Linux Format

The reason GCHQ’s spying is so out of control, is that no one thought it should be better.

Cory Doctorow on fighting for digital freedom!


Cory Doctorow is an award-winning author, thinker and speaker. He has written many things: young adult novels, science fiction and non-fiction commentaries on the exigencies of modern society. They are all fantastic, available in DRM-free formats and released under Creative Commons licensing. He is Honorary Steward for the Shuttleworth Fellowship program and co-editor of the Boing Boing blog. He is a digital rights activist and serves as Special Advisor to the EFF. Through the Apollo 1201 project, he’s part of a mission to rid the world of DRM.

Linux Format: Without sounding too much like a hysterical screaming fan, I have to tell you that I am a huge fan of your work and it’s an absolute honour to be sat here with you.

Cory Doctorow: Thanks man, that’s very nice to hear [mutters oh Jeez, not another one quietly to himself].

LXF: I’m reading Homeland at the moment, really enjoyed Big Brother, but I think your collaboration with Charlie Stross, Rapture of the Nerds, has been my favourite. In all of these books there seems to be a spirit of rebellion—in your young adult novels this is the fight against the authorities, and in Rapture of the Nerds there’s Huw shunning all the exciting technology that everyone else has welcomed into their lives—this spirit of rebellion in many ways seems to be embodied in the open source movement. Going back to the days of the GNU commune and all those sorts of movements, that was a radical departure from the old way of doing things, they really turned things around. Can you speak to that?

CD: Sure, I guess you can think about FOSS as being either an instrumental or an ethical proposition and it can exist on a continuum between the two as well. Obviously, Stallman had both an instrumental and an ethical desire when he started the GNU project. On the one hand he was just peed off because he wanted to do something with this piece of punch tape that’d been locked in a drawer. In that regard it was a purely instrumental thing.

But as is so often the case, when you start out with something that’s purely instrumental it makes you think about the ethical questions: ‘Why is the drawer locked?’, ‘Who put the lock on the drawer?’ and ‘Who decides who gets the key?’. Those are ethical questions that are inspired by this instrumental desire. I think human beings are very prone to rationalisation and self-justification and one thing that often happens is that if you have something instrumental it can turn into something ethical. Anyone that’s ever parented a child knows that the line between ‘I really want a biscuit’ and ‘It’s unjust that I don’t have a biscuit’ [do not teach my child this–Ed] is very fine indeed. One of the things the free software movement has done by embracing peer review – at the licence level, at the toolchain level and then at the code level – it’s made it that much harder for those kinds of self-delusion to flourish, that peer review is really our best answer to that.

LXF: What about the idea that technology is moving too fast for us? We want to put the internet in our fridges and, to use one of your examples, rectal thermometers. I also went to Karen Sandler’s keynote, she has closed source code in her heart, and the GCHQ talk suggested that soon it will be possible to tap the entire internet. Do you feel that at some point we ought to take a step back and take stock of the situation?

CD: Well, there’s nothing wrong with taking stock of things, that’s a good continuous practice, but I don’t know that you’re going to get everyone to stop while we take stock, though. In fact, the term ‘taking stock’ is a really interesting one, it comes from retail. One of the things that computers have let retailers do is allow them to take stock continuously. I used to work in a bookstore and we used to have to close for a day while we went round the shelves and counted the books, and that’s not a thing bookstores have to do much anymore. Except to figure out how many books have been shoplifted. So stock taking is now a thing that we do continuously. I think that there’s a risk to thinking that the reason our technology policy is so dire, or that GCHQ’s spying is so out of control is that no one thought that it should be better, or that no one considered that the policy wasn’t dire when it was being enacted—that it was just some hidden, lurking, completely unintended consequence that emerged without anyone suspecting it would be there. Much like climate change—y’know the signs have been on the wall for a long time and it hasn’t been a matter of the consensus not catching up—it’s been a matter of denialism, right.

On bad policy

“Don’t tell ISIS that with an inkjet you can open as many bank accounts as you need.”

LXF: And now there’s no denying that things have gotten bad, we have climate change deniers, a privacy circus and DRM has inveigled its way into all sorts of places. Worse, it seems like the momentum is still building in that direction.

CD: The thing is that there are a lot of people who are richer for bad policy. There’s this formal definition that a common misuse of corruption which is that it is systems that have concentrated gain and diffused costs. And so what happens is that if all the money is being made by a small number of people when all the costs are being borne by everyone else, the people making all the money can use some of it to lobby for the continuation and the expansion of the policies that benefit them. The people who are being affected by it—well, they have a much harder time all clubbing together to make a difference.

A good example of this would be privacy law: When the European Union brought in its Privacy Directive, it was the most lobbied directive in European history. The policies it came up with, this idea that if you have personally identifying information you have to treat it with an enormous amount of care and gravitas, but you can take stats not in the directive to turn that personally identifying information into de-identified information, and you can treat it as if it has no risk at all to the people that generated it.

Computer scientists don’t really think there is a thing called de-identified information, not in large data sets. Over and over again we get these allegedly de-identified data sets that are again re-identified to a large extent with relatively simple undertaking—sometimes by merging multiple data sets, sometimes by finding unique identifiers and what have you. This issue, the reason that it was lobbied for so hard is because there are a bunch of companies that make shedloads of money by gathering huge amounts of data on people. So they created this carta that is not so much a loophole as a 16-lane motorway right through the directive that effectively says that if you sprinkle some de-identification pixie dust on some data, then you get all the benefits of being able to pretend that you were in a very privacy protecting industry without having to do any of the messy protection of privacy. This will be familiar to anyone that’s ever opened a bank account with a gas bill: The banks in the UK were told that they needed to prevent money laundering by taking industry standard steps to identify and know their customers. But the statute didn’t say what the industry standard steps were and so the industry converged on nonsense steps, which is producing sheets of A4 that came off an inkjet printer that say you’re an EDS customer.

LXF: Yes, no one can doubt the authenticity of a bit of paper if it has a logo on it.

CD: Right, I mean don’t anyone ever tell ISIS that with an Inkjet printer you can open as many bank accounts as you need. This was beneficial for the banks because they got to go on doing something that wasn’t unduly burdensome for them, but it turned out to be pretty bad news for anyone that cares about money laundering, but also anyone who doesn’t happen to be the only person in the house that pays the gas bill. Y’know, most houses have more than one person living in them, but also only one name on the gas bill. So it’s become hard to open a bank account in the UK without it becoming hard to launder money in the UK.

LXF: A lot of new technologies now seem to be finding uses in subverting the law. Moxie Marlinspike has this idea that ‘It should be possible to break the law’. It’s not a sentiment that sits well with, say, prime minister May, and technology in general, especially as concerns encryption, is getting vilified by lawmakers. All they do is parrot the same diatribe—what Schneier called the Four Horsemen of the Information Apocalypse (terrorists, drug dealers, kidnappers and child pornographers). What are they not getting here?

CD: We have to be careful about setting apart these technologies’ uses and their reputation as counter cultural or illegal activities. There’s a kind of corollary here to the shibboleth that pornographers are technology early adopters. This is a thing that John Gilmore really set me straight on. The idea is that pornography was the first use of VHS and the Internet and so on. And this means that there’s something about the sex trade that is intimately bound up with technology. Gilmore said no—you have a form of communication that enjoys unrestricted access to the existing channels, so you have no reason to invest the energy in figuring out how to use a new channel. But if your communications are restricted, then you are already paying a tax to communicate, because you have to avoid the restrictions in the real world. So in the days of pornography you would have to find customers who were willing to receive plain brown envelopes full of your product, and therefore the internet or VHS or any of these other technologies, they offer a dividend that overcomes the cost. Because the cost is already being borne by you. If you’re going to pay a cost to communicate, you might as well pay this cost in the form of acquiring technical know-how. In the same way people who are already marginalised may want to choose what state of mind they’re in and invest the time and energy in sustaining the legal risk of doing so. But it doesn’t mean that there’s something inextricable about it. If you look back to the age of legal psychedelics, the brief period after their first synthesis in the lab.

LXF: I’m reading this great book called PiHKAL just now.

CD: Of course you are… All of our stuff on SSRIs comes out of that research, the idea that extremely small doses of chemicals could have gross effects on the mind. And that turned into the whole pharmacological basis for treating depression and anxiety. But back then they were a pretty mainstream phenomenon. It wasn’t just beatniks and hippies, the smart set in the New York cocktail parties doing these things. Once things become illegal the game changes. To go back to the Silk Road example, people weren’t selling heroin and assassination services on eBay because they couldn’t, so they invested the time in learning Tor and Bitcoin.

LXF: And all the command line switches for GPG, no one’s going to do that for a hobby.

CD: Right. Another side of it is that refugees are heavy users of VoIP and video conferencing technologies—because they don’t have any money and they need to use free services and they’ll pay the tax to figure out how to use them.

LXF: You’ve been nominated as the Honorary Steward for the Shuttleworth Foundation Fellowship program. Tell us about that.

CD: Mark Shuttleworth is a philanthropist who obviously has a deep involvement with GNU/Linux, he’s the founder of Canonical and the Ubuntu Project. He made lots of money from running a certificate authority and he uses that money to do good deeds. He used to give grants to organisations, as a lot of foundations do. When I worked for EFF as European Director, it was a grant from his foundation that funded the work I did. But over time they hit on this very novel strategy for funding good works, which is investing early stage in people who have visionary, radical ideas that are plausible and giving them money separate from any institution they’re affiliated with to spend as they choose. And so the process is really easy to apply for—it’s six questions that have a maximum of 1,500 characters each and then you record a video of no more than five minutes, and then a CV. My understanding is that in the last few years the success rate has been about one percent, which is pretty high for granting proposals. As Honorary Steward I’ll be helping to make the final determination, so I’ll be working from a shortlist.

LXF: You’ve put across this dichotomy that on the one hand FOSS has won, primarily due to the GPL, but at the same time DRM has also won. How do you reconcile those two notions?

CD: With GPL code there’s this irrevocable legal construct around free and open source software that prevents enclosure—once something has been opened it can’t be closed again. That’s why tivo-isation, if you remember these debates about licensing, was such a big deal. Because at the level where people think about licenses, there’s this understanding that irrevocability is hugely important to defending against changes in management.

There were people who worked for SCO who were pretty horrified to discover that the company that they helped build was being used to sue over the Linux kernel. There are lots of changes in management all of the time. So when I met my wife at an event in Finland, I was living in San Francisco and she was living in London, and one of the other people at that event was a guy who’d just started a videogame called GameNeverending that we were both alpha testers on. He came out to visit me in San Francisco later and asked me how the long distance relationship was going. I said “it’s great, but it’s hard to share photos of our daily lives and that’s something we like to do to keep the relationship going”. He said “Oh, we have photo sharing coming for the game, I’ll just move it up in the product roadmap”. And he did, and it was so successful that he shut down the game and renamed the company Flickr and sold it to Yahoo! for $30 million. So I’ve been a lifelong user, literally one of the first users, of Flickr and Flickr is now part of Yahoo!. When I started putting all of my photos and articulating my social graph on there I felt like I had a good reason to trust Yahoo!, not just because of what the company had done, but because the founder of Flickr was working for Yahoo! at the time (he’s not any more, he founded another company called Slack that’s doing something else rather successfully).

Now it turns out that Yahoo! is delivering rootkits for the NSA in its infrastructure, so there is no irrevocable element about my relationship with Yahoo!. And that manifests slowly over time because things fall apart, Yahoo! got worse and worse and I was more and more bound to this declining thing as the years went by. I think that the thing that made FLOSS powerful was the inability to take away and turn around the freedom that had been granted in the name of FLOSS. But DRM is actually a mechanism for doing just that—DRM has a very slow fuse because it only applied to locks that restrict access to copyrighted works. Originally that was for things like making sure people didn’t de-regionalise DVDs or make third-party CDs that played in Sega Dreamcasts. People tried to use it to restrict what people could do with printer cartridges—in the mid-2000s Lexmark sued a competitor called Static Control Components. They said ‘We have a 12-byte long program in our printer cartridge, and that program registers when the cartridge is empty. So if you refill it, you won’t be able to use it because the cartridge still thinks that it’s empty. So when SCC reverse-engineered that chip, it violated our copyright, because we have a copyright on that 12-byte long program’. The Federal Circuit said that a 12-byte program isn’t copyrightable—it’s too short. But now an ink cartridge, a lightbulb, any of these technologies have full-blown operating systems—they have embedded Linux, networking stacks, Wi-Fi access points, all kinds of technologies that is assuredly copyrightable. If Linux isn’t copyrightable then the GPL doesn’t apply to it, so we’d better hope that Linux rises to the standard of copyrightability.

What’s happened is that over time software stacks have gotten so cheap that they’ve infiltrated all of our technology, which has allowed DRM to be used to configure that technology so that legally you are only allowed to use it in a way that is most beneficial to the manufacturer. So ironically the proliferation of open source software components, along with this dumb law from the mid-1990s, has managed to make DRM into this triumphant force in our new software-industrial complex.

LXF: The inclusion of DRM as used by Encrypted Media Extensions (EME, required for Netflix) in Firefox has been something of a contentious issue, we used to feel like we were making a principled stand by using Firefox instead of Chrome, but now Firefox doesn’t seem to have quite that same Good Guy ethos, and we sort of mourn for that. How do you feel about Mozilla’s decisions in this regard?

CD: I’m certainly sad about it, I don’t know that I’m mourning Firefox because I still think Mozilla does good work and still I’m a great supporter of the Foundation and I still use Firefox. But I think that it set up a false dichotomy when it decided that the only way it could get users was to put DRM in there. So Brave, which was founded by Mozilla’s former CEO Brendan Eich, it also shipped EME support but without DRM. Brave breaks the DRM and it takes the legal risk. Firefox has more money and more resources than Brave, yet it decided that it wouldn’t take that risk. And so far it hasn’t supported a proposal at the W3C that it’ll promise not to use the DMCA to attack security researchers. I think that Mozilla’s failure to make that promise has been a particularly galling disappointment. And I really hope that we can find a way to work together again on this, because I think that it has and should continue to be a force for good in the open internet.

LXF: You’re an Ubuntu user too, I hear. Do you find Linux as frustrating as do some of our readers?

CD: Ha ha, no it’s not that bad at all. I’ve had frustrations with every OS that I’ve used. I used to be CIO for a Mac shop and there are every bit as many frustrations in every modern OS as there are in Linux. Generally speaking, my software works really, really well. I have two outstanding gripes right now though. One is that some fullscreen videos freeze my computer and require a reboot. That’s a known bug in the chipsets of Thinkpads and the current Ubuntu. The other is the controller for the unified headphone/microphone jack doesn’t work as advertised, and as a result I can’t get an external microphone to work off that jack, which has led to me suspending my podcast.

LXF: Do you use one of the old Thinkpads that can do Libreboot?

CD: Alas no, I wish I could be that pure, but y’know, I need the hi-res screen, my eyes aren’t what they used to be. I used to be a smoker and when I quit my doctor said “You need a better reason than not getting cancer in 40 years to quit because next week you’re going to really want a cigarette and some benefit that’s 40 years off won’t convince you not to have one, you need an immediate benefit”. So I figured, well, I am spending two laptops a year on fags, so I’m just going to give up and buy a laptop every year for the rest of my life. And so every year I buy the new Thinkpad X series and I never feel any guilt and I feel like I’m ahead of the game.

LXF: You’re part of the Apollo 1201 project whose goal is to destroy all DRM.

CD: Apollo 1201 starts with the idea that if we can challenge the legality of Section 1201 of the DMCA, that we can harness the four forces that Lawrence Lessig identified as the levers for social change to get rid of DRM everywhere. Because DRM only really exists because of the DMCA, if it wasn’t illegal to break DRM, then people would just break it.

Technically, the idea that I can make a device that tries to enforce a policy against you by hiding a secret and then assume that you’ll never figure out where that secret is when you have the device—that’s a dumb idea. Even the very best bank safes are kept in the bank vaults, and not in the bank robber’s living room. If your adversary has a device that has a secret in it, then your adversary will find out what that secret is for sure. So DRM without the DMCA, without Article 6 of the EUCD, without Canada’s Bill C11, without New Zealand’s Bill 92-I and so on, without these rules there’s no reason to make DRM because competitors will just come along and break it and make cheaper tools.

So what we say is that if we can just weaken the DMCA, we can introduce some ambiguity into the enforceability of Section 1201 by having a court case that’s moving forwards. There are a ton of high-risk investors who are willing, for example, to invest in Uber on the off chance that some day it will be legal to create Uber, or invest in Airbnb on the off chance that one day that practice will be legalised. There are companies that are prepared to take similar risks to make DRM-breaking technology, because the only reason to deploy DRM is to limit the competition and cause your customers to spend as much money as possible actively buying your product. GM charges $70,000 per mechanic to get a diagnostic tool to diagnose GM cars, and it has designed the cars so that getting the diagnostics out without that tool involves bypassing DRM—so risking a prison sentence or a $500,000 fine.

Once a law is in place no one knows whether that law is enforceable or not. There’s going to be entrepreneurs who come along to break that. And there’s going to be code makers who make code to break it. And they’re going to start coming in out of the cold, it’s not going to be that you download some blob from the internet to unlock your iPhone—it’s going to be open collectives of computer scientists and security researchers who make these tools. So we’ll see industry and technology working together to create markets and code for breaking DRM while the law is changing to make DRM and that’s going to change the norms of DRM. We’re going to have to change the idea that it’s legitimate for a manufacturer to decide how you can use your device.

Right now the pitch that the manufacturers make is ‘Well we never told you you were allowed to use third-party cartridges, we never told you you were allowed to use a third-party app store. If you don’t like it don’t buy it’. That’s not how property works! No one ever told me that I could toast whatever bread I wanted in my toaster. It doesn’t mean that if a manufacturer puts ‘Sunbeam toasters for Wonderbread’ on the box that I’m not allowed to use bread of my choosing in my toaster. But, of course, we’re one vision system away from a toaster that can be configured to only toast manufacturer-approved bread. So we’re going to challenge that norm as well, and we’re doing a bunch of different projects to make that happen.

One of them is this project with the W3C, to get them to reform their practices; to get them to adopt this rule that if you make DRM at the W3C you have to promise not to abuse laws like DMCA 1201. We got the Open Source Initiative to amend its definition of what constitutes an open standard to say that if you make DRM and you don’t have this codicil in your membership rules or licensing rules, you can’t call it an open standard. That’s really important because UK government rules say that they can only procure technology built according to open standards, which means that W3C standards are becoming ineligible for implementation for UK government contracts, so this is a big lever to move, but also to help weaken the legitimacy of laws like DMCA 1201 and Section 6 of the EUCD and so on. So all of those pieces come together over the course of the next decade or so, to kill all the DRM in the world.
