Two Important Speeches: The Threats To The Future Of The Internet... And How To Protect An Open Internet

from the pay-attention dept

Last week, I came across two separate speeches that were given recently about the future of the internet -- both with very different takes and points, but both that really struck a chord with me. And the two seem to fit together nicely, so I'm combining both of them into one post. The first speech is Jennifer Granick's recent keynote at the Black Hat conference in Las Vegas. You can see the video here or read a modified version of the speech entitled, "The End of the Internet Dream." It goes through a lot of important history -- some of which is already probably familiar to many of you. But, it's also important to remember how we got to where we are today in order to understand the risks and threats to the future of the internet. The key point that Granick makes is that for too long, we've been prioritizing a less open internet, in favor of a more centralized internet. And that's a real risk:

For better or for worse, we’ve prioritized things like security, online civility, user interface, and intellectual property interests above freedom and openness. The Internet is less open and more centralized. It’s more regulated. And increasingly it’s less global, and more divided. These trends: centralization, regulation, and globalization are accelerating. And they will define the future of our communications network, unless something dramatic changes.

Twenty years from now,

• You won’t necessarily know anything about the decisions that affect your rights, like whether you get a loan, a job, or if a car runs over you. Things will get decided by data-crunching computer algorithms and no human will really be able to understand why.
• The Internet will become a lot more like TV and a lot less like the global conversation we envisioned 20 years ago.
• Rather than being overturned, existing power structures will be reinforced and replicated, and this will be particularly true for security.
• Internet technology design increasingly facilitates rather than defeats censorship and control.

Later in the speech, she digs deeper into those key trends of centralization, regulation and globalization:

• Centralization means a cheap and easy point for control and surveillance.
• Regulation means exercise of government power in favor of domestic, national interests and private entities with economic influence over lawmakers.
• Globalization means more governments are getting into the Internet regulation mix. They want to both protect and to regulate their citizens. And remember, the next billion Internet users are going to come from countries without a First Amendment, without a Bill of Rights, maybe even without due process or the rule of law. So these limitations won’t necessarily be informed by what we in the U.S. consider basic civil liberties.

This centralization is often done in the name of convenience -- because centralized systems currently offer up plenty of cool things:

Remember blogs? Who here still keeps a blog regularly? I had a blog, but now I post updates on Facebook. A lot of people here at Black Hat host their own email servers, but almost everyone else I know uses gmail. We like the spam filtering and the malware detection. When I had an iPhone, I didn’t jailbreak it. I trusted the security of the vetted apps in the Apple store. When I download apps, I click yes on the permissions. I love it when my phone knows I’m at the store and reminds me to buy milk.

This is happening in no small part because we want lots of cool products “in the cloud.” But the cloud isn’t an amorphous collection of billions of water droplets. The cloud is actually a finite and knowable number of large companies with access to or control over large pieces of the Internet. It’s Level 3 for fiber optic cables, Amazon for servers, Akamai for CDN, Facebook for their ad network, Google for Android and the search engine. It’s more of an oligopoly than a cloud. And, intentionally or otherwise, these products are now choke points for control, surveillance and regulation.

So as things keep going in this direction, what does it mean for privacy, security and freedom of expression? What will be left of the Dream of Internet Freedom?

She goes on to note how this centralization comes with a very real cost: mainly in that it's now one-stop shopping for government surveillance.

Globalization gives the U.S. a way to spy on Americans…by spying on foreigners we talk to. Our government uses the fact that the network is global against us. The NSA conducts massive spying overseas, and Americans’ data gets caught in the net. And, by insisting that foreigners have no Fourth Amendment privacy rights, it’s easy to reach the conclusion that you don’t have such rights either, as least when you’re talking to or even about foreigners.

Surveillance couldn’t get much worse, but in the next 20 years, it actually will. Now we have networked devices, the so-called Internet of Things, that will keep track of our home heating, and how much food we take out of our refrigerator, and our exercise, sleep, heartbeat, and more. These things are taking our off-line physical lives and making them digital and networked, in other words, surveillable.

At the end of her speech, Granick talks about the need to "build in decentralization where possible," to increase strong end-to-end encryption, to push back on government attempts to censor and spy.

And that's where the second speech comes in. It's by the Internet Archive's Brewster Kahle. And while he actually gave versions (one longer one and one shorter one) earlier this year, he just recently wrote a blog post about why we need to "lock the internet open" by building a much more distributed web -- which would counteract many of Granick's quite accurate fears about our growing reliance on centralized systems.

Kahle also notes how wonderful new services are online and how much fun the web is -- but worries about the survivability of a centralized system and the privacy implications. He notes how the original vision of the internet was about it being a truly distributed system, and it's the web (which is a subsegment of the internet for those of you who think they're the same), seems to be moving away from that vision.

Contrast the current Web to the Internet—the network of pipes on top of which the World Wide Web sits. The Internet was designed so that if any one piece goes out, it will still function. If some of the routers that sort and transmit packets are knocked out, then the system is designed to automatically reroute the packets through the working parts of the system. While it is possible to knock out so much that you create a chokepoint in the Internet fabric, for most circumstances it is designed to survive hardware faults and slowdowns. Therefore, the Internet can be described as a “distributed system” because it routes around problems and automatically rebalances loads.

The Web is not distributed in this way. While different websites are located all over the world, in most cases, any particular website has only one physical location. Therefore, if the hardware in that particular location is down then no one can see that website. In this way, the Web is centralized: if someone controls the hardware of a website or the communication line to a website, then they control all the uses of that website.

In this way, the Internet is a truly distributed system, while the Web is not.

And, thus, he wants to build a more distributed web, built on peer-to-peer technology that has better privacy, distributed authentication systems (without centralized usernames and passwords), a built-in versioning/memory system and easy payment mechanisms. As he notes, many of the pieces for this are already in existence, including tools like BitTorrent and the blockchain/Bitcoin. There's a lot more in there as well, and you should read the whole thing.

Our new Web would be reliable because it would be hosted in many places, and multiple versions. Also, people could even make money, so there could be extra incentive to publish in the Distributed Web.

It would be more private because it would be more difficult to monitor who is reading a particular website. Using cryptography for the identity system makes it less related to personal identity, so there is an ability to walk away without being personally targeted.

And it could be as fun as it is malleable and extendable. With no central entities to regulate the evolution of the Distributed Web, the possibilities are much broader.

Fortunately, the needed technologies are now available in JavaScript, Bitcoin, IPFS/Bittorrent, Namecoin, and others. We do not need to wait for Apple, Microsoft or Google to allow us to build this.

What we need to do now is bring together technologists, visionaries, and philanthropists to build such a system that has no central points of control. Building this as a truly open project could in itself be done in a distributed way, allowing many people and many projects to participate toward a shared goal of a Distributed Web.

Of course, Kahle is hardly the first to suggest this. Nearly five years ago we were writing about some attempts at a more distributed web, and how we were starting to see elements of it showing up in places the old guard wouldn't realize. Post-Snowden, the idea of a more distributed web got a big boost, with a bunch of other people jumping in as well.

It's not there yet (by any stretch of the imagination), but a lot of people have been working on different pieces of it, and some of them are going to start to catch on. It may take some time, but the power of a more decentralized system is only going to become more and more apparent over time.

Filed Under: black hat, brewster kahle, centralized, decentralized, distributed internet, jennifer granick, open internet

Inside Craigslist's Increasingly Complicated Battle Against Spammers

from the spam-fight dept

John Nagle writes in with a fascinating dissection of the ongoing battle between Craigslist and spammers. The back and forth nature of this battle is fascinating -- and somewhat disturbing when you realize the lengths to which spammers will go to get spam onto Craigslist, and the extent to which an entire ecosystem of scammers and software providers seems to have been built up around this effort:

"Spam on Craigslist has been a minor nuisance for years. Not any more. This year, the spammers started winning and are taking over Craigslist. Here's how they did it. Craigslist tries to stop spamming by checking for duplicate submissions. They check for excessive posts from a single IP address. They require users to register with a valid E-mail address. They added a CAPTCHA to stop automated posting tools. And users can flag postings they recognize as spam.

Several commercial products are now available to overcome those little obstacles to bulk posting. A tool called CL Auto Posting Tool is one such product. It not only posts to Craigslist automatically, it has built-in strategies to overcome each Craigslist anti-spam mechanism.

Random text is added to each spam message to fool Craigslist's duplicate message detector. IP proxy sites are used to post from a wide range of IP addresses. E-mail addresses for reply are Gmail accounts conveniently created by Jiffy Gmail Creator ("Who Else Wants to Create Unlimited Gmail Accounts in Seconds Flat Without Breaking a Sweat?") An OCR system reads the obscured text in the CAPTCHA. Automatic monitoring detects when a posting has been flagged as spam and reposts it.

CL Auto Poster isn't the only such tool. Other desktop software products are AdBomber and Ad Master. For spammers preferring a service-oriented approach, there's ItsYourPost.

With these power tools, the defenses of Craigslist have been overrun. Some categories on Craigslist have become over 90% spam. The personals sections were the first to go, then the services categories, and more recently, the job postings.

Craigslist is fighting back. Its latest gimmick is phone verification. Posting in some categories now requires a callback phone call, with a password sent to the user either by voice or as an SMS message. Only one account is allowed per phone number. Spammers reacted by using VoIP numbers. Craigslist blocked those. Spammers tried using number-portability services like Grand Central and Tossable Digits. Craigslist blocked those. Spammers tried using their own free ringtone sites to get many users to accept the Craigslist verification call, then type in the password from the voice message. Craigslist hasn't countered that trick yet.

Much of the back and forth battle can be followed in various forums.

It's not clear yet who will win. Craigslist may find something that works. If it doesn't, however, it could be toast for the success story of Craigslist."

Filed Under: battles, black hat, marketing, spam
Companies: craigslist