following the referers to the edge

My day job and my current obsession conveniently criss-crossed today: Rebecca MacKinnon, co-founder of Global Voices, and one of the most perceptive commentators on the international Net writing in English, wrote a thoughtful piece on the edge, and Silicon Valley’s benevolent dictatorship. As a suddenly-outed lbrtrn, of course, I must toe the party line and say that, despite Rebecca’s concerns, capitalism really can bring freedom to everyone (in the event of capitalism failing to comply, please return within 7 days in original packaging for full refund and your ecology back).

More sceptically, I do marvel how much we currently depend on the fair-weather compliance of others to preserve our privacy and our liberty — both from corporations and from individuals.

It’s not just Google suddenly throwing up its hands and going “Alright, sinister government guy, take everyone’s data, see if we care.” If you’ve ever spent any time as a systems administrator or helping out one, you’ll (briefly) know the power those individuals wield.

If you are a sysadmin, you’ll no doubt be heartily sick of that power. You’ve been handed huge amounts of power, and responsibility — and nobody else but you seems to care.

There’s a good reason why sysadmins and doctors share the same morbid, callous sense of humour — both groups find themselves dealing with more responsibility towards others than you can reasonably expect a sane human to take. (At least doctors can expect their customers to understand what they might be palming off to another person.  Sysadmins have to live with the equivalent in medical terms of somebody leaving a naked body on the doorstep at 9AM, with a Post-IT note attached to it saying “Had sex with twenty people last night and now I think the kidney isn’t working. Could you get this back to me with my IQ intact for my 10AM appointment?”)

Like doctors, sysadmins’ throwaway jokes usually hide a very serious attention to protecting the privacy and dignity of their users. What that means, among other things, is that they try very hard not to accidentally lose millions of social security numbers. But what are they doing with access to that data in the first place? Well, because we hand it to them. We fob off that power to them, with very little support, both legally, infrastructurally, and frankly, without much emotional support either.

When you have that amount of responsibility, it’s very hard to conceive of reducing your power. That’s not because of greed: it’s because you don’t want people to get hurt, or companies to go bust. Terry Childs, the San Francisco sysadmin who refused to hand over passwords to anyone but Gavin Newsom, even after being jailed, wasn’t holding back because he wanted to hurt someone. He was holding back because the only way he could take on the responsibility he’d elected to assume was by also asserting a fantastic amount of control. Great power, great responsibility can get very commutative at times.

One of the fun parts of my job has been going around to conferences like LISA and MySQLcon, and encouraging – okay, I admit it, begging – sysadmins to turn off logging. Pervasive logging is a civil liberties trainwreck waiting to happen. The list of data that the data retention directive requires ISPs to collect is derived, in part, from the data that ISPs would expect to collect anyway. Business practice now determines later what courts and intrusive governments imagine is “reasonable” to obtain. One of the most chilling conversations I’ve had recently is with Charles Miller, the Secretary to the Data Communications Group at the UK’s Home Office — basically the folk who determine the policy and ethics of interception and surveillance. He had been talking about the data that ISPs now collect as part of the data retention directive. I wanted him to confirm that this data, whose retention was ostensibly for the investigation of serious crime only, was also available to civil litigants. Of course, he said, a civil court order can reach anything that’s reasonable.

What’s reasonable? Think how much more others know about you — and expect to know about you, because Apache has generally shipped with logging turned on, instead of off. What governments will want tomorrow will be based on what your software’s defaults were yesterday.

These talks incidentally have a field effect of about 24 hours for most people, I estimate. You have some guy in an EFF t-shirt telling you about awful things that might happen in Uzbekistan if you even mount /var/log, and you go home and maybe have a few nightmares. Then, freaking PHP starts leaking memory and dragging down one of the servers again, and dammit, where are yesterday’s logs? Where is my information? Noo! My precioussss!

I’m sympathetic: I wish our law gave them more power to say no to their bosses (though it’s always worthwhile in some cases to point out that the FTC can kick asses if you violate your own privacy policy). But more and more, I wish that we had alternatives to handing that power out to others, willy-nilly, and got to keep more for ourselves. I think the standard unit that it’s healthy for anyone to be responsible for that much. The interests of a person keeping tabs on a million people’s data is different from a person keeping tabs on their own.

The other reason why it’s good to have alternative power bases is highlighted by this piece by Rachel Chalmers, where she points out that if we can fall back on our own devices, corporations will be rather more civil to us: and hopefully compete on privacy and responsiveness as much as other values:

Software vendors got away with some pretty coercive licenses for many years by making the assumption that users didn’t care all that much. Richard Stallman helped change all that. Not everyone cares about software licenses today, but many do, and any OS vendor that regards such concerns as external to their business is clearly wrong. Cloud providers who assume that their users won’t care how their data is handled are likely to find themselves equally mistaken. These issues have to be quantified somehow and included in the cost-benefit analysis.

We’ve seen flickers of this: a few search engine companies have overtly competed with Google on their privacy practices. But to bring the full pressure of the market to bear, the real power we need as consumers is the ability to take our ball and leave the market entirely, not just go next door to the second-worst provider.



petit disclaimer:
My employer has enough opinions of its own, without having to have mine too.