
IT for Oppression - jcr
http://www.schneier.com/essay-420.html
======
smutticus
I would like to tell a story about a small part I played in this game once.

I was working for a network equipment manufacturer, let's call them Acme
Routers, and I was visiting a medium sized residential ISP in an EU country.
The reason I was visiting this ISP was because they wanted us to develop a
feature for them to "trap-and-trace" their residential internet subscribers.
In the industry we call this "lawful interception" and it's how the government
snoops on people. Acme Routers didn't want to develop this feature and we were
making a display of showing how difficult it would be for us and how much it
would cost us. We wanted guarantees that they would purchase more from us if
we developed this feature.

It was only during the actual meeting that I realized the ISP didn't want this
feature either. No one wanted to deal with this feature. The ISP didn't want
the hassle and added expense and Acme wanted to spend time on features that
would make us more competitive. But the ISP needed this feature in order to be
compliant with their laws. They would face penalties if they could not give
law enforcement access to their subscribers.

If Acme decided not to make this feature the ISP would just pick another
vendor. So we developed the feature for them.

The moral of the story is that technical people don't always get to decide the
direction of technology. It's policy makers and their penalties that sometimes
force technical folks into developing things they would rather not. There is
no getting around the law as an operator if you wish to remain an operator for
long.

"The world is run by men who use laws for tools." -- Talib Kweli

So we have to change the law, because that's the only way we can remove the
tools of evil men. As technologists we want to think there is a technical
solution to this dilemma, but there isn't. The only way to prevent technology
from being used as a tool of oppression is to change the law so it cannot be
used in such a way. And if we cannot change the law then we must change those
wielding it, through peaceful means if possible and violent means if
necessary.

Education plays a primary role here. As a technologist other people look to
you for interpretations of our modern world and technology. Lead them by
example and explain your actions along the way. Educate those around you about
issues relating to technology and ethics. We take for granted just how many
people there are who don't know anything about these issues. They might care
about it but they are truly ignorant of the issues. Fix that. Let's make the
term technologist synonymous with a person who understands ethics and
technology.

~~~
snowwrestler
I wish I could upvote you more than once. That laws (not technology) are the
enduring limits of culture is an insight that a lot of very smart engineers
seem to miss.

There are a lot of people active on the Internet who think that if they just
invent the right crypto archive, the right chat system, the right social
network, the right mobile app, they will free us all from oppression. But
there is no getting around the power of the law.

~~~
mindslight
On the other hand, laws only exist if they're not rejected by the majority.
People today are so hopelessly disempowered that they just consent to whatever
the propaganda tells them is necessary for "safety". If their only exposure to
computer security is prime time TV, they'll likely believe in a centralized
narrative where everything is rightfully tracked by super-serious
organizations. If they instead have easy to use software that grants them free
communications, they'll be able to see how privacy specifically benefits them
and will hopefully begin to separate their perspective from that of their
rulers.

------
jcr
The most interesting part that Schneier gets right is the relationships
between the technologies used for censorship, propaganda, surveillance, and
control. For example, if you want to use privacy to thwart surveillance and
censorship, then you unfortunately make propaganda much easier, and in the
sense that propaganda is effective, you also make control much easier.

Though Schneier is great for stating the issues and relationships, he tends to
avoid proposing any solutions, and also avoids citing any existing attempts
towards solutions.

~~~
mikecane
>>>Though Schneier is great for stating the issues and relationships, he tends
to avoid proposing any solutions, and also avoids citing any existing attempts
towards solutions.

That's like criticizing someone who has discovered a disease because he hasn't
also simultaneously created a cure.

~~~
jcr
If you look at my HN submissions over the last half decade, you'll see I'm a
huge fan of Bruce Schneier, I tend to follow his work closely. My criticism is
quite mild and fair; he really does ask great questions and does a fantastic
job of illuminating difficult problems, but he does so without proposing his
own solutions or citing the proposed solutions of others.

I believe part of the reason for his approach is for the sake of maintaining a
strong defensive posture. For example, as the person who coined the phrase
"Security Theater" in regards to the DHS airport screening, he did a great job
of illuminating the problems. On the other hand, if he had proposed a
solution, then he would have left himself open to criticism from political
pundits. If he had stood up and said, "Abolish the DHS," then many would
portray him as a kook and many would have written off his views.

What he does is clever, but I'm uncertain how effective it is. Citing the
research/proposals of others, without endorsement, would allow people to also
see potential/proposed solutions, as well as see the problems.

~~~
mikecane
>>>If you look at my HN submissions over the last half decade

Who does that? Does anyone? Don't take an objection personally. It's all about
the ideas here.

~~~
lifeisstillgood
I think the parent was trying to say "I have been a supporter of Schneier and
I have a track record (should anyone care to look) to demonstrate that"

I doubt he is expecting you to review his comments pages. Probably full of
typos anyway :-)

------
hp50g
This is an interesting dilemma. I'd rather have no technology than live under
oppression powered by it.

~~~
wladimir
I understand your feeling, I know it very well. But that isn't a choice. There
is no way to "stop technology". Humanity has always been about technology,
from the moment we started picking up sticks.

All we can really do is make sure that technology, and knowledge about it, is
more evenly distributed, so that central control is more difficult: make sure
it isn't seen as kind of magic to people that they deem is impossible to
understand and out of reach to them. Technology is simply a set of tools and
should be regarded as such.

Centralized technologies with easily controlled, single points of failure are
by far the most dangerous, and the most attractive for oppression. This is why
DRM, for example, is really bad. It lives by obfuscation and being hard and/or
undesirable to understand.

~~~
ohwp
I don't agree with you. The problem with IT technology is that it's connected.
It is (evenly) distributed, but connected. This gives people who want bad a
much wider perspective.

Centralized technologies are not dangerous because they can be easily broken
by revolutions. That's why DRM does not work. It's being hacked all the time.

And of course you always have a choice. You can put down the stick, or
disconnect. But the choice is becoming harder as we rely (too) much on
technology.

~~~
jiggy2011
The reason DRM gets broken all the time is because it's _decentralised_ and it
attempts to act like it is centralised.

There is a DRM system with a very high success rate, it's called SaaS.

~~~
hp50g
It's not that high a success rate. We have escrow agreements and all sorts in
place because people don't trust our SaaS.

~~~
jiggy2011
Difficult to comment without knowing the specifics but I assume there is some
transfer of data/code under specific conditions? As in your customers can't
just say "gimmie your code, we want to fork it".

That's a little bit different and in most cases for consumer SaaS
(facebook,gmail etc) there is no way to get at the software itself. All the
consumer gets is a thin client layer.

------
TomJoad
This is exactly why I don't take government work that comes with a clearance,
despite it being the most plentiful and profitable work in my area (D.C.).
Some people's work gets put to malicious purposes despite their best
intentions, but someone has to develop that maliciousness. I personally sleep
better at night knowing I am not developing that maliciousness.

------
minikites
Ted Kaczynski made a similar point:

<http://www.washingtonpost.com/wp-srv/national/longterm/unabomber/manifesto.text.htm>

(context starts at section 171)

>In that case the average man may have control over certain private machines
of his own, such as his car or his personal computer, but control over large
systems of machines will be in the hands of a tiny elite—just as it is today,
but with two differences. Due to improved techniques the elite will have
greater control over the masses; and because human work will no longer be
necessary the masses will be superfluous, a useless burden on the system. If
the elite is ruthless they may simply decide to exterminate the mass of
humanity. If they are humane they may use propaganda or other psychological or
biological techniques to reduce the birth rate until the mass of humanity
becomes extinct, leaving the world to the elite. Or, if the elite consists of
soft-hearted liberals, they may decide to play the role of good shepherds to
the rest of the human race. They will see to it that everyone’s physical needs
are satisfied, that all children are raised under psychologically hygienic
conditions, that everyone has a wholesome hobby to keep him busy, and that
anyone who may become dissatisfied undergoes “treatment” to cure his
“problem.” Of course, life will be so purposeless that people will have to be
biologically or psychologically engineered either to remove their need for the
power process or to make them “sublimate” their drive for power into some
harmless hobby. These engineered human beings may be happy in such a society,
but they most certainly will not be free. They will have been reduced to the
status of domestic animals.

>127\. A technological advance that appears not to threaten freedom often
turns out to threaten it very seriously later on. For example, consider
motorized transport. A walking man formerly could go where he pleased, go at
his own pace without observing any traffic regulations, and was independent of
technological support-systems. When motor vehicles were introduced they
appeared to increase man’s freedom. They took no freedom away from the walking
man, no one had to have an automobile if he didn’t want one, and anyone who
did choose to buy an automobile could travel much faster and farther than a
walking man. But the introduction of motorized transport soon changed society
in such a way as to restrict greatly man’s freedom of locomotion. When
automobiles became numerous, it became necessary to regulate their use
extensively. In a car, especially in densely populated areas, one cannot just
go where one likes at one’s own pace one’s movement is governed by the flow of
traffic and by various traffic laws. One is tied down by various obligations:
license requirements, driver test, renewing registration, insurance,
maintenance required for safety, monthly payments on purchase price. Moreover,
the use of motorized transport is no longer optional. Since the introduction
of motorized transport the arrangement of our cities has changed in such a way
that the majority of people no longer live within walking distance of their
place of employment, shopping areas and recreational opportunities, so that
they HAVE TO depend on the automobile for transportation. Or else they must
use public transportation, in which case they have even less control over
their own movement than when driving a car. Even the walker’s freedom is now
greatly restricted. In the city he continually has to stop to wait for traffic
lights that are designed mainly to serve auto traffic. In the country, motor
traffic makes it dangerous and unpleasant to walk along the highway. (Note
this important point that we have just illustrated with the case of motorized
transport: When a new item of technology is introduced as an option that an
individual can accept or not as he chooses, it does not necessarily REMAIN
optional. In many cases the new technology changes society in such a way that
people eventually find themselves FORCED to use it.)

~~~
wladimir
He was spot-on with some of the issues (too bad he acted so tragically...).
Writer Derrick Jensen makes this point as well. The problem is that none of
these anti-technologists really come up with a solution, except maybe to live
in a hut in the forest and avoid all technology after 1800. That's not really
a sustainable thing that all people on the world could (or would) start doing.

~~~
gabex
Actually, Derrick Jensen has proposed a very specific solution. The book "Deep
Green Resistance" explains it. Some of it's online:
<http://www.deepgreenresistance.org/dew/>

------
snowwrestler
Oppression is a cultural and legal problem, and can only be addressed with
cultural and legal solutions. You have to define your preferred reality and
then convince other people to agree with you. You have to become politically
active to achieve political solutions.

Granted: this is hard for engineers to wrap their heads around. In the
engineering mindset, math and physics can be trusted; people and institutions
cannot. But math and physics don't have police powers--people and institutions
do. The rules that govern our actions matter more than what we know and can
prove mathematically.

It doesn't matter how well-built a bridge is, if men with guns can keep you
from crossing it.

The Genetic Information Nondiscrimination Act is an example of how it's
possible to set limits on the cultural and legal implications of powerful new
technologies.

Internet activists looking for a model should look a lot more carefully at the
SOPA campaign, than at the latest crypto chat tool or peer to peer software.
Internet activists and companies beat that law through better propaganda, not
better technology.

------
lifeisstillgood
This is not a technology issue - we should not expect everyone to become uber
hackers in order to live free (silicon-chip rats?)

This is about living under a constitution guaranteed by law. Syria and China
are oppressed because people obey orders. Regimes have only ever changed
because people stop obeying orders or get invaded.

China knows if it uses totalitarian digital tools to oppress its citizens,
they will simply avoid the digital world. And China's growth will crumble and
then there really will be a revolution.

Yes privacy is dead, yes we need to create new laws that give a level playing
field in surveillance, but when we solve that problem, it will not solve the
problem that Facebook knows you are gay, so some people will sell you tickets
to G.A.Y. And some will put a pink triangle on your shirt.

I do not believe that we should put vast resources into evading tracking so
that people living under these regimes can do the digital equivalent of living
like Anne Frank.

The problem is not better hiding places - the problem is having to hide in the
first place

~~~
lsc
>The problem is not better hiding places - the problem is having to hide in
the first place.

You are missing the point of privacy.

the whole point of privacy is that society is sometimes wrong. And if you
can't tell I'm doing it without peeking in my bedroom window? (which is to
say, if you can't tell I'm doing something without violating my privacy) well,
that makes a reasonable heuristic for "maybe you shouldn't enforce rules about
it"

~~~
lmm
The amount of things we can infer from publicly available information - where
you were seen on the public streets, what you've worn when visiting certain
groups - is growing immensely. For many, many things we only ever had "privacy
through obscurity"; this is going away now and will not be coming back, and
trying to make our lives private again is like trying to make bits uncopyable
or water not wet. We should be figuring out how to adapt rather than trying to
go back to how we were.

~~~
lifeisstillgood
Thank you - exactly right.

There is no defence, just new forms of trust. To my mind the biggest single
defence is for everyone who snoops on me, I should know they are snooping -
the act of collecting data should itself become public knowledge.

Maybe it's not a great defence - but I would welcome any discussion on the
topic, because it seems not to be discussed much.

~~~
lmm
What exactly would you require of whom? Everyone who takes a photo, scrapes a
website? To what, register their activities in some centralized database?
There are lots of approaches that sound like easy solutions until you start
thinking about the details of how they would work.

~~~
lifeisstillgood
Well, where better to debate some of the details:-)

I would simply suggest that any company that performs a "data match" - between
data held internally and an "internal or external identifier" that can be
directly linked to an individual person

must publish that they hold data, on that person, on their site
(example.com/datamatch) and have matched that data. And make that data
available to that person or duly authorised agents.

Essentially, if you hold personal data, you have to give a copy of that to the
person. And it is recursive. No one can collect data on me without my knowing
it, because a cottage industry will spring up of people telling me just how
much is out there.

It will put a significant cost on personal data processing, and force everyone
to evaluate the cost - I think the loss of privacy is simply an example of an
externality. Adjust the price to its true cost.

~~~
lsc
>Essentially, if you hold personal data, you have to give a copy of that to
the person.

I actually think that's a really good idea, and customers ought to demand that
be added to privacy policies.

Really, I think it's a reasonable law; some sort of "corporate freedom of
information act" - If I ask you what data you have on me, you are legally
required to respond and to tell me what data you have on me.

Now, uh, for me? it would impose some costs (I mean, that's why my privacy
policy doesn't include that clause. It'd be work to setup that portal, and
liability, too... I mean, what if I miss some personal data? And besides, not
one customer has asked for such a portal. Doing work that you /think/
customers want, without any actual customers demanding it? well, let's just
say that it only happens after I get all the work that I /know/ I need to do
done.) but, I think those costs are reasonable, and maybe even good (for
society) 'cause it would cause me (or any service provider) to think long and
hard about just how much data they were collecting, and it would add some cost
to keeping old data around.

Now, those costs would be different, I believe, for advertising-based
businesses, as they may claim to 'anonymize' their data... but we've seen over
and over again that anonymized data really is not anonymized at all. But yeah,
working that part out would be the hard part of writing the law. If the data
is easily connected to a real identity, then yeah, you'd want that real
identity to be able to get the data... but how do you tell the difference
between stuff that really is fairly anonymous, and stuff that isn't? you need
someone smarter than me to write that test.

But still... if customers immediately started demanding that the privacy
policies of service providers included a 'privacy portal' where they could log
in and view all the data that the provider has about them? that is really
pretty doable. It's work, sure, and it's not going to happen without customer
demand, but it's not an impossible amount of work.

------
denzil_correa
Like most other things designed for humans, technology is a double edged
sword. I wonder if there would be a "technology disarmament" treaty someday on
the lines of "nuclear disarmament". I guess before that happens there would be
a technological disaster viz. the Hiroshima/Nagasaki equivalent of IT.

------
zalew
From a few recent posts around here I guess he's not very liked in the tech
bubble circles, but in case anyone is interested in reading a tiny bit more
about this topic, I recommend Morozov's book
<http://www.amazon.com/The-Net-Delusion-Internet-Freedom/dp/1610391063>

------
doctornemo
Interesting to see Schneier make this point. Assange et al argue similarly in
_Cypherpunks_.

------
youngerdryas
>Surveillance is necessary for personalized marketing

Say that to yourself a few times. It's newspeak. Personalized marketing is
creepy in the same way a robot that looks human is creepy. The more accurate
it is the creepier it becomes.

~~~
willismichael
That's a fascinating variant of the Uncanny Valley principle that I hadn't
considered before (<https://en.wikipedia.org/wiki/Uncanny_valley>)

------
LatvjuAvs
Telly says so, must be true. Also, illusion. Illusion of fear, truth and lies.
And sadly loss of self thinking.

Works very well together.

------
Vlaix
I personally support the use of IT as a means of oppression by various
regimes. Not so much because of some peculiar esteem I'd have for said
regimes, but because I'm kind of fed up by squinty libertarians and source-
code rioters telling us what software and IT are and what they should be used
for. Not even talking about the validity of armchair journalists' opinions
about world politics. IT is a bunch of tools, and tools don't have a nature or
an intrinsic value but functions. Now a tool that is used to control
information _will_ be used to slow its spreading if needed, even though its
creator had another idea in mind. Damn, using a network to forbid information
when it was intended to spread it is even a form of hacking if you think about
it.

Now regarding the IT industry : the liberalism that allows startups to pop-up
all the time at a tremendous rate also allows a company to sell products to
clients that would be deemed shady in said company's nation. When you get by a
system, you either accept its flows as well or play this hyper-hypocritical
game of being outraged when things don't go your way.

~~~
EliRivers
"I personally support the use of IT as a means of oppression ... because I'm
kind of fed up by squinty libertarians and source-code rioters telling us what
software and IT are and what they should be used for"

Fortunately for the rest of us, children aren't allowed to vote, so maybe by
the time you've grown up you'll have grown out of your tantrum and you won't
approve of screwing everybody over because you're annoyed at a handful of
people.

~~~
Vlaix
I've been able to vote for quite a long time, and never did so out of
principle (in a country where 80%+ of the population votes, very much unlike
the US).

I actually think the need of surveillance for a number of nations (in
particular Syria, which has been the target of widespread disinformation,
slander and lies lately) is perfectly legitimate and I deem this opinion
perfectly reasonable considered my general worldview. I put away childish
things a long time ago.

Where being screwed over is concerned, I'm fairly familiar with it and as
nothing always goes the way I pray it won't, I feel entitled to a bit of
vaguely legitimate retribution. It's widely unpopular, especially on a site
such as HN where the average Joe has the mind-openness of a witch's tit
(whatever the whole hacker/geek ethos might suggest), but I gave away
popularity when I started socializing with anything else than cats.

~~~
EliRivers
That's nice for you, although off-topic. My problem isn't with your opinions
on the need for a nation to carry out legitimate surveillance.

The problem is that you approve of oppressing people via IT because you don't
like hearing some people's opinion on what IT should be used for. Oppression
is not legitimate surveillance, and oppressing people because you're having a
tantrum is childish.

"I feel entitled to a bit of vaguely legitimate retribution."

In favour of oppressing people via IT because you don't like _hearing_ the
opinion to the contrary - so fantastically childish that your claim to not be
childish becomes some kind of satire.

