Last month, we wrote about Bruce Schneier's warning that certain unknown parties were carefully testing ways to take down the internet. They were doing carefully configured DDoS attacks, testing core internet infrastructure, focusing on key DNS servers. And, of course, we've also been talking about the rise of truly massive DDoS attacks, thanks to poorly secured Internet of Things (IoT) devices, and ancient, unpatched bugs.
That all came to a head this morning when large chunks of the internet went down for about two hours, thanks to a massive DDoS attack targeting managed DNS provider Dyn. Most of the down sites are back (I'm still having trouble reaching Twitter), but it was pretty widespread, and lots of big name sites all went down. Just check out this screenshot from Downdetector showing the outages on a bunch of sites:
You'll see not all of them have downtime (and the big ISPs, as always, show lots of complaints about downtimes), but a ton of those sites show a giant spike in downtime for a few hours.
So, once again, we'd like to point out that this is a problem that the internet community needs to start solving now. There's been a theoretical threat for a while, but it's no longer so theoretical. Yes, some people point out that this is a difficult thing to deal with. If you're pointing people to websites, even if we were to move to a more distributed system, there are almost always some kinds of chokepoints, and those with malicious intent will always, eventually, target those chokepoints. But there has to be a better way -- because if there isn't, this kind of thing is going to become a lot worse.
We talk about porn filters occasionally here at Techdirt. Usually those discussions revolve around how useless and easily circumvented those filters are, even as the more clueless in government insist that we need more of this non-filtering filtering. This is not one of those stories. Instead, it is the story of one of the most tone-deaf individuals with a penchant for excuse-making I've ever come across.
We start with Gizmodo, a website that used to be owned by Gawker Media until a rich guy decided to show America exactly what a rich guy with a lot of money could do and had Gawker shut down, presumably then diving into a pile of gold coins and rubbing hundred dollar bills on his nipples. Gizmodo recently filed an FOIA request to get at documents involving the misuse of computer equipment with the Department of Homeland Security. The site was hoping to see if there were any cases of overreach and abuse of technology by the department. Instead, it uncovered four cases of people watching porn, including one really special case involving a border patrol agent that simply would not stop looking at porn while on the job.
According to the report obtained by Gizmodo, this particular case, where names have been redacted to protect the privacy of the agent, involves thousands of attempts to access porn on government computers in 2015.
The government says the unnamed agent tried to access porn 644 times in just a two-day span in July of 2015. The DHS internet software filters denied him access 467 times during those two days. Some of the porn was accessed simply because it was hosted on sites that weren’t recognized as exclusively for porn, like Flickr and Tumblr.
644 instances of watching porn while at work is the kind of dedication one likes to see out of an employee actually doing his or her job. That kind of relentless drive to jacking it while on the clock, however, isn't generally smiled upon. An investigation was conducted, which included an interview with the man caught loving himself. The agent had an excuse, however, and it's glorious.
He said that he knew he shouldn’t have been accessing porn at work, but that part of the blame was really with the Customs and Border Protection (CBP) office for not having “adequate web filters.”
Just drink that in for a moment. A border agent, part of an organization that is essentially a filter for those traveling across our borders, has said that part of the blame for his constant porn-viewing rests with the fact that the internet filter used didn't do a good enough job blocking his attempts to look at pornographic material. One immediately wonders if this excuse might be ported to the analog world of illegal immigration. Should an illegal immigrant caught by INS be able to simply shrug and say the blame for his or her illegal entry is really on the CBP for not stopping them? One might even imagine a caught illegal immigrant suggesting that CBP agents clearly didn't mind their entry if they spent so much time watching porn rather than, you know, catching those attempting to illegally cross the border. After all, if the filter isn't catching them, let's just blame that, right?
Are porn filters easily circumvented? Yes. Is that to blame for a CBP agent trying to find porn at work at a rate of near Olympic proportions? Mmm, no.
California Gov. Jerry Brown on Saturday signed legislation that requires certain entertainment sites, such as IMDb, to remove – or not post in the first place – an actor’s age or birthday upon request.
The law, which becomes effective January 1, applies to database sites that allow paid subscribers to post resumes, headshots or other information for prospective employers. Only a paying subscriber can make a removal or non-publication request. Although the legislation may be most critical for actors, it applies to all entertainment job categories.
Quotes from actors' guild representatives and "industry leaders" present this as a positive change. Supposedly the removal of this information will result in fewer actors and actresses being passed over for roles because they're "too old." Ageism may be an industry-wide problem, but the correct solution would be to change Hollywood culture, not tap dance across the First Amendment.
“We are disappointed that AB 1687 was signed into law today,” said Internet Association spokesman Noah Theran. “We remain concerned with the bill and the precedent it will set of suppressing factual information on the internet.”
“Requiring the removal of factually accurate age information across websites suppresses free speech,” Beckerman wrote. “This is not a question of preventing salacious rumors; rather it is about the right to present basic facts that live in the public domain. Displaying such information isn’t a form of discrimination, and internet companies should not be punished for how people use public data.”
That's the problem with this law: it shoots the messenger rather than addresses the underlying problem. The government as a whole has passed many laws aimed at reducing discrimination, but in this case, the California assembly decided the onus should be on data aggregators that have absolutely nothing to do with the process of casting films.
It's unlikely this law will survive a Constitutional challenge, seeing as it prohibits the publication of facts. While any website can voluntarily choose to withhold this information, adding the government into the equation makes it a form of censorship.
The crafters of this law are claiming this speech suppression will benefit the little guy (and girl) the most:
[California Assemblyman Ian] Calderon said the law was more for actors and actresses not as well known as big stars.
“While age information for Hollywood’s biggest stars is readily available from other online sources, this bill is aimed at protecting lesser known actors and actresses competing for smaller roles,” Calderon said in the release. “These actors should not be excluded from auditioning simply based on their age.”
Calderon is correct. Actors should not be excluded simply because of their age. But that's a problem studios need to solve. And if they can't and legislators like himself still feel compelled to step in, the law should target discriminatory hiring practices, not IMDb and other sites like it.
How many living, breathing human beings really read Techdirt? The truth — the most basic, rarely-spoken truth — is that we have no earthly idea. With very few exceptions, no media property big or small, new or old, online or off, can truly tell you how big its audience is. They may have never thought about it that way — after all, we all get as close as we can to what we think is a reasonably accurate estimation, though we have no way of confirming that — but all these numbers are actually good for (maybe) is relative comparisons. What does it really mean when someone says "a million people" saw something? Or ten or a hundred million? I don't know, and neither do you. (Netflix might, but we'll get to that later.)
Where should we start? How about this: internet traffic is half-fake and everyone's known it for years, but there's no incentive to actually acknowledge it. The situation is technically improving: 2015 was hailed (quietly, among people who aren't in charge of selling advertising) as a banner year because humans took back the majority with a stunning 51.5% share of online traffic, so hurray for that I guess. All the analytics suites, the ad networks and the tracking pixels can try as they might to filter the rest out, and there's plenty of advice on the endless Sisyphean task of helping them do so, but considering at least half of all that bot traffic comes from bots that fall into the "malicious" or at least "unauthorized" category, and thus have every incentive to subvert the mostly-voluntary systems that are our first line of defence against bots... Well, good luck. We already know that Alexa rankings are garbage, but what does this say about even the internal numbers that sites use to sell ad space? Could they even be off by a factor of 10? I don't know, and neither do you. Hell, we don't even know how accurate the 51.5% figure is — it could be way off... in either direction.
Okay, so what about TV ratings? Well, there's a reason they've been made fun of on the shows themselves for as long as our culture has been able to handle "meta" jokes without getting a headache. Nielsen ratings in their classic form are built on monitoring such a tiny sample of households that the whole country's viewing profile can probably be swayed because someone forgot to turn off the TV before going on vacation. They sucked before DVRs and digital distribution began transforming the single household television into a quaint anachronism, and now it's just chaos. Nielsen was slow to catch up with DVRs, and now the TV industry juggles scattered measurements including three or seven days of viewing beyond live air, and constantly complains that the ratings are off — specifically, that they're too low. And they might be right, in the sense that they are too low by comparison to the garbage ratings from the pre-digital age that everyone eventually embraced as a standard for relative rankings. How big are these audiences really, in terms of real living breathing human beings? I don't know, and neither do you.
YouTube view counts? Subject to all the same fake internet traffic problems, plus the fact that there's an opaque system for supposedly ignoring too-short incomplete views according to the genre and nature of the video, but good luck finding out how accurate that is. Channel operators know their length-of-view statistics, but you don't see them bandying them about much. Plus, how often have you heard public view counts casually referred to as the number of "people" who watched something, even though (especially when it comes to short-and-cute viral animal hits and their ilk) the bulk of them probably come from obsessive re-watching? Yeah.
So what about Facebook stats? Everything from impressions to simultaneous live video viewers is padded out by the most transient of idly-scrolling-through-the-newsfeed interactions. Twitter followings and tweet stats? Dig into the bowels of any list of followers, or any trending link, and see how much of it is mindless bots. Print readerships? Don't even get me started. Did you know it's common practice for newspapers to calculate their readership by applying a multiplier to their actual circulation, to account for an imaginary surplus of "readers per copy"? Yes, that soggy "local" paper that's been sitting out in the rain on your porch for two days, and that only exists to give them an excuse to deliver flyers to your door, is not only being counted — it's probably being counted five times. So are all the free/cheap copies that big national papers give to hotels. Oh, and when these companies distribute multiple publications in different channels — with newspapers, magazines and paywalled websites all being given away with each other as free cross-subscriptions, in order to pad out all three subscriber numbers — they add them all up and then try to determine the actual number of individual people they are reaching. How? By applying an opaque "deduplication" formula. I once pressed a newspaper's stats person about what this formula could possibly entail, but details were not forthcoming — because I suspect they just knock off 20% and call it a day, despite the fact that the magazine is distributed inside the newspaper whose audience they are supposedly "deduplicating" it from, and half the website subscriptions were free add-ons with print delivery. That's awfully generous when the truth is they don't know, and neither do I, and neither do you.
So who does know how big of an audience they really have? Well, maybe Netflix, Amazon and other digital subscription services. Their paywalls insulate them from the bulk of random bot traffic, and their proprietary ecosystems give them the ability to closely monitor all activity. Netflix, of course, is famously secretive about viewer numbers and insists on the inaccuracy of those who claim to have worked them out. The most common assumption is that they do this to avoid giving content creators too much leverage, and because the data can be seen as a valuable commodity — but I propose another reason: Netflix's likely-more-accurate statistics, if made public, would have zero context in the topsy-turvy world of nonsense TV ratings. They would probably look exceptionally low, giving the legacy bosses who would like nothing more than to downplay the importance of digital distribution (and there are as many of those as there are record execs who can't spell mp3) a chance to project whatever narrative they wanted onto the numbers.
So why does any of this matter? Because advertising is a multibillion dollar industry, and whenever an industry is worth that much, you have to ask: is that because there are billions of dollars of worthwhile transactions happening, or because every bloodsucker in a ten-industry radius wanted in on the action? So, so much of the advertising industry is pure waste. How much exactly is as impossible to determine as the audience sizes themselves. This is hardly a new idea (in fact it's a century-old quote) but it's probably more true now than ever, despite the fact that in theory technology could have delivered us from uncertainty.
Finally, what can be done about this? There's no simple answer, and maybe no answer at all. Here at Techdirt, we've been working to come up with good advertising solutions by focusing almost entirely on what we know our community likes and might be interested in (as in, our real community of people who talk in our comments and we can say, with confidence, exist) and paying less attention to raw numbers — both a luxury and a necessity for a smaller publication, depending on how you look at it. That's not always easy though, as we face an advertising industry ruled by metrics, where there are often ten spreadsheet-wielding interns between us and someone who might actually care about our creativity. In our experiments with more traditional algorithmic display advertising to monetize the raw traffic numbers we do have, we keep running up against what appears to be a universal truth: the bulk of the global internet ad ecosystem runs on trash. Gigantic prestigious online media brands can sell display campaigns straight to the same people who buy Superbowl ads — everyone else receives a hundred pitches a week from new ad networks that claim to deliver great, relevant content but in fact litter your site with ads for fad diets and ambulance-chasers (at best). And this lowest-common-denominator filler appears to be the only reliably successful form of internet advertising! At least, it never goes away when the good stuff does, and the proud quality networks eventually embrace their roles as crap-peddlers. "Good" internet advertising is a rickety ship navigating an endless roiling ocean of spam, clickbait and outright fraud — but it couldn't float at all without it.
I realize I've painted a grim picture, but these are (more or less) the facts. I'm surely wrong in some of my guesses, but like everything discussed here, nobody knows how wrong or in which direction. We'll never even really know how many people read this — we'll just have a vague estimate that can be compared to other posts on Techdirt. But for now that's the reality, so maybe more people should stop worrying about the supposed size of their audience, and focus on making the content they want to make.
So, just a few hours ago, the reports were still spreading that the Senate would absolutely include Ted Cruz's preferred language that would block the (largely symbolic, but really important) transfer of control over the IANA functions of ICANN away from the Commerce Department. We've explained over and over and over again why this is important -- including once this morning in response to Donald Trump suddenly taking a stand (an incredibly ignorant one, but a stand) on the issue.
And then... poof. The Senate Appropriations Committee released its "short term continuing resolution" (CR for short) and it does not include any language on blocking the IANA transition. So... all the talk and (misleading) hype was apparently a bunch of grandstanding and hot air over nothing. It may have just been posturing and used to negotiate something else. Or, maybe (just maybe) people who actually understood what was happening with the IANA transition were actually able to explain to those in charge how stupid all this rhetoric was. That would certainly be a nice explanation for this -- though it seems tragically unlikely.
But, for the short term, this means a very dangerous thing for the internet, pushed for by Ted Cruz (and, as of yesterday, Donald Trump) has been avoided. It's possible that the House could try to somehow move to block the transition, but that seems unlikely. So, we may have actually won one here and narrowly avoided political grandstanding mucking up a piece of the internet. Phew.
Every so often, we see (probably) well-intentioned, but incredibly stupid, attempts to "fight" online harassment and bullying through laws that make saying things that are "offensive" against the law. In the US, such laws (if they actually get passed) are usually thrown out once someone makes a First Amendment challenge over them, but elsewhere in the world there's no First Amendment to fall back on. Over in Italy, some officials have proposed what may be one of the dumbest such laws in history, written so broadly that it will outlaw a lot more than the kind of "cyberbullying" it's supposedly intended to combat:
Under the proposed law, the "site manager" of Italian media, including bloggers, newspapers and social networks would be obliged to censor "mockery" based on "the personal and social condition" of the victim -- that is, anything the recipient felt was personally insulting. The penalty for failing to take action is a fine of €100,000. Truthfulness is not a defense in suits under this law -- the standard is personal insult, not falsehood.
Yes, mockery on the internet could get you a €100,000 fine. Mockery. The internet. The internet is made for mockery. And now is the time that everyone should be mocking this idiotic law -- and the politicians who proposed it without having the slightest idea of how such a thing would be abused all the time. As Cory Doctorow at BoingBoing notes:
... what it will do is create a tool for easy censorship without due process or penalty for misuse. The standard proposed in the bill is merely that the person on the receiving end of the argument feel aggrieved. Think of the abuse of copyright takedowns: online hosts already receive millions of these, more than they could possibly evaluate, and so we have a robo-takedown regime that lets the rich and powerful routinely remove material that puts them in an unflattering light.
As bad as that is, at least it makes censorship contingent on something specific and objective: copyright infringement, which has a wealth of caselaw defining its contours. Indeed, so much that you need to be a trained expert to adjudicate a claim of infringement. But at least you can objectively assess whether a copyright infringement has taken place.
The standard set by the proposed Italian law allows for purely subjective claims to be made, and for enormous penalties to be imposed on those who question them before undertaking sweeping acts of censorship.
There are some efforts under way to "improve" the law by making it not quite so draconian, but maybe, just maybe, the "improvement" should be to recognize that you're never going to successfully outlaw mockery on the internet.
Today is "International Talk like a Pirate Day." While it's a lot of fun to act like a pirate, drink rum and catch up on Errol Flynn movies, piracy is also a serious issue with real economic and legal significance. As electronic devices become an increasingly ubiquitous part of our lives, the content we consume has moved from analog to digital. This has made copying – as well as pirating – increasingly easy and prevalent.
Adding fuel to the flames of this rising "pirate generation" has been the content industry's recalcitrant and often combative attitude toward digital markets. Piracy, and the reactions to it, has had an immense impact on the daily lives of ordinary Americans, shaping their digital experience by determining how they can share, transfer and consume content.
As soon as electronic storage and communication technology was sufficiently developed, digital piracy became accessible. Whether it's a song, movie, video game or other piece of software, you could suddenly reproduce it without having to steal it off a shelf or obtain any specialized machinery to counterfeit it. Additionally, if you wanted to listen to an mp3 of the latest Britney Spears album on your computer, there weren't many lawful options. This led to a surge in online piracy and helped foster a culture of online file-sharing.
The music industry historically has a reputation for being hostile to, or at least slow to embrace, digital markets. Yet there were also some major artists who were early innovators in the space.
Before Spotify or iTunes, there was BowieNet. This music-focused internet service provider launched in July 1998 and gave users 5MB of space to create and share their own websites, content and chat. On BowieNet, according to Ars Technica: "[f]ans could get access to unreleased music, artwork, live chats, first-in-line tickets, backstage access, tickets to private, fan club-only concerts." David Bowie saw the potential to help his fan base access his content and discuss it in a social way in the early days of the internet, before Facebook or Myspace. He remarked at the time: "If I was 19 again, I'd bypass music and go right to the internet."
Bowie wasn't the only early music pioneer of the internet. Prince was also an early unsung hero. In the early 2000s, he created NPG Music Group, later Lotusflow3r. He even won a Webby Lifetime Achievement Award in 2006. Unlike BowieNet, NPG and later Lotusflow3r provided releases of full albums.
As musicians and users were experimenting with new ways to share content on the internet, the United States was working with other World Intellectual Property Organization (WIPO) member countries to create the most comprehensive "digital" update to the Copyright Act. In 1998, President Clinton signed into law the Digital Millennium Copyright Act, which implemented U.S. WIPO treaty obligations, as well as several other significant titles (including the Vessel Hull Design Protection Act – which pirates of the nautical variety might care about). Of particular importance were the sections providing for "safe harbor" (Sec. 512), which protected service providers from infringing content generated by their users, and "anti-circumvention" (Sec. 1201), which was meant to stop pirates from hacking digital rights management (DRM) and similar restriction technologies.
Indeed, it has not been smooth sailing. The DMCA has subsequently generated great controversy from civil society groups, internet companies and the content industry itself. As Cary Sherman, chairman and CEO of Recording Industry Association of America, stated back in 2015:
Unfortunately, while the system worked when isolated incidents of infringement occurred on largely static web pages—as was the case when the law was passed in 1998—it is largely useless in the current world where illegal links that are taken down reappear instantaneously. The result is a never-ending game that is both costly and increasingly pointless.
While lawmakers were hard at work trying to find ways to quell online piracy, the courts weren't taking a nap. Indeed, going back to the 1980s, there were important judicial fights that would set the stage for how content would be handled on our electronic devices.
The U.S. Supreme Court's 1984 Sony Corp. of America v Universal City Studios Inc. decision coined what is known as "time shifting," referring to a user's ability to record a live show using the Betamax to watch it later. The court's decision set the precedent that a manufacturer would not be held liable for any contributory negligence or potential infringement where they did not have actual knowledge of infringement and their devices were sold for a legitimate, non-infringing purpose. As Justice John Paul Stevens wrote in the majority opinion:
One may search the Copyright Act in vain for any sign that the elected representatives of the millions of people who watch television every day have made it unlawful to copy a program for later viewing at home, or have enacted a flat prohibition against the sale of machines that make such copying possible. It may well be that Congress will take a fresh look at this new technology, just as it so often has examined other innovations in the past. But it is not our job to apply laws that have not yet been written.
But not everyone was so enthusiastic. Jack Valenti, former president of the Motion Picture Association of America said in a congressional hearing two years prior [regarding VHS technology]:
We are going to bleed and bleed and hemorrhage, unless this Congress at least protects one industry that is able to retrieve a surplus balance of trade and whose total future depends on its protection from the savagery and the ravages of this machine.
The 9th U.S. Circuit Court of Appeals would take another approach in 2000's A&M Records v Napster. The court affirmed the district court's ruling that peer-to-peer services could be held liable for contributory infringement and vicarious liability. Even though their service merely facilitated the exchange of music as an intermediary, they were on the hook. Judge Marilyn Hall Patel wrote in the district court's ruling:
…virtually all Napster users engage in the unauthorized downloading or uploading of copyrighted music; as much as eighty-seven percent of the files available on Napster may be copyrighted, and more than seventy percent may be owned or administered by plaintiffs
Napster lodged several defenses, including fair use, but the most important (in light of the Sony decision) was the concept of "space-shifting," referring to the process of a user converting a compact disc recording to mp3 files, then using Napster to transfer the music to a different computer. Patel concluded Sony did not apply, because Napster retained control over their product, unlike Sony's Betamax, which was manufactured and sold, but not actively monitored.
The courts would continue ruling in a similar manner as other peer-to-peer services found themselves in the courtroom. At times, users would be targeted. And in the 2003 case of In re: Aimster, the pirates' bluntness about wanting to bring the music industry to its knees did not help the situation:
What you have with Aimster is a way to share, copy, listen to, and basically in a nutshell break the law using files from other people's computers…. I suggest you accept aimster for what it is, an unrestricted music file sharing database – (posted by zhardoum, May 18, 2001)
Naturally, with all of the music-sharing services being shut down, the pirates found a new way to connect, share files and shape the industry. Which brings us to BitTorrent and websites like The Pirate Bay and Swepiracy. Torrenting does not require a central server, does not require direct streaming from one peer to another and the host does not contain any full file contents. All of the content received is from other users.
Sweden brought Pirate Bay to trial for both civil and criminal penalties. Per E. Samuelson, the site's attorney, lodged the now-famous (and familiar, for U.S. copyright scholars) King Kong defense:
EU directive 2000/31/EC says that he who provides an information service is not responsible for the information that is being transferred. In order to be responsible, the service provider must initiate the transfer. But the admins of The Pirate Bay don't initiate transfers. It's the users that do and they are physically identifiable people.
The defense was unsuccessful. Which brings many questions to mind for future cases — how will courts begin to rule with such complex systems of file transfer as fragmented torrents? Targeting users is widely unpopular, especially in the United States, where statutory penalties range from $750 to $300,000 per willful infringing use and $200 to $150,000 for non-willful infringement.
Efforts around the world have continually been made to combat piracy. But maybe it's time we take a fresh look at the market. As the Copia Institute observed in a recent report, whenever there are new ways to share content legally, users ultimately respond by employing those technologies.
On this International Talk like a Pirate Day, let's take a moment to remember the pirates and how they have helped shape the internet era. While CD sales and digital downloads may be declining, new streaming services are on the rise (vinyl records are also doing remarkably well). The digital revolution has, indeed, changed how we consume and access our music. It has given us access to (nearly) everything, through services like Spotify and Apple Music, at a reasonable price and with unparalleled convenience.
From the consumer's perspective, you now carry hundreds of hours of music on your phone and listen to it whenever you want – no need for one of those bulky CD binders. The slot where the CD used to go in your car is now an auxiliary cable jack.
From an artist's perspective, these are new challenges that require adaptation. Particularly in the case of music licensing, our pre-existing laws are unnecessarily complex, cumbersome and antiquated. However, innovative technologies and services are not to blame. Instead, we should seek new and equally innovative ways for artists to be compensated through more direct and transparent payments (such as Ujo).
While our copyright laws are far from perfect, we still have substantial freedom to remix, repurpose and share creative content online in a social context. This is essential to online free expression, digital commerce and the proper functioning of the internet itself. As additional discussions in Congress and in the courts move forward, let's make sure we keep it that way.
There's been a lot of buzz over respected computer security expert Bruce Schneier recently talking about how someone, or some organization, or (most likely) some state actor, is running a series of tests that appear to be probing for ways to take down the entire internet. Basically, a bunch of critical infrastructure providers have noticed some interesting attacks on their systems that look like they're probing to determine defenses.
Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.
The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.
This article is getting a collective "oh, shit, that's bad" kind of reaction from many online -- and that's about right. But, shouldn't it also be something of a call to action to build a better system? In many ways, it's still incredible that the internet actually works. There are still elements that feel held together by duct tape and handshake agreements. And while it's been surprisingly resilient, that doesn't mean that it needs to remain that way.
Schneier notes that there's "nothing, really" that can be done about these tests -- and that's true in the short term. But it seems, to me, like it should be setting off alarm bells for people to rethink how the internet is built -- and to make things even more distributed and less subject to attacks on "critical infrastructure." People talk about how the internet was originally supposed to be designed to withstand a nuclear attack and keep working. But, the reality has always been that there are a few choke points. Seems like now would be a good time to start fixing things so that the choke points are no longer so critical.
The door to modernizing Cuba's communications networks opened slightly wider recently after the FCC removed the country from the agency's banned nation list. That allows fixed and wireless companies alike to begin doing business in Cuba as part of an overall attempt to ease tensions between the States and the island nation. And while Cuba has been justly concerned about opening the door to NSA bosom buddies like AT&T and Verizon, it's still apparently not quite ready to give up some of its own, decidedly ham-fisted attempts to crack down on free speech over telecom networks.
A recent investigative report by blogger Yoani Sanchez and journalist Reinaldo Escobar found that the nation has been banning certain words sent via text message with the help of state-owned telecom monopoly ETECSA. The report, confirmed in an additional investigation by Reuters, found that roughly 30 different keywords are being banned by Cuba's government, including "democracy," "human rights," and the names of several activists and human rights groups. Words containing such keywords simply aren't delivered, with no indication given to the sender of the delivery failure.
Initially, the researchers thought this was just incompetence on the part of ETECSA:
Eliecer Avila, head of opposition youth group Somos Mas, which participated in the investigation, said 30 key words that triggered the blocking had been identified but there could be more.
"We always thought texts were vanishing because the provider is so incompetent, then we decided to check using words that bothered the government," he said. "We discovered not just us but the entire country is being censored," he said. "It just shows how insecure and paranoid the government is."
You can understand some degree of paranoia when you've got the United States and Russia battling over who gets to bone graft surveillance technology into your fledgling communications networks, but the clumsy censorship also isn't too surprising for a nation that still bans advertising across the island.
That said, the real problem for most Cubans remains that broadband and wireless communications are a luxury commodity well out of reach of most residents. Only between 5 and 25% of Cubans even have access to the internet, and while many can access Wi-Fi via hotspots opened just last year, the cost of connection is roughly $2 an hour, or around a tenth of the average monthly Cuban salary. As such, Cubans are "fortunate" in that they can't yet even afford to be comprehensively spied on.
Just a few months ago, we wrote up a decently long post explaining why the upcoming "transition" of a piece of internet governance away from the US government was both a good thing and not a big deal. You can read those two posts on it, but the really short version is twofold: (1) the Commerce Department's "control" over ICANN's IANA (Internet Assigned Numbers Authority) was always pretty much non-existent in the first place; and (2) even having that little connection to the US government, though, only provided tremendous fodder for foreign governments (mainly: Russia & China) to push to take control of the internet themselves. That's what that whole disastrous UN/ITU/WCIT mess was a few years back. Relinquishing the (non-existent) control, with clear parameters that internet governance wouldn't then be allowed to jump into the ITU's lap, helps on basically every point. It takes away a key reason that other countries have used to claim they need more control, and it makes it clear that internet governance needs to remain out of any particular government's control.
As we noted, this is all a good thing.
But for unclear reasons, Senator Ted Cruz keeps insisting that this "transfer" is about the US giving control over the internet to the UN. He's ramped up this rhetoric lately as the transition gets closer:
"Today our country faces a threat to the internet as we know it. In 22 short days, if Congress fails to act, the Obama administration intends to give away the internet to an international body akin to the United Nations," Cruz said in a speech on the Senate floor Thursday. "I rise today to discuss the significant, irreparable damage this proposed internet giveaway could wreak not only on our nation but on free speech across the world."
Except that's hogwash. The plan does exactly the opposite. We've made this point over and over again, and thankfully others are doing so as well. Fusion has a long and detailed article that highlights that Cruz's claims are a fantasy and have no basis in reality. It goes through the whole history of IANA (if you don't know the story of Jon Postel and Joyce Reynolds, and how the two of them basically kept the internet running in their spare time for a few decades, you should...), but then points out that Cruz is just wrong:
To be clear: ICANN has about as much control over the internet as Ted Cruz has a grasp on how DNS actually works–which is to say, very little. But the perpetuation of the fiction that ICANN controls the internet is representative of the completely understandable human impulse to try and assign control of the internet to someone or something, particularly in a time where the systems that shape most users’ experience of the internet are increasingly opaque and unaccountable to users.
Saying any one group controls the internet is as absurd as saying who “controls” capitalism or globalization itself. But everyone has their version of control. Silicon Valley billionaires may insist we surrender to the invisible hand of the network, which simply chooses disruption and convenience over accountability and ethics. For the federal government, it’s far easier to accuse the private sector of being in control and thwarting national security than admit that mass surveillance is an expensive and incompetent tactic. For critics (or those who’d prefer that control be in their hands), it would be far simpler to point at a single oligarch or Bohemian Club or ICANN that needs to be overthrown; it might redeem what today at times seems like a fractal trainwreck of an internet, and somehow bring us back to John Perry Barlow’s never-realized promise of an independent cyberspace.
And it also points out that the biggest "threat" to how internet governance is handled is if Cruz actually succeeds in blocking the transition:
Mostly, when I asked people at ICANN about worst-case scenarios with the transition, they pointed to Ted Cruz’s efforts. The transition not going through–either through a blocking action from this current Congress through some legislative action or Congress just delaying until the next president comes into office–would not only undermine the work that a lot of people have already put into the transition plan, it also would create even further mistrust and frustration among countries like Brazil that continue to be frustrated by US control. Maybe that would be enough to justify a fragmentation of the root zone. Or it could just make it harder for the multistakeholder model to function by undermining trust in the community as a whole, making consensus harder to achieve. Which is kind of to say it could start to look a lot more like the US Congress.
In other words, as we've explained before, Ted Cruz's concerns over the internet here are completely backwards. Up is down, black is white, night is day kind of stuff. Keeping the IANA connection to the US government is the kind of thing that opens up the possibility for Russia/China to exert more control over internet governance by routing around ICANN and its flawed, but better than the alternative, "multistakeholder" setup. Moving ICANN away from the US government, with strict rules in place that basically keep it operating as is, takes away one of the key arguments that foreign countries have been using to try to seize control over key governance aspects of the internet.
If Cruz fears foreign governments taking control of internet governance, he should do the exact opposite of what he's doing now. Let the Commerce Dept. sever the almost entirely imaginary leash it has on ICANN. Otherwise, other countries' frustration with the US's role is a much bigger actual threat to how the internet is managed.