period that the coalition held together (although they’d find it much harder in the future).

Neither option looks appealing for Clegg.

All this goes to show that the Conservatives would be mad to concede voting reform to the Lib Dems, but they have to make a very convincing job of looking like they want a deal.