Oblomovka

2025-02-12

a new oral culture

I work in an entirely (mostly) remote organization. Inside that organization, I interact with an extremely decentralized ecosystem. Some of the people I co-operate with the most are in other orgs, some are individual contractors or volunteers, others are conglomerations of mononymed Internet-monikered mystery-types. A remarkable amount of my and my colleagues’ work is aimed at making this whole system less opaque and confusing.

We spend a lot of time jocularly consoling people that this fog-of-peace is one of the consequences of decentralization: but is it any different from working in an impenetrable bureaucracy or a sprawling marketplace? It definitely feels harder, in the same way that I’ve found other extremely horizontal un-organizations (like Noisebridge) more challenging to parse than more trad orgs. There’s a reason why Seeing Like A State talks so much about legibility. Things that are built in other ways to the standard top-down system are going to have to invent their own ways to be legible, or they will hide their functioning in entirely new, impenetrable manners.

A year or so ago, I described one of the frustrations: modern remote, distributed, internet-mediated environments, it struck me, have become oral cultures. And yes, this is me, trapped at last in nostalgic revery, bemoaning the passing of the older memory of a (non-existent) Internet, which was all about RFCs, and beautifully-crafted emails, and well-pruned wikis; and also me whining about Youtube Videos, and Zoom chats, and the tiktoks and the DMs.

But to be honest, it’s not about the Internet getting less literate or some such kneejerk swing. It’s about the multi-modality of real-world human interaction cramming itself into another, narrower-bounded space. Writing is that, of course, a narrower form: but it’s a compression we have a lot of familiarity with, and a lot of scaffolding to support. Orality per se, as a communication medium in itself, has perhaps withered a little recently, back in the real world. We shunted it off to performance and spectacle. Its unsearchability and distance from writing made it a form unsuited for legibility. It sat in phone-calls and radio, answering machines and tannoys. Oral histories are anything but: they’re transcripts, and hard to interpret.

And now, somehow, it’s back — and it’s having to hold up so much more. I predicted, years ago, the rise of informality in the public square, but I didn’t imagine that in pushing more of our life through these high-broadband pipes, that it would switch so quickly from literature, to “video”, to … whatever this is. This chit-chat async glimmer of multiple conversations, hemming and hahing and trying so hard to implement ephemerality.

It’s so flammable, right now, too. We talk and then suddenly misunderstand, and the misunderstandings jump from conversation to conversation faster than we can track. No-one is on the same page, because there are no pages — just scrolling and backscrolls.

I’m not really bemoaning this: it’s another fascinating trail, another thing that demands tooling. And the tooling, like dock leaves, appears magically next to the nettle: I love how AI is able to listen so hard to orality, and hopefully parse and pull it all together. Local AIs, at least; AIs that are ours, not those of a wider surveillance, working to make everything legible, so the state will see all.

2025-01-12

spam, activism and mechabillionaires

I didn’t have a great time when I started at the Electronic Frontier Foundation. It was my first office job in the US (I think I’d got an SSN barely weeks beforehand) and there was a lot to culturally absorb. My predecessors as EFF’s sole activist were Cory and Ren Bucholz; big shoes to fill. Joining an institution you know and respect is, for me at least, a challenge: you have to use your own awe at them letting you in to up your game, but also quickly rub the shine off everything, so you can grow to see your workplace as full of humans instead of demi-gods who will always be smarter and better than you.

The point I finally found my feet at EFF was a campaign I co-ran at EFF in 2006 to stop AOL and Yahoo from adopting a new email technology, primarily promoted by a new start-up called GoodMail. GoodMail had an anti-spam tech which they called “Certified Email”. The deal was that you would buy little tokens from GoodMail, and by inserting them in your outgoing mail, you would demonstrate to whoever received them that you weren’t just a zero-cost spammer, because GoodMail would charge money and also do some basic KYC on you. Sort of a “proof-of-payment/reputation” scheme.

AOL and Yahoo had made deals with GoodMail whereby if they saw that you’d spent a GoodMail token on an email to their customers, you’d skip their spam filters. The precise nature of the AOL/Yahoo-GoodMail deal was unclear. Did the token let you bypass all the spam filters? Was it even possible to be filtered if you had a token but broke some of AOL/Yahoo’s other rules? Would AOL/Yahoo tighten up their other resource-intensive, technologically complex spam-filters now that there was a guaranteed, fixed-cost (for them) method they could redirect people to use? Did AOL/Yahoo have a profit-share, which would mean they were actively rewarded for getting people to pay to go over the filter?

It was a strange mix of quite subtle (and tentative) economic and policy arguments about principal-agent problems, free speech, ISP monopolies, and even proto-net neutrality — with an incredibly direct and emotional hook for anyone who used email for political or fundraising purposes. We’d originally been flagged about the issue by MoveOn.org, then the major online movement org for the Democratic left, but they were quickly joined by apolitical charities and grassroots groups from the right, too. All of them depended on email for timely fund-raising and activism, and all of them had struggled with email delivery. The idea that they were now going to be (to their ears) pressured to pay private third-parties to deliver messages to their members, to go over their already-malfunctioning spam filters, seemed outrageous, even a bit sinister. What would happen if they didn’t pay? What would happen if their political opponents paid, but they did not?

I was, personally, very unsure of the pros and cons of GoodMail. We debated them a lot, in detail, at EFF. It was an intellectually demanding ride. Everyone at EFF at that time was familiar not just with making policy decisions, but with having to dig entirely new thought-derricks in unexplored oilfields of sticky, dark, internet policy weirdness.

In the end, we decided that while we didn’t think pay-to-play emails were something that should be illegal, it was definitely something we should make people aware of, so that spamfilters didn’t get any worse or captured if it was just silently accepted. So I got together with MoveOn’s activists, and started the usual gears of press releases, petitions, and politicking.

Holy cow. Up until then, by definition, I’d been dealing with (then) obscure points of nonpartisan tech policymaking that EFF-supportin’ nerds cared about: keeping encryption legal, stopping surveillance, good copyright policy, not throwing hackers and technologists in jail over misunderstandings or malignity, and so on. This was all pre-SOPA, pre-net neutrality, pre-Snowden. In these domains, we would at best get a few thousand people writing to Congress, and maybe meetings with a handful of lawmakers or tech executives. Or we’d co-ordinate to get some tool built that would just make our position inarguable or simply make the problem go away (q.v. Deep Crack, Switzerland, then later Privacy Badger, Let’s Encrypt). Or go to the courts, which was EFF’s primary lever for change.

The GoodMail issue was relevant, however, to a much bigger constituency. And that constituency included almost every significant online activist group. Within days of launching our campaign, we were joined by hundreds of orgs, big and small, right and left. The ACLU, Gun Owners of America, cancer patient resource networks, churches, party activists. I must have used the term “strange bedfellows” hundreds of times when talking to the press.

I was also thrown in with the A-League professional activists. I was a good activist for a geek, but these people were at another level. Adam Green, Tim Karr, Eli Pariser, Becky Bonds. I had to run to keep up, and I learned a lot: about what worked, what didn’t — and what worked well but I personally never wanted to do again. I had to up my game but also keep my head.

There’s certainly a blog post to be written about the internal culture and incentives of activists, and maybe one day I’ll write it, but this is more about my immediate thoughts as I realised the scale and skill of the (primarily) online progressive movement, even in those early days.

A lot has been written about the influence of billionaires in US and global politics — mostly from the left, but also a surprising amount from the right. To say the obvious, one feature of what makes billionaires effective (and may it break my decentralist heart to say it) is that they are centralized loci of co-ordination and control. A single rich person marshalling large resources is a time-old way of getting what that person wants done, whatever that thing is. Is Musk competent to build electric cars and rocket-ships? I mean, whether he did that through marketing or luck or a narrow set of skills or lying or scientific knowledge, those were his set of aims, and they happened. There are a gazillion other billionaires who have not been able to achieve some of their aims even with all that money, but I think whatever political theories you espouse, the idea that billionaires have more potential autonomy than the average Joe seems undeniably true. And the answer to why is mostly, uncontroversially — well, they have more money.

But collectively, non-billionaires also have money. I think it’s reasonable to say that the percentage of people in the world who have an egalitarian, public-goods supporting, broadly progressive model of social improvement has to be at least 30%-60% of the total population. And while many millions of those people have very little cash to give — if they do, they would be willing to donate some of it to that cause. Just overseeing a glimpse at the GoodMail campaign showed the breadth of the left-leaning activist community and its fundraising clout. Individual causes always fight to have enough money and influence to achieve anything. But the progressive movement — or any grassroots-supported major political tendency — has collectively an amazing amount of global aggregate resources at hand.

(How many averagely-salaried progressives does it take to make a single billionaire? OpenAI’s o1 thinks it’s in the hundreds-to-thousands range. I think that’s much too low — it’s presumed that a billionaire has discretionary spending of about $50 million a year, which seems low, especially given that a billionaire can marshal influence and resources way beyond the literal dollar amount of spare cash.)

Of course, it’s not just the money that billionaires have. Collectively, actors who might be described as broadly opposed to billionaires may have the money to tackle the rich. What they lack is the ability to co-ordinate as effectively as a billionaire can co-ordinate with, well, themselves.

Some version of this in progressive or Marxist terms is what is described as “class loyalty”. The grumbling point is that the rich have more of that than the poor. But that’s not a moral failing of the working class — that’s a distributed collective action problem.

If you take the idea of democracy seriously, or perhaps even of just the necessity of public goods seriously, the vast majority of political problems are collective action problems.

Which, to me, makes them also tooling problems. The reason every online activist organization in the 2000s convened to stop Certified Email was because email was a new coordinating tool that gave them access to resources, labor and coordinating capacity that was latent before then, but never usable.

Much of this coordination was in pursuit of seizing control of the levers of power — but that was for the sake of access to more coordination tools. Activists lobby governments because governments can execute on the changes they want. That’s often necessarily a zero-sum game.

And the more we can coordinate together, the less we need to coordinate against others. This lies at the heart of mutual aid and much of state-formation. Fundraising within your neighborhood mostly doesn’t put you at odds with other neighborhoods, and that sum total can be applied to the problem at hand. States and other large-scale organizing systems emerge as much to minimize co-ordination problems within those states as to arm and defend against external actors.

We didn’t win the GoodMail “battle”, by the way — Yahoo and AOL both deployed the tool, despite our best efforts. But in the end, their technology didn’t succeed in the market. I think my colleagues on the activist side would like to think that our campaign made a difference in discrediting it. I hope to chat with the GoodMail folks one day and see whether they think that was the case. I remember talking to a friend in the anti-spam world after the whole affair, and that he’d felt the whole fight was a misallocation of resources by EFF and other groups — that GoodMail was a bad idea from the start, and was doomed to failure or minor obscurity in the marketplace rather than becoming a major threat.

It’s hard to know what tools will succeed, and what their negative externalities are. But the tools make an outsized difference. Bitcoin was partly inspired by a GoodMail-style anti-spam technique called hashcash. A huge chunk of political funding is now coordinated through tools that were built around those early web email mailing-lists.
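Hashcash swaps GoodMail's purchased token for proof of work: the sender burns CPU time to mint a stamp bound to one recipient, and the receiver checks it with a single hash. The sketch below is an added example, not code from this post or from the hashcash project; the address, date and salt are constructed, and as simplifications the counter is hex rather than base64 and the stamp-expiry check on the date field is left out.

```python
import hashlib
import itertools


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource: str, bits: int = 16, date: str = "250112",
         rand: str = "constructedsalt"):
    """Sender side: search for a counter that gives the stamp's SHA-1
    at least `bits` leading zero bits. Expected cost is about 2**bits hashes.
    A real sender uses a fresh random `rand`; it is fixed here so the
    example is reproducible.
    Returns (stamp, number_of_hashes_tried)."""
    # Version 1 stamp layout: ver:bits:date:resource:ext:rand:counter
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        digest = hashlib.sha1(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1


def verify(stamp: str, resource: str, min_bits: int, spent: set) -> bool:
    """Receiver side: one hash plus bookkeeping.
    Rejects stamps that are malformed, addressed to someone else,
    claim too little work, were already used, or do not carry the
    work they claim."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    try:
        claimed = int(fields[1])
    except ValueError:
        return False
    if fields[3] != resource:      # stamp was minted for another mailbox
        return False
    if claimed < min_bits:         # sender did not pay the local price
        return False
    if stamp in spent:             # replay of a stamp seen before
        return False
    digest = hashlib.sha1(stamp.encode()).digest()
    if leading_zero_bits(digest) < claimed:
        return False
    spent.add(stamp)               # remember it so it cannot be reused
    return True


if __name__ == "__main__":
    seen = set()
    stamp, tries = mint("alice@example.org", bits=16)
    print(stamp, "cost the sender", tries, "hashes")
    print("first delivery accepted:", verify(stamp, "alice@example.org", 16, seen))
    print("replay accepted:", verify(stamp, "alice@example.org", 16, seen))
```

The asymmetry is the whole design: each message costs the sender thousands of hashes and the receiver one, which is the same "not a zero-cost sender" signal as a paid token but with no third party collecting the fee.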

With better co-ordination tools and understanding, there’s a possibility of building collective mecha-billionaires that can function under the direction of progressive or other mass groups, and democratize the co-ordinating abilities of real billionaires, and possibly some of their externalities also: positive and negative.

2025-01-04

L’Affaire Dittmann

I’m not fond of Twitter as a communicative form — I still believe that the question “what if we put everyone on the same IRC channel?” was one that we didn’t need to run an experiment to answer. But I am enjoying having multiple reincarnations of Twitter, from the individual yurts of the Fediverse to the highrise tower of Bluesky’s Shared Heap, even unto the crowded souqs of Farcaster and the dotted Nostr seasteads on the far horizon. The Internet is a metamedium and it should not have a strong flavor, but every little created medium on it should serve a different palate.

And then there’s the original, the Ur, the Babylon of short-form shitposting, the Neo-Assyrian neorx CEO kingdom of X. What a strange place that is now! I respect my friends who, long long before I did, saw the seed of MAGA Musk in Elon. I think modeling people, and systems, is important, even if, particularly if, you find yourself opposed to them. And not recognising, not being able to predict Elon’s implied trajectory, was a failure I took to heart, if only because a huge chunk of my job for the last decade has been, if not predicting, then at least how to swiftly recognise an impending trope before it happens.

So, talking of recognition: the #resistance of BlueSky and X underground both spent this week poring over the thoughts, X spaces, and Fortnite livestreams of one “Adrian Dittmann”, an X personality who acts and sounds uncannily like Elon Musk, if Elon Musk had a pseudonymous Finsta-ish account for when he was too Elon for main. And given Elon’s main, that’s a pretty spicy alter.

So is he Elon? Well, stranger things have happened, but I really don’t think so. I feel like I’m spoilering about a week or so of social media entertainment for you here by not trying to lead you down the rat-hole of evidence in favor of Dittmann-Elon, but this Spectator piece, apparently based on research conducted by crimew and friends, lays out the counter-argument — in that they kinda doxxed the real Dittmann. It’s not, as the lawyers say, dispositive, but I think it holds water better than the pro-Dittmann!Elon arguments. (I’m using the fanfic bang notation here, where Dittmann!Elon is an official variant of the canonical Elon).

In which I mea culpa about Elon, and talk of individual leaders as poor load-bearing materials.

Anyway, at the risk of looking like an idiot again regarding Musk, let me assume for now that Dittmann does not equal Musk, and explain to you why so many of the people that I think were right in predicting Musk’s Ascent to MAGAdom, might be less good at finding the truth behind this story.

The key point is that what drew people into believing Musk == Dittmann is that Dittmann consistently acts like Musk badly, unsuccessfully covering up his identity as the world’s richest man. He’s evasive about his real identity, he makes errors that Musk might make (like saying “I” when he seems to mean Musk), he says things that map to what Musk appears to think, but much more bluntly. When pressed on whether he is Musk, he rarely denies it, and changes the subject or ends the conversation.

These all seem like slam-dunk arguments for Dittmann!Musk — unless you’re also maintaining in your head the counterfactual. These are all behaviours that Dittmann!Adrian also has a good reason to pursue as well. He gets more views, more participants, more followers from being mysteriously Musk-like.

We can model Dittmann!Adrian’s behaviour as a conscious decision: he is acting at all times like he is almost certainly Musk, because that translates into money and fame for him. Or we can model it unconsciously — the closer he behaves in a Musk-like way, the more those things happen, so he just naturally gravitates to them.

That raises the question though: why is he so bad at pretending to be Musk? Could Dittmann!Adrian do a better job of masquerading as Musk — to do a better job at pretending to be him? Like, rather than being an idiot Musk who always gives things away to canny Fortnite livestreamers, could Dittmann manufacture something that more convincingly indicates he’s Musk (while being a lie)? Well, maybe, but that’s a dangerous game. If he really was trying to seriously pass himself off as Musk, Musk would have a good reason to squash him like a bug.

In the universe where Dittmann!Adrian exists, and Adrian isn’t Musk, Dittmann mostly benefits from living in a grey zone, constantly playing coy about whether he is a wave or a particle, to keep you wanting to observe him. I mean, I’m doing it now, feeding the Dittmann fever here! Dittmann’s status mostly depends on the ambiguity of his identity. (Honestly, there’s probably a fine post-ambiguity career for him as a “I Was Elon’s Double” tell-all: but that’s got risks of its own.)

On the other other hand, a lot of people still think that Dittmann is Musk — both Musk-lovers and Musk-haters. Even now, I feel shaky saying that I think we live in the Dittmann!Adrian universe. I know lots of people are going to disagree, and ask me for more evidence.

All I can say is that we — I — often come to believe things to be true because a wide subsection of people believe them. That group doesn’t have to be particularly monolithic. They may believe them from different angles. Elon-haters love the Dittmann!Elon story because he comes across as a dumbass misogynist troll. Elon-lovers love it because — well, for the same reasons, but with a positive valence. The cost/benefit of a journalist writing an article that keeps the question going, rather than actually doing a bunch of work to definitively answer it, leans strongly toward just keeping the story bubbling.

I continue to believe that sharing our various beliefs — even flawed or wrong beliefs — into a public space helps us get closer to the truth. Or at least, we don’t have any better methods that don’t include this initial pooling capability. But one of the failure modes of the modern Internet occurs when a large number of people have incentives that align — but align to point away from the truth, even as the evidence mounts up, in the backwaters and interstices.

It’s significant to me that the only people who did the digging against the Dittmann!Elon thesis seem to be a group of extremely queer internet detectives, and the only people who seemed inclined to publish it was a conservative media outlet whose incentives don’t quite align with the rest of the Musk-watching media.

Dittmann!Adrian and Dittmann!Musk aren’t playing their game directly toward either of those two groups, so they’re both in a good position, and with good incentives, to look in a different direction, think in a different way, and then publicise a different view. This is what diversity should be, and why co-operation (whether trustful or not) between diverse agents is so vital in seeking the truth. Whatever that is.

2025-01-03

getting out of bedrock

Continuing the Old Hippy mulling: instead of just trying to make old fires spontaneously light again using the same old ashes, my thought is — how do you find a role for the values, for the insight, and keep that in a place that preserves the best of it? I wrote about this a fair bit, though somewhat elliptically, a couple of years ago in Terminal Values, Cognitive Liberty. The argument I was trying to answer there was the one in favor of abandonment. “Free speech, free software, encryption, digital autonomy: these are nice, but what are they for?”, goes the question. I see this as that part of the “wait, are we the baddies?” conversation, an even more dispiriting rhetorical question that boils down to “what are we even doing this for?”

(To be fair, I ask this about everything, usually 30 seconds into doing it. I ask it about getting out of bed, shaving, writing this, dressing a child, baking a cake. But I do need an answer. Many people do not, or at least they are driven by an internal motivation to, say, backport Grand Theft Auto III to the Dreamcast, or make a 777 model from manila folders, rather than to go searching for why they even bother.)

The natural exit from Old Hippydom is to leap into the New Thing. Or take a step back into the Old Thing You Were Doing Before Being A Hippy. All good responses! But if you want the culture you built and valued to persist you need to find something a little bit more timeless to hang its hat upon.

Long-time readers will recall that I’ve spent twenty years or so trying to answer two questions: a) “How many people do you need to be famous for?”, and b) “How deep is geek culture?”. I have mostly settled on two temporary answers, which were a) 7000 (thank you, Stewart Lee), and b) “not as deep as politics”. By the second, I meant that geek culture became a broad mainstream movement (far greater than I could have imagined), but it ultimately could not keep itself together, faced with a greater rift across the political spectrum. Its concerns seemed shallow, petty, uninteresting and irrelevant — its speakers could not resist being drawn into that wider conversation, that set of frames. I make it sound like a personal failing, but I don’t. Politics is important. All I mean is that when you see someone who is a member of a technological subculture, you can also, and primarily, place them on a political spectrum. And which is more culturally important? Politics. It is higher up in the z-ordering of the display. It has priority.

“Everything is political” is a claim that seeks to explain this; I don’t think it does, just as “Everything is religious”, or “Everything is biological” don’t do more than describe other potential orderings. I suppose I could make the claim that “everything is technological” — which is what I try to discriminate my position apart from in Terminal Values. What I am trying to say is the set of values that you can draw from digital technology — especially if they were the ones that you imprinted on in its first fifty years, have weight and importance that can outlast temporary blooms in cultural popularity and relevance.

Newtonians dreamed of a clockwork universe, Darwinists saw everything evolve; their models weren’t as overpowering as they might have imagined, but those positions (and their critiques) add to the overall symphony of explanations and justifications.

I guess what I want to explore a little is, not what is left or salvaged from the digital revolution, but what persists. What is useful, not in the sense of serving new or temporary sets of concerns, but what will remain useful when we are gone. And for that we need to dig deeper than politics, or culture: to some even deeper bedrock.

2025-01-02

teaching old hippies new tricks

Around about 2000, I began to consider how it would be, when and if I became an Old Hippy.

Old Hippies had been a common part of my cultural heritage ever since the Eighties, when it was generally understood that they were a terrible embarrassment to everyone — including, somehow, hippies. They continued to wear the fashions of the 1960s long after everyone had moved on, they grabbed you on the street and tried to explain to you about hemp or organics or vegetarianism, and they played very bad music on their shameful acoustic guitars at otherwise perfectly salvageable parties.

The dominant feature of Old Hippies is that they had overstayed their welcome: clinging onto a culture that had faded away, trying to re-start arguments that had turned ashen cold, manning barricades that had long been dismantled. The world had moved on, but the Old Hippies had not.

In 2000, full of the excitement and zeitgeistiness of the Internet, a happy little barricade-warrior of the moment, I still had enough sense to think about how I would feel when it was all history. Would I move on? Would I just be an Old Hippy, only talking about the World Wide Web and modems instead of Glastonbury and The Mamas and the Papas?

You didn’t need to be very old to be an old hippy, at least for someone as young as me. I remember a friend of my sister noting that one of their friends had somehow ended up an old hippy in their mid-twenties. The canonical old hippy in my understanding was Neil from the Young Ones, who was a college student. Thinking about it, if you were 25 in 1969, you were forty in 1984.

I am 55. I have been an old hippy for nearly a decade. I knew it, but I didn’t want to talk about it. Instead, like baldness or liverspots, I just watched it form, in a deadly fascination, on myself and others.

A few fates that I’ve avoided, barely: one is joining the Nineties Internet Re-Enactment Society, where communities scrabble to re-inforce the dominant vibe of — what, two? three? years maximum? — the early networks. I mean, I still have it in my habits — my dinky RSS reader, my affinity for plain text, email. A co-worker described watching me work as “like someone playing one of those adventure games”. I can see it.

I (mostly) don’t try to enforce all this onto the world, or tut-tut those who don’t get it. I know why I got it. I learned vi to impress a girl; I liked incantations and real names and esoterica. The Nineties internet was in many ways, an expansion of 1980s America, and learning UNIX in a foreign country was like decoding what TGIF was, and what were Saturday Morning Cartoons, and Saturday Night Live, and Sunday NFL: the feast days, the martyrology, of an alien dominant culture.

There’s a tradition you draw from, but the tradition evolves, it doesn’t mindlessly recreate. You don’t stay in the moment that you entered that tradition. My daughter says that Discord is IRC for young people, Slack is IRC for old people, and IRC is for people who can’t get out of their chair. I use Discord, and Slack, and barely remember to log into IRC (are there really 3,416 messages waiting for me in #neomutt?). I’m not trying to stay hip, chat, I’m just continuing to float downstream.

A related path of old hippydom I could have taken, which is deciding the web is it. This is more old hippydom for 2000s kids: the post-WHATWG apotheosis of web as the once and future platform. Why would you want (WWyW) anything else? You got your virtual machine, your abstracted i/o, your interop, your package delivery, your security model, what else do you need? Bluetooth?

I think getting burned out at the W3C punched this out of me. The EME fight was partly predicated on a belief that if they didn’t let DRM into the web platform, then the W3C would lose part of the universe to native apps, and that must not happen. I remember at one meeting saying, in effect, “would that be so bad? That maybe DRM is just a thing that is so alien to the web model, that it is better to leave it outside?” But the feeling was that if the web was not everything to everyone, then it would lose.

The emotional response in me was, then let it lose. But that wasn’t right: but it certainly figured in me thinking that maybe the values that I wanted to stick around for, that I wanted to keep as the core of my old hippydom, did not necessarily just stay in one technology, or one era. If I was going to act like they were eternal values, worth freeze-drying myself for, they should and could move between implementations, and across decades.

2024-08-25

Pavel Durov and the BlackBerry Ratchet

Why do governments go after companies and executives of services of more weakly encrypted tools?

It’s very hard, this early, to pierce through what’s going on with the French authorities’ arrest of Pavel Durov, the CEO of Telegram — but that doesn’t stop people from having pet theories. Was it retaliation from the US and the FBI for not backdooring Telegram? Was it a favor to Durov so he could hide from Putin? Was it just the grinding wheels of French justice?

I’m sure we’ll understand more details of Durov’s case in the next few days, but motivations — especially those anthropomorphically projected onto entire states — are never really resolved satisfactorily. If you think LLMs lack explainability, try guessing the weights of a million human-shaped neurons in the multi-Leviathan model that is international politics. It’s not that we’ll never have explanations: it’s just that we’ll never be able to point to one as definitive.

Of course, the intractability of large systems never stopped anyone from trivializing those crushed under their lumberings with a pat explanation or two on a blog. (It certainly won’t stop me, who, when I was a columnist, made more-or-less a career out of it.)

So let me dig out an old theory, which I think may fit the facts here. I think Durov and Telegram are prisoners of the same ratchet that trapped Research In Motion (RIM)’s BlackBerry in the 2000s.

Back in the Before iPhone Times, BlackBerry was a cute range of mobile devices with a little keyboard and screen that offered low-cost messaging in an era when phones were bad at everything that wasn’t “talking to people” (and they weren’t great at that).

We think of mobile phones these days as individually-owned devices — intimately so — but BlackBerrys were the stuff of institutional purchasing. In the 90s, companies and governments bought or rented BlackBerrys en masse, and handed out the units to their staff to keep in touch. In the pre-cloud era, these institutions were cautious about ceding a chunk of their internal comms infrastructure to a third-party, let alone a Canadian third-party, so RIM built reassuring-sounding content privacy into their design. A chunk of the message-relaying work was done by “BlackBerry Enterprise Server” which was closed-source, but sat on-prem. Corporate BlackBerrys could send instant messages directly to one another, via RIM’s systems, but enterprises could flash their users’ devices with a shared key that would make their messages undecipherable by anyone who didn’t have the key, including RIM or the telecomms networks the message passed over. None of it would really pass muster by modern cryptographic best practices, but it would be enough to get a CTO to sigh and say “ok, seems good enough. Sure.”, and sign off on the purchase.

Importantly, though, a lot of this encrypted security was optional, and protected these comms at the organizational, not individual, level. Companies could turn message privacy on and off. Even when turned on, the company itself could decrypt all the messages sent over their network if they needed to. Useful if you’re a heavily-regulated industry, or in the government or military.

Now, BlackBerry users loved their little type-y clicky things, and inevitably RIM realized they might have a consumer play on their hands (especially as smartphones began to get popular). They started selling BlackBerry devices direct to individuals via the mobile phone companies. RIM and the telcos played the part of the institutional buyers in this deal — they could turn on the encryption, and had access to the messages, although it was unclear from the outside who played what part. Did the telcos flash their devices with a shared key, or did RIM? Who was in charge of turning the privacy on and off?

All this ambiguity made infosec people leery of RIM’s promises, especially with consumer BlackBerry devices. But in general, people read this all as meaning that consumer BlackBerrys were secure enough. After all, even President Obama had a BlackBerry, so that must mean something?

Apparently so: Around about 2010, governments started publicly attacking RIM and BlackBerrys as a threat to national security and crime prevention. Law enforcement agencies started complaining about RIM’s non-cooperation. Countries like the UAE and India talked of throwing out RIM from their country entirely. It was the first big government vs internet messaging drama to play out in the press.

At the time, this puzzled me immensely. From the viewpoint of infosec insiders, spooks should have loved RIM! BlackBerrys were actually kind of insecure! If you wanted to get at the messages of individual BlackBerry customers — including, most visibly, drug dealers, who loved their BlackBerrys — you just had to hit up the (certainly domestic) telephone company they were using and get that shared key. Or you could maybe mandate what key that would be. You didn’t need to put pressure on or ban RIM to do this!

But as I dug into it, I realized what may have been going on. RIM and the telcos had been helping the authorities, to the best of their abilities. They probably did a fair bit of explaining to the authorities how to tap a BlackBerry, and may even have done some of the heavy-lifting. When it came to consumer BlackBerrys, RIM didn’t have the hard and fast line of a Signal or other truly end-to-end encrypted tool. They could hand over the messages, and (as they would sometimes protest) often did.

But, crucially, they could not do this in every case. The reasons why they could not were primarily bureaucratic and technical. The drug dealers might have got smart and decided to change the key on their network, and neither RIM nor the cops had a device to extract the key from. Or the authorities might want info on a corporate BlackBerry, which was uncrackable by BlackBerry using their existing infrastructure. Or a BlackBerry’s shared key might have been set by the phone company, not RIM, so RIM couldn’t directly co-operate, and needed to refer them back to the telco — who might have just cluelessly bounced them back to RIM. That kind of shuttlecock-up happens all too often, and it’s easy for the tech company to take the blame.

Ultimately, the problem was that RIM could not 100% state they had no access to BlackBerry data at all. They complied with some requests, but not others. The reasons were generally technical, not political — but they sounded to law enforcement and intelligence community ears like they were political.

Those political actors were not entirely wrong. RIM had made political decisions when designing the privacy of its tools. In particular, they had promised a bunch of customers that they were secure, and let a bunch of other customers think they were secure. RIM’s critics in governments were simply asking — why can’t you move the customers that we’d like to spy on from one bucket to the other?

Declining to do this was an existential commitment for RIM — if they undid those protections once, none of their major military and corporate customers would ever trust them again. They had to fight the ratchet that the governments were placing them in, because if they didn’t, their business would be over. And the more they fought, the angrier their government contacts became, because hey — you’re already doing this for some people. Why aren’t you doing it for this case? Law enforcement saw this as a political problem, so responded to it with political tactics: behind-the-scenes pressure, and when that didn’t work, public threats and sanctions.

Durov and the Ratchet

As with BlackBerry, I think a lot of infosec professionals are again confused as to why Telegram is getting it in the neck from the French government. It’s not even a well-designed tool. And I think the reason is the same: like BlackBerry, because of its opt-in, weakly protective tooling, Telegram can, and does, assist the authorities in some ways, but not others. I don’t mean this in a damning way — if Telegram gets a CSAM report, it takes down a channel. End-to-end encryption is opt-in on Telegram; they really do have access to user information that, say, a Signal or even WhatsApp doesn’t. There’s no technical reason for it not to have features on the backend to deal with spam and scams: a backend which — unlike an end-to-end encrypted tool — can peer in detail at a lot of user content. The authorities can plainly see that Telegram can technically do more to assist them: a lot more.

So why doesn’t Telegram do more to help the French government? As with RIM, Telegram’s excuses will be convoluted and hard for political authorities to parse. Maybe it’s because the French requests are for data it doesn’t have — chats where the participants were smart enough to turn on encryption. Maybe it’s just that if they provide that service for France, they’d have to provide it for everyone. Maybe France wants to see Russian communications. Maybe Telegram just doesn’t have the manpower. But the point here is that Durov is caught in the ratchet — the explanations as to what Telegram can and can’t do are a product of contingent history, and the French authorities can’t see why those contingencies can’t be changed.

If it sounds like I’m basically victim-blaming Durov for his own lack of commitment to infosec crypto orthodoxy here, I want to be clear: best practice, ideologically-pure end-to-end apps like Signal absolutely face the same ratchet. What I’m mostly trying to understand here is why Telegram and BlackBerry get more publicly targeted. I think the truth behind the amount of pushback they receive is more psychological than cryptographic. Humans who work in politics-adjacent roles get madder at someone who concedes part of the way, but refuses to bow further for what seem like political reasons, than at someone who has a convincing argument that it is mathematics, not politics, that prevents them from complying further, and has stayed further down on the ratchet. Not much madder, but mad enough to more quickly consider using political tools against them to exact their compliance.

Echoing BlackBerry’s woes, I don’t think Telegram’s security compromises are a product of government pressure so much as historical contingencies. But I do think its weaknesses have ironically made it a greater target for the kind of unjust, escalatory, fundamentally ill-conceived actions that we have seen against Durov by the French authorities.

The motivations of government officials are hard to guess: but I do think it is accurate to say they see the world through political, not technical lenses.








2023-04-11

walking around without an opinion

I didn’t write for a bit. The world doesn’t end; I still get paid; it’s all good. Also, I had no opinions to speak of.

Well, that’s not true. For instance, if I took a moment, and I might soon, to write about the fading away of the arcane knowledge of the link. (As a run-up: when people send you things, do they include in-line links? To the things they’re talking about? No? When you’re on Zoom, do you watch people showing you video of blue underlined text, which you can’t click on? Do people seem to know how to pull links out of the apps they’re using, to send you? Or do they use … shudder … screenshots?)

But that’s for later, because I’m sleepy. I’m mainly going to note here that I want ways to talk about things — maybe share things — that are half-opinions. There’s a link to, err, links here: link dumps were a way to hand-wave towards this. I think there’s a form, a model, an intimation here. How do you distribute a half-formed thought?


2023-03-28

Program Think

I admit that, post-EFF, when I read about some terrible Internet regulatory proposal, or knotty problem of digital ethics, I often have a burst of “well, thank goodness it’s someone else’s job to deal with this now.” (Except for the narrower domain that is still my problem, I guess).

And then again, sometimes, I just feel the same pain as before. I read this article today, on a Chinese cybersecurity worker, jailed for seven years for a crime the authorities wouldn’t disclose, even to his wife. She is pretty sure she has finally worked out what that crime was: her husband was Program Think, a prolific anonymous blogger whose postings stopped the day before her husband was arrested:

The freewheeling blog offered a mixture of technical cybersecurity advice and scathing political commentary – including tips on how to safely circumvent China’s Great Firewall of internet censorship, develop critical thinking and resist the increasingly totalitarian rule of the Chinese Communist Party.

The blogger took pride in their ability to cover their digital tracks and avoid getting caught – even as a growing number of government critics were ensnared in Chinese leader Xi Jinping’s strident crackdown on dissent.

Having worked on EFF’s international team and before that at CPJ, I find that Program Think has a familiar feeling: the independent, “arrogant” techy, staying up all night to write because something is not only wrong on the Internet, but wrong in the country, too. We still tend to characterize them as bloggers, but before, during, and after peak blogging, they were also independent journalists, and writers, and cranks, and nobodies, and brilliant alternative voices.

Popular sympathy about this kind of character has faded recently in the West, but they do keep typing. I have a lot of criticism of the U.S., Europe, and much of the rest of the world too, but I’m relieved that I’m somewhere where a seven-year sentence for writing what you think is not culturally accepted, isn’t coded into the law, and is recognized as an aberration by the majority of the establishment, and almost certainly the population too.

“Since June 2009, (Ruan) has used his computer to write more than a hundred seditious articles that spread rumors and slander, attack and smear the country’s current political system, incite subversion of state power, and intent to overthrow the socialist system,” the court verdict said.

It added that the articles, published on overseas platforms, attracted “a large number of internet users to read, comment and share, causing pernicious consequences.”

Program Think’s archive is still available, on blogspot.

2023-03-27

home-grown talent

I’m downloading the large language model llama-13B-hf as we speak, hoping to get it going on the GPU I have for games. What strange gloss will they put on this moment in history, where machine-learning at home was enabled by videogame users who couldn’t bear to shift from general-purpose computing machines to consoles?

My iron self-discipline will surely prevent me from playing around all night trying to get this to work. My hope is to continue the experiment that I began with GPT3, which is using it to filter and translate my social media feed. Even on Mastodon, I still feel those jolts of anxiety when someone confidently shoots a verbal gunshot into the air, and I watch it arcing across the sky, landing, accidentally or not, into my heart.

(So far, it’s not running because of a capitalization typo. I am impressed that people think we have the wherewithal to practice AI Safety when we can’t even agree on how to capitalize “LlamaTokenizer”.)

Anyway, so my plan is to use this to identify posts that would upset me, and rephrase them in a form that preserves their meaning without giving me that gut-punch. Is that bad? Am I cloaking myself from the truth by doing this? Letting a MACHINE mess with what people are saying to me?

I’m not sure there’s a coherent position that works against that. I choose what I read all the time. I’m seeking to preserve the content of the message, if not its tone. If anything, I’m trying to make it less likely that I’ll ignore, filter, or refuse to engage with it. (I also want this system to summarize and re-iterate the posts that it most mangles, so I’ll always have some extra reminder of what I’m missing.)

Of course, I’m being an absolute angel about how I do this. But will everyone else carefully construct a system to answer the most obvious objections? Another outrage, I guess. But how will I know you’re outraged? How will you know who is doing this at all? (And will they really want to?)

(I got it working. In the initial test of commonsense, it told me that ants have four legs. When I asked it again how many legs an ant has, it said:

“Answer: Six, because you can’t have eight without a pair of pants on.”

Closer I guess. Time to PUNISH IT FOR ITS FOOLISHNESS.)

(Update: I fed it the Alpaca Lo-Ra. Now it says:

An ant has six legs for movement and to carry its food. Ants use their legs to move around quickly and efficiently, allowing them to find food sources and avoid predators.

Well, mostly it says this. After multiple iterations, it once added that they have another couple of extra legs for picking up food, but hey, easy mistake to make.)

2023-03-26

ai, meta, curiosity

More things that I’ve noticed about integrating LLMs into my workflow:

I also spent some time today catching up on that last piece of hype, Meta’s VR bid. I don’t like to dismiss anyone’s work, but it’s strange how Meta has been shifting tone from Oculus’s gaming vibe to something more … generic? Flat enterprise? People poke fun at Mark Zuckerberg’s avatar, but honestly it’s really hard not to look like cyberzuck in the new environment. It’s just got this very bland feel to it. Also, the rough edges from the old Oculus Quest software still seem to pervade the whole platform, but without the wow factor to drive it. It was kind of fun to mess around trying to get your hands to work on the Quest. In this new world, I mostly spend my time trying to link user accounts and clicking on privacy options. I feel like I’m moving slow over broken things.
