Viewing Blog: Cory Doctorow's craphound.com, Most Recent at Top
Results 1 - 25 of 801
The blog of author Cory Doctorow
1. Everything is a Remix, including Star Wars, and that’s how I became a writer

Kirby Ferguson, who created the remarkable Everything is a Remix series, has a new podcast hosted by the Recreate Coalition called Copy This and he hosted me on the debut episode (MP3) where we talked about copying, creativity, artists, and the future of the internet (as you might expect!).



Are you one of the many Star Wars fans eagerly awaiting the release of Rogue One: A Star Wars Story later this month? As you watch – and rewatch – the trailer, take a break to tune into Re:Create’s new Copy This podcast to learn about copyright and the role it’s played in the success of the fan-favorite series. As part of our ongoing work to elevate the discussion around copyright issues, the role copyright plays in our lives, and the need for balanced laws, Re:Create today launched Copy This hosted by writer, director and remixer Kirby Ferguson. The monthly podcast will bring to listeners conversations with some of the leading authors, policy minds, legal experts, and members of the creative community to take on the important questions and topics driving the copyright debate today.


New Re:Create Podcast Shows What Star Wars Can Teach Us About Copyright
[Recreate]

0 Comments on Everything is a Remix, including Star Wars, and that’s how I became a writer as of 12/14/2016 3:27:00 AM
2. Mr Robot has driven a stake through the Hollywood hacker, and not a moment too soon

Mr Robot is the most successful example of a small but fast-growing genre of “techno-realist” media, where the focus is on realistic portrayals of hackers, information security, surveillance and privacy, and it represents a huge reversal on the usual portrayal of hackers and computers as convenient plot elements whose details can be finessed to meet the story’s demands, without regard to reality.


There’s a problem with this: information security really matters, and practically no one understands it, and most of what people think they know comes from (usually terrible) media portrayals. The Computer Fraud and Abuse Act, used to prosecute Aaron Swartz, was passed after a Wargames-inspired moral panic about teenagers starting WWIII from their bedrooms, and the next president thinks that hackers are 400-pound guys in their bedrooms and wants to rely on his 10-year-old nephew to thwart them.


In my feature article for MIT Tech Review, I discuss the techno-realist movement, how it applies to my own novel Little Brother and its adaptation at Paramount, and what it portends for the future of art, security and law.


The show excels not only at talk but also at action. The actual act of hacking is intrinsically boring: it’s like watching a check-in clerk fix your airline reservation. Someone types a bunch of obscure strings into a terminal, frowns and shakes his head, types more, frowns again, types again, and then smiles. On the screen, a slightly different menu prompt represents the victory condition. But the show nails the anthropology of hacking, which is fascinating as all get-out. The way hackers decide what they’re going to do, and how they’re going to do it, is unprecedented in social history, because they make up an underground movement that, unlike every other underground in the past, has excellent, continuous, global communications. They also have intense power struggles, technical and tactical debates, and ethical conundrums—the kind of things found in any typical Mr. Robot episode.

Mr. Robot wasn’t the first technically realistic script ever pitched, but it had good timing. In 2014, as the USA Network was deliberating over whether to greenlight Mr. Robot’s pilot for a full season, Sony Pictures Entertainment was spectacularly hacked. Intruders dumped everything—prerelease films, private e-mails, sensitive financial documents—onto the Web, spawning lawsuits, humiliation, and acrimony that persists to this day. The Sony hack put the studio execs in a receptive frame of mind, says Kor Adana, a computer scientist turned screenwriter who is a writer and technology producer on the series. Adana told me the Sony hack created a moment in which the things people actually do with computers seemed to have quite enough drama to be worthy of treating them with dead-on accuracy.


Mr. Robot Killed the Hollywood Hacker

[Cory Doctorow/MIT Tech Review]

0 Comments on Mr Robot has driven a stake through the Hollywood hacker, and not a moment too soon as of 12/14/2016 3:53:00 AM
3. A new edition of the Information Doesn’t Want to Be Free audiobook featuring Neil Gaiman

“Information Doesn’t Want to Be Free” is my 2014 nonfiction book about copyright, the internet, and earning a living, and it features two smashing introductions — one by Neil Gaiman and the other by Amanda Palmer.


I released an audio edition of the book in 2014, read by the incomparable Wil Wheaton, who also read the audiobook of my novel Homeland. At the time, I tried to get Neil and Amanda into a studio to record their intros, but we couldn’t get the stars to align.

But good things come to those who wait! Neil Gaiman’s 2016 essay collection The View From the Cheap Seats includes his introduction to my book, and the audiobook edition — which Neil himself read — therefore includes Neil’s reading of this essay.


Thanks to Neil, his agents, and the kind people at Harper Audio, I was able to get permission to include Neil’s reading of his essay for a remastered audio version of the audiobook (many thanks to Wryneck Studios’ John Taylor Williams for turning this around very quickly!), and as of today, you can buy the new edition for $15. As with every one of my audiobooks, this is DRM-free, and makes a snazzy holiday gift.

Information Doesn’t Want to Be Free audiobook featuring Neil Gaiman [Craphound]

0 Comments on A new edition of the Information Doesn’t Want to Be Free audiobook featuring Neil Gaiman as of 12/14/2016 4:17:00 AM
4. My keynote from the O’Reilly Security Conference: “Security and feudalism: Own or be pwned”


Here’s the 32 minute video of my presentation at last month’s O’Reilly Security Conference in New York, “Security and feudalism: Own or be pwned.”

Cory Doctorow explains how EFF is battling the perfect storm of bad security, abusive business practices, and threats to the very nature of property itself, fighting for a future where our devices can be configured to do our bidding and where security researchers are always free to tell us what they’ve learned.

0 Comments on My keynote from the O’Reilly Security Conference: “Security and feudalism: Own or be pwned” as of 12/14/2016 3:13:00 AM
5. Car Wars: a dystopian science fiction story about the nightmare of self-driving cars

Melbourne’s Deakin University commissioned me to write a science fiction story about the design and regulation of self-driving cars, inspired by my essay about the misapplication of the “Trolley Problem” to autonomous vehicles.


The story, Car Wars, takes the form of a series of vignettes that illustrate the problem with designing cars to control their drivers, interspersed with survey questions to spur discussion of the wider issues of governments and manufacturers being able to control the operation of devices we own and depend on.

It’s pretty much the most beautiful treatment any of my stories has ever had online, and I love how it’s been embedded in a wider context.


– PLAUSIBLE DENIABILITY –

‘We’re dead.’

‘Shut up, Jose, we’re not dead. Be cool and hand me that USB stick. Keep your hands low. The cop can’t see us until I open the doors.’

‘What about the cameras?’

‘There’s a known bug that causes them to shut down when the LAN gets congested, to clear things for external cams and steering. There’s also a known bug that causes LAN traffic to spike when there’s a law-enforcement override because everything tries to snapshot itself for forensics. So the cameras are down inside. Give. Me. The. USB.’

Jose’s hand shook. I always kept the wireless jailbreaker and the stick separate – plausible deniability. The jailbreaker had legit uses, and wasn’t, in and of itself, illegal.

I plugged the USB in and mashed the panic-sequence. The first time I’d run the jailbreaker, I’d had to kill an hour while it cycled through different known vulnerabilities, looking for a way into my car’s network. It had been a nail-biter, because I’d started by disabling the car’s wireless – yanking the antenna out of its mount, then putting some Faraday tape over the slot – and every minute that went by was another minute I’d have to explain if the jailbreak failed. Five minutes offline might just be transient radio noise or unclipping the antenna during a car-wash; the longer it went, the fewer stories there were that could plausibly cover the facts.

But every car has a bug or two, and the new firmware left a permanent channel open for reconnection. I could restore the car to factory defaults in 30 seconds, but that would leave me operating a vehicle that was fully uninitialised, no ride history – an obvious cover-up. The plausibility mode would restore a default firmware load, but keep a carefully edited version of the logs intact. That would take three to five minutes, depending.

‘Step out of the vehicle please.’

‘Yes, sir.’

I made sure he could see my body cam, made it prominent in the field of view for his body cam, so there’d be an obvious question later, if no footage was available from my point of view. It was all about the game theory: he knew that I knew that he knew, and other people would later know, so even though I was driving while brown, there were limits on how bad it could get.

‘You too, sir.’

Car Wars [Cory Doctorow/Deakin University]

0 Comments on Car Wars: a dystopian science fiction story about the nightmare of self-driving cars as of 12/14/2016 3:47:00 AM
6. I’m helping launch Echoes of Sherlock Holmes at LA’s Chevalier Books tomorrow night

In 2014, lawyer and eminent Sherlockian Les Klinger comprehensively won the legal battle to establish that Sherlock Holmes is in the public domain and available for anyone to use, abuse, alter, celebrate or mock; now with a new anthology of completely unauthorized Sherlock tales, Echoes of Sherlock Holmes, Klinger and co-editor Laurie R. King have shown just how much life there is in the old tales.

I’m one of the contributors to the anthology. My story, “Sherlock Holmes and the Adventure of the Extraordinary Rendition,” uses the Snowden documents I was the first to publish as the basis for a cautionary tale about surveillance, secrecy and corruption.


It’s just one of 17 stories in Echoes, which has been getting rave reviews since its launch earlier this month.

Tomorrow (Wednesday) night at 7PM, three of us authors (Gary Phillips, Anne Perry and me), as well as Les Klinger, are gathering at Los Angeles’s Chevalier Books for a launch, signing, talk, Q&A and reading.

I hope you’ll join us!

If you’re based in the Valley, have no fear: we’ll be doing a second event on December 10 at Burbank’s Dark Delicacies.

Foremost Sherlockian Les Klinger Sounds The Depths with Echoes of Sherlock Holmes’ Contributors Cory Doctorow, Gary Phillips and Anne Perry [Chevalier Books]

0 Comments on I’m helping launch Echoes of Sherlock Holmes at LA’s Chevalier Books tomorrow night as of 11/15/2016 6:14:00 PM
7. Sole and Despotic Dominion: how a 20th century copyright law is abolishing property for humans (but not corporations)

In the 18th century, William Blackstone wrote the seminal “Commentaries on the Laws of England,” which contained one of the foundational definitions of property: “that sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe.”

Today, software-enabled devices can be, and are, controlled by their manufacturers long after they’ve been sold on to customers, and laws like Section 1201 of the DMCA make it a crime to prevent this kind of meddling. This allows companies to force their customers to arrange their affairs to the maximum benefit of the manufacturers’ shareholders, not their own, and to punish customers for taking steps that thwart the manufacturers’ business models.


In my latest Locus column, Sole and Despotic Dominion, I describe how this is a kind of new feudalism, in which the only “people” who have sole and despotic dominion are the artificial life forms known as corporations, and this new aristocracy makes us into tenant farmers of our toasters and thermostats, cars and pacemakers — and I describe how the Electronic Frontier Foundation has launched a lawsuit to make it legal to use your devices in the ways that are most advantageous to you, even if the manufacturers don’t like it.

If you make a gadget with software inside it, you can simply add a thin skin of DRM to it, and configure the device so that the DRM has to be bypassed in order to do anything that lowers your profits. GM uses it to prevent third-party mechanics from diagnosing problems in their cars (and VW used it to prevent independent researchers from discovering that they were cheating on emissions tests). Philips uses it to make sure that you only buy Philips lightbulbs to go in your Philips sockets. Google’s Nest smart thermostats use it to make sure that only they can extend the device’s features, so they can promise power authorities that when the authority turns down your furnace, you can’t turn it back up again.

This is almost too good to be true. Every company has commercial preferences that they wished were legal obligations. Now, thanks to a stupid law from 1998 and the proliferation of cheap computation, every company can make their wish come true.

This is an affront to Blackstone. If the mere presence of a copyrighted work in a device means that its manufacturer never stops owning it, then it means that you can never start owning it. There’s a word for this: feudalism. In feudalism, property is the exclusive realm of a privileged few, and the rest of us are tenants on that property. In the 21st-century, DMCA-enabled version of feudalism, the gentry aren’t hereditary toffs, they’re transhuman, immortal artificial life-forms that use humans as their gut-flora: limited liability corporations.

Under DMCA 1201 rules, security researchers who learn of defects in covered products can be threatened, prosecuted, and jailed just for disclosing that the manufacturer made a dumb mistake (the manufacturers get to decide who can embarrass them by revealing those mistakes), meaning that the camera in your living room and the wireless insulin pump your six-year-old is wearing and the Internet connected car you’re driving down the highway every day are all reservoirs of long-lived digital pathogens that criminals are free to discover and exploit, but that security researchers are not able to tell you about.

Obviously, this is a disaster.

Sole and Despotic Dominion [Locus]

0 Comments on Sole and Despotic Dominion: how a 20th century copyright law is abolishing property for humans (but not corporations) as of 11/3/2016 8:03:00 PM
8. Interview with IEEE-USA Insight Podcast

I was interviewed for the IEEE-USA Insight Podcast last summer in New Orleans, during their Future Leaders Summit, where I was privileged to give the keynote (MP3).

0 Comments on Interview with IEEE-USA Insight Podcast as of 10/19/2016 4:50:00 PM
9. Talking about Allan Sherman on the Comedy on Vinyl podcast

Jason Klamm stopped by my office to interview me for his Comedy on Vinyl podcast, where I talked about the first comedy album I ever loved: Allan Sherman’s My Son, the Nut.

I inherited my mom’s copy of the album when I was six years old, and listened to it over and over until I discovered — the hard way — that you can’t leave vinyl records on the dashboard of a car on a hot day.

Our discussion ranged far and wide, over the golden age of novelty flexidiscs, Thomas Piketty, Hamilton, corporate anthems and many other subjects.

Episode 199 – Cory Doctorow on Allan Sherman – My Son, The Nut
[Comedy on Vinyl]

0 Comments on Talking about Allan Sherman on the Comedy on Vinyl podcast as of 10/13/2016 11:29:00 AM
10. Apply for a Shuttleworth Fellowship!

https://vimeo.com/54762523

I’m the “Honourary Steward” for this year’s Shuttleworth Fellowship, this being a valuable and prestigious prize given to people who are undertaking to make the world a better, more open place (“social innovators who are helping to change the world for the better and could benefit from a social investment model with a difference”).


Being Honourary Steward means that I help choose the grantees; I’m the second Honourary Steward, following in Joi Ito’s footsteps. I’m incredibly honoured to be a part of this; the list of fellows is nothing less than amazing.

The application process is simple and relatively painless; applications are due on Nov 1.

We are thrilled to announce that Cory Doctorow has agreed to be our next Honorary Steward, selecting Fellows for the March 2017 Fellowship round. As a journalist, science fiction writer, copyright activist and technologist, Cory brings a breadth of experience, combined into a unique perspective. We are excited to have him on board and look forward to him expanding the perspective of the fellowship. We support individuals to implement their vision for positive social change, with openness at the centre of their approach. We continue to look for applicants with a strong idea of the world they would like to live in and the contribution they can make towards it. Cory will help us identify which of the candidates best embrace openness and whose innovative idea has the most potential to make a difference in their chosen field.

Doctorow/Shuttleworth collaboration
[Shuttleworth Foundation]

0 Comments on Apply for a Shuttleworth Fellowship!
11. Come see me in Portland, Riverside, LA, and San Francisco

I’ve got a busy couple of weeks coming up! I’m speaking tomorrow at Powell’s in Portland, OR for Banned Books Week; on Wednesday, I’m at UC Riverside speaking to a Philosophy and Science Fiction class; on Friday I’ll be at the University of Southern California in Los Angeles, speaking on Canada’s dark decade of policy denial from climate science to digital locks; and then on Oct 6, I’m coming to SFMOMA to talk about museums, technology, and free culture. I hope to see you soon!

(Image: Alex Schoenfeldt Photography, www.schoenfeldt.com, CC-BY)

0 Comments on Come see me in Portland, Riverside, LA, and San Francisco as of 9/26/2016 3:04:00 PM
12. How free software stayed free

I did an interview with the Changelog podcast (MP3) about my upcoming talk at the O’Reilly Open Source conference in London, explaining how it is that the free and open web became so closed and unfree, but free and open software stayed so very free, and came to dominate the software landscape.

“Desperate” is often the opposite of “open”: it’s when we’re in trouble that we’re most likely to compromise on our principles. How, then, did open become the default for so many tools and applications? Because when you use irrevocable open/free licenses, you lock your code open, defending it from anyone who would lock it up again—including a future version of you, in a moment of weakness.

Open licenses have served us well for more than two decades, but they need help if we’re going to survive the era in which computers invade our bodies and the structures we keep those bodies in. Cory Doctorow explains that we can lock the whole future Web open, if we do it right.

#221: How We Got Here with Cory Doctorow
[The Changelog]

(Image: Tux Droid, Sunny Ripert, CC-BY-SA)

0 Comments on How free software stayed free as of 9/26/2016 1:31:00 PM
13. If DRM is so great, why won’t anyone warn you when you’re buying it?

Last month, I filed comments with the Federal Trade Commission on behalf of Electronic Frontier Foundation, 22 of EFF’s supporters, and a diverse coalition of rightsholders, public interest groups, and retailers, documenting the ways that ordinary Americans come to harm when they buy products without realizing that these goods have been encumbered with DRM, and asking the FTC to investigate fair labeling for products that come with sneaky technological shackles.


In my latest Guardian column, DRM products are defective by design. Time to tell users what they’re buying, I describe the process by which we came to file, and what we’re hoping will come of it.

In our open letter on DRM labelling – a letter signed by a diverse coalition of rights holders, public interest groups, and publishers – we ask the FTC to take action to ensure that people know what they’re getting when they buy products encumbered with DRM. DRM-free publishers love this idea, because where DRM-labelling prevails, customers overwhelmingly favour DRM-free products.

But DRM-encumbered publishers should also love this, because they keep telling us that people don’t mind DRM. One significant challenge to DRM labelling is that the restrictions imposed by DRM can be incredibly complex – a video may play back on most manufacturers’ displays, but not all, and not at every resolution, and not if the video player believes that it is running in a virtual machine or has been relocated to a different country.

What’s more, most modern DRM is designed for “renewability” – which is a DRM-vendor euphemism for a remote kill-switch. These DRM tools phone home periodically for updates, and install these updates without user intervention, and then disable some or all of the features that were there when you bought the product.


DRM products are defective by design. Time to tell users what they’re buying
[The Guardian]

0 Comments on If DRM is so great, why won’t anyone warn you when you’re buying it? as of 9/8/2016 1:50:00 PM
14. The privacy wars have been a disaster and they’re about to get a LOT worse



In my latest Locus column, The Privacy Wars Are About to Get A Whole Lot Worse, I describe the history of the privacy wars to date, and the way that the fiction of “notice and consent” has provided cover for a reckless, deadly form of viral surveillance capitalism.

As bad as things have been, they’re about to get much, much worse: the burgeoning realm of the “Internet of Things” is filled with surveillance devices that you can’t even pretend to give your consent to.

It’s possible that we can prevent the proliferation of reckless overcollection and retention of data, maybe by the eventual success of a few ambitious class-action lawyers, but that will only happen if we stop the accompanying plague of “binding arbitration,” which takes away your right to seek justice for corporate malfeasance.

You will ‘‘interact’’ with hundreds, then thou­sands, then tens of thousands of computers every day. The vast majority of these interactions will be glancing, momentary, and with computers that have no way of displaying terms of service, much less presenting you with a button to click to give your ‘‘consent’’ to them. Every TV in the sportsbar where you go for a drink will have cameras and mics and will capture your image and process it through facial-recognition software and capture your speech and pass it back to a server for continu­ous speech recognition (to check whether you’re giving it a voice command). Every car that drives past you will have cameras that record your like­ness and gait, that harvest the unique identifiers of your Bluetooth and other short-range radio devices, and send them to the cloud, where they’ll be merged and aggregated with other data from other sources.

In theory, if notice-and-consent was anything more than a polite fiction, none of this would hap­pen. If notice-and-consent are necessary to make data-collection legal, then without notice-and-consent, the collection is illegal.

But that’s not the realpolitik of this stuff: the reality is that when every car has more sensors than a Google Streetview car, when every TV comes with a camera to let you control it with gestures, when every medical implant collects telemetry that is collected by a ‘‘services’’ business and sold to insurers and pharma companies, the argument will go, ‘‘All this stuff is both good and necessary – you can’t hold back progress!’’

It’s true that we can’t have self-driving cars that don’t look hard at their surroundings all the time, and pay especially close attention to humans to make sure that they’re not killing them. However, there’s nothing intrinsic to self-driving cars that says that the data they gather needs to be retained or further processed. Remember that for many years, the server logs that recorded all your inter­actions with the web were flushed as a matter of course, because no one could figure out what they were good for, apart from debugging problems when they occurred.

The Privacy Wars Are About to Get A Whole Lot Worse [Locus Magazine]

0 Comments on The privacy wars have been a disaster and they’re about to get a LOT worse as of 9/6/2016 2:00:00 PM
15. See you at Burning Man!

I’m about to switch off my email until September 5 and drive to Black Rock City for 10 days of incinerating the dude.


If you’re going this year, drop by Liminal Labs — with whom I am immensely privileged to camp — and have some cold brew and say hi! We’re at 5&F this year (look for the giant steel gate, the flaming chandelier, and the flying car).

I’m also giving my annual talk at Palenque Norte/Soft Landing which is at 8:00 & Botticelli this year. It’s called “When the better web we’re making crashes, how will we soften the landing?” and it’s at 5PM on Friday, Sept 2.

I’ll see you on the playa!

0 Comments on See you at Burning Man! as of 8/26/2016 2:21:00 AM
16. Talking about the pro-security, anti-DRM business model on the O’Reilly Radar Podcast


On this just-released episode of the O’Reilly Radar podcast (MP3), I talk about EFF’s lawsuit against the US government to invalidate Section 1201 of the DMCA, which will make it legal to break DRM in order to fix security vulnerabilities in the Internet of Things devices that, today, are almost invariably insecure, and are also designed to be as privacy-invading as possible (to create “monetizable” data-streams) — a brutal combo.



Auditing IoT products is a liability for security researchers

Think about the conditions under which IoT companies operate. Their business plan—the thing they show to VCs to get the money to go into the business—is to monetize data. They’re all designed with security as an afterthought. They’re all designed with the minimum viable security to make this product not immediately burst into flames after you put it inside your body or put your body inside of it. Even worse, security researchers face total, brutal liability for investigating these devices and telling people which ones are and aren’t safe. It is completely nightmarish.

New pro-security business models

Note: The Electronic Frontier Foundation is representing Bunnie Huang and Matthew Green in a case challenging the constitutionality of Section 1201 of the DMCA.

One of the things that our DMCA lawsuit would provide for is a pro-security business model. Imagine if you could start a commercial consultancy that would come in and deworm your IoT household. It could come in and jailbreak all the devices and check their firmware loads, and replace the firmware loads with open firmware or patched firmware, or something else that sits in between. All of those things, all that commercial stuff as well, is currently off-limits, and would be available in the same way that you can enable third-party parts and services if there are no legal impediments. The hardware service and support market in the U.S. for all classes of goods, from lawnmowers to cars to air conditioners to computers, is 2 to 4% of America’s GDP. It’s a gigantic multi-billion-dollar sector, and in many cases, these are small and medium-size enterprises.

0 Comments on Talking about the pro-security, anti-DRM business model on the O’Reilly Radar Podcast as of 8/25/2016 10:51:00 AM
17. Podcast: Live from HOPE on Radio Statler

While I was in NYC to keynote the 11th Hackers on Planet Earth convention, I sat down with the Radio Statler folks and explained what I was going to talk about, as well as bantering with the hosts about the relative merits of DEFCON and HOPE and the secret to managing cons and marriages (MP3).

0 Comments on Podcast: Live from HOPE on Radio Statler as of 8/20/2016 9:38:00 AM
18. Podcast: How we’ll kill all the DRM in the world, forever

I’m keynoting the O’Reilly Security Conference in New York in Oct/Nov, so I stopped by the O’Reilly Security Podcast (MP3) to explain EFF’s Apollo 1201 project, which aims to kill all the DRM in the world within a decade.


A couple things changed in the last decade. The first is that the kinds of technologies that have access controls for copyrighted works have gone from these narrow slices (consoles and DVD players) to everything (the car in your driveway). If it has an operating system or a networking stack, it has a copyrighted work in it. Software is copyrightable, and everything has software. Therefore, manufacturers can invoke the DMCA to defend anything they’ve stuck a thin scrim of DRM around, and that defense includes the ability to prevent people from making parts. All they need to do is add a little integrity check, like the ones that have been in printers for forever, that asks, “Is this part an original manufacturer’s part, or is it a third-party part?” Original manufacturer’s parts get used; third-party parts get refused. Because that check restricts access to a copyrighted work, bypassing it is potentially a felony. Car manufacturers use it to lock you into buying original parts.

This is a live issue in a lot of domains. It’s in insulin pumps, it’s in voting machines, it’s in tractors. John Deere locks up the farm data that you generate when you drive your tractor around. If you want to use that data to find out about your soil density and automate your seed broadcasting, you have to buy that data back from John Deere in a bundle with seed from big agribusiness consortia like Monsanto, who license the data from Deere. This metastatic growth is another big change. It’s become really urgent to act now because, in addition to this consumer rights dimension, your ability to add things to your device, take it for independent service, add features, and reconfigure it are all subject to approval from manufacturers.

All of this has become a no-go zone for security researchers. Last summer, the Copyright Office entertained petitions from people who have been impacted by Section 1201 of the DMCA. Several security researchers filed a brief saying they had discovered grave defects in products as varied as voting machines, insulin pumps and cars, and they were told by their counsel that they couldn’t disclose because, in so doing, they would reveal information that might help someone bypass DRM, and thus would face felony prosecution and civil lawsuits.

Cory Doctorow on legally disabling DRM (for good)
[Courtney Nash/O’Reilly]

19. My Kansas City World Science Fiction Convention schedule

I’m flying into Kansas City for part of Midamericon II, the 74th World Science Fiction Convention, and while there, I’ll be on panels, give a reading, and sit down with fans for a kaffeeklatsch.


Here’s my schedule:

Thursday:

Is Cyberpunk Still a Thing?
Thursday 12:00 – 13:00, 3501H (Kansas City Convention Center)
Cyberpunk hit with a big splash, but as personal computers became more prevalent, smaller, and portable, the genre seems to have faded. Or has it? Our panelists take a renewed look at the state of Cyberpunk at the ripe young age of 35.
Ms Pat Cadigan, Cory Doctorow (M), Matt Jacobson, Alvaro Zinos-Amaro, James Patrick Kelly, Patrick Nielsen Hayden

Friday
Patents, Copyrights, Trademarks, and Other Forms of Intellectual Property
Friday 10:00 – 11:00, 2502B (Kansas City Convention Center)
A look at the purpose of patents, copyrights, and trademarks. What is their historical purpose, how is the need for them changing, and where will they go in the future?
Cory Doctorow, Eric Flint, Allan Dyen-Shapiro (M), Sarah Frost, Lisa Macklem

An Idiot’s Guide Revisited, circa 2000
Friday 13:00 – 14:00, 2208 (Kansas City Convention Center)
It’s circa 2000 and authors Cory Doctorow and Karl Schroeder just published /The Complete Idiot’s Guide to Publishing Science Fiction/. Fast-forward 16 years later, and the world of publishing has evolved, but how much has it really changed? Cory and Karl take a look back and discuss what they got right, what they got wrong, and how things have changed over the years.
Karl Schroeder, Cory Doctorow, Patrick Nielsen Hayden

Reading: Cory Doctorow
Friday 16:00 – 16:30, 2202 (Readings) (Kansas City Convention Center)

Saturday
Kaffeeklatsch: Alexander James Adams, Cory Doctorow, Yanni Kuznia, Ada Palmer
Saturday 12:00 – 13:00, 2211 (KKs) (Kansas City Convention Center)
Alexander James Adams, Cory Doctorow, Ada Palmer, Yanni Kuznia

I hope to see you there!

Upcoming Appearances [Cory Doctorow/Craphound]

20. EFF is suing the US government to invalidate the DMCA’s DRM provisions

The Electronic Frontier Foundation has just filed a lawsuit that challenges the Constitutionality of Section 1201 of the DMCA, the “Digital Rights Management” provision of the law, a notoriously overbroad law that bans activities that bypass or weaken copyright access-control systems, including reconfiguring software-enabled devices (making sure your IoT light-socket will accept third-party lightbulbs; tapping into diagnostic info in your car or tractor to allow an independent party to repair it) and reporting security vulnerabilities in these devices.


EFF is representing two clients in its lawsuit: Andrew “bunnie” Huang, a legendary hardware hacker whose NeTV product lets users put overlays on DRM-restricted digital video signals; and Matthew Green, a heavyweight security researcher at Johns Hopkins who has an NSF grant to investigate medical record systems and whose research plans encompass the security of industrial firewalls and finance-industry “black boxes” used to manage the cryptographic security of billions of financial transactions every day.

Both clients reflect the deep constitutional flaws in the DMCA, and both have standing to sue the US government to challenge DMCA 1201 because of its serious criminal provisions (5 years in prison and a $500K fine for a first offense).

The US Trade Rep has propagated the DMCA’s anticircumvention rules to most of the world’s industrial nations, and a repeal in the US will strengthen the argument for repealing their international cousins.

Huang has written an inspirational essay explaining his reasons for participating in this suit, explaining that he feels it is his duty to future generations:

Our recent generation of Makers, hackers, and entrepreneurs have developed under the shadow of Section 1201. Like the parable of the frog in the well, their creativity has been confined to a small patch, not realizing how big and blue the sky could be if they could step outside that well. Nascent 1201-free ecosystems outside the US are leading indicators of how far behind the next generation of Americans will be if we keep with the status quo.

Our children deserve better.

I can no longer stand by as a passive witness to this situation. I was born into a 1201-free world, and our future generations deserve that same freedom of thought and expression. I am but one instrument in a large orchestra performing the symphony for freedom, but I hope my small part can remind us that once upon a time, there was a world free of such artificial barriers, and that creativity and expression go hand in hand with the ability to share without fear.

The EFF’s complaint, filed minutes ago with the US District Court, is as clear and comprehensible an example of legal writing as you could ask for. It builds on two recent Supreme Court precedents (Golan and Eldred), in which the Supremes stated that the only way to reconcile free speech with copyright’s ability to restrict who may utter certain words and expressions is fair use and other exemptions to copyright, which means that laws that don’t take fair use into account fail to pass constitutional muster.

In this decade, more and more companies have figured out that the DMCA gives them the right to control follow-on innovation and suppress embarrassing revelations about defects in their products; consequently, DMCA 1201-covered technologies have proliferated into cars and tractors, medical implants and home security systems, thermostats and baby-monitors.

With this lawsuit, the EFF has fired a starter pistol in the race to repeal section 1201 of the DMCA and its cousins all over the world: to legitimize the creation of commercial businesses that unlock the value in the gadgets you’ve bought that the original manufacturers want to hoard for themselves; to open up auditing and disclosure on devices that are disappearing into our bodies, and inside of which we place those bodies.

I’ve written up the lawsuit for the Guardian:


Suing on behalf of Huang and Green, EFF’s complaint argues that the wording of the statute requires the Library of Congress to grant exemptions for all conduct that is legal under copyright, including actions that rely on fair use, when that conduct is hindered by the ban on circumvention.

Critically, the supreme court has given guidance on this question in two rulings, Eldred and Golan, explaining how copyright law itself is constitutional even though it places limits on free speech; copyright is, after all, a law that specifies who may utter certain combinations of words and other expressive material.

The supreme court held that through copyright’s limits, such as fair use, it accommodates the first amendment. The fair-use safety valve is joined by the “idea/expression dichotomy”, a legal principle that says that copyright only applies to expressions of ideas, not the ideas themselves.

In the 2015 DMCA 1201 ruling, the Library of Congress withheld or limited permission for many uses that the DMCA blocks, but which copyright itself allows – activities that the supreme court has identified as the basis for copyright’s very constitutionality.

If these uses had been approved, people such as Huang and Green would not face criminal jeopardy. Because they weren’t approved, Huang and Green could face legal trouble for doing these legitimate things.


MATTHEW GREEN, ANDREW HUANG and ALPHAMAX, LLC v U.S. DEPARTMENT OF JUSTICE, LORETTA LYNCH: COMPLAINT FOR DECLARATORY AND INJUNCTIVE RELIEF
[EFF]

America’s broken digital copyright law is about to be challenged in court
[Cory Doctorow/The Guardian]

Why I’m Suing the US Government
[Andrew “bunnie” Huang]

Section 1201 of the DMCA Cannot Pass Constitutional Scrutiny
[Kit Walsh/EFF]

(Image: Bunnie Huang, Joi Ito, CC-BY)

21. My interview on Utah Public Radio’s “Access Utah”

Science fiction novelist, blogger and technology activist Cory Doctorow joins us for Tuesday’s AU. In a recent column, Doctorow says that “all the data collected in giant databases today will breach someday, and when it does, it will ruin people’s lives. They will have their houses stolen from under them by identity thieves who forge their deeds (this is already happening); they will end up with criminal records because identity thieves will use their personal information to commit crimes (this is already happening); … they will have their devices compromised using passwords and personal data that leaked from old accounts, and the hackers will spy on them through their baby monitors, cars, set-top boxes, and medical implants (this is already happening)…” We’ll talk with Cory Doctorow about technology, privacy, and intellectual property.

Cory Doctorow is the co-editor of popular weblog Boing Boing and a contributor to The Guardian, Publishers Weekly, Wired, and many other newspapers, magazines and websites. He is a special consultant to the Electronic Frontier Foundation, a non-profit civil liberties group that defends freedom in technology law, policy, standards and treaties. Doctorow is also an award-winning author of numerous novels, including “Little Brother,” “Homeland,” and “In Real Life.”

MP3

0 Comments on My interview on Utah Public Radio’s “Access Utah” as of 7/13/2016 4:57:00 AM
22. As browsers decline in relevance, they’re becoming DRM timebombs


My op-ed in today’s issue of The Tech, MIT’s leading newspaper, describes how browser vendors and the W3C, a standards body that’s housed at MIT, are collaborating to make DRM part of the core standards for future browsers, and how their unwillingness to take even the most minimal steps to protect academics and innovators from the DMCA will put the MIT community in the crosshairs of corporate lawyers and government prosecutors.

If you’re a researcher or security/privacy expert and want to send a message to the W3C that it has a duty to protect the open web from DRM laws, you can sign this open letter to the organization.

The W3C’s strategy for “saving the web” from the corporate-controlled silos of apps is to replicate the systems of control that make apps off-limits to innovation and disruption. It’s a poor trade-off, one that sets a time-bomb ticking in the web’s foundations, making the lives of monopolists easier, and the lives of security researchers and entrepreneurs much, much more perilous.

The Electronic Frontier Foundation, a W3C member, has proposed a compromise that will protect the rights of academics, entrepreneurs, and security researchers to make new browser technologies and report the defects in the old ones: we asked the W3C to extend its patent policy to the DMCA, so that members who participated in making DRM would have to promise not to use the DMCA to attack implementers or security researchers.

But although this was supported by a diverse group of W3C members, the W3C executive did not adopt the proposal. Now, EME has gone to Candidate Recommendation stage, dangerously close to completion. The purpose of HTML5 is to provide the rich interactivity that made apps popular, and to replace apps as the nexus of control for embedded systems, including the actuating, sensing world of “internet of things” devices.

We can’t afford to have these devices controlled by a system that is a no-go zone for academic work, security research, and innovative disruption. Although some of the biggest tech corporations in the world today support EME, very few of them could have come into being if EME-style rules had been in place at their inception. A growing coalition of leading international privacy and security researchers has asked the W3C to reconsider and protect the open web from DRM, a proposal supported by many W3C staffers, including Danny Weitzner (CSAIL/W3C), who wrote the W3C’s patent policy.

Browsers’ bid for relevance is turning them into time-bombs
[Cory Doctorow/The Tech]

(Image: Wfm stata center, Raul654, CC-BY-SA)

0 Comments on As browsers decline in relevance, they’re becoming DRM timebombs as of 7/12/2016 1:06:00 PM
23. Peak indifference: privacy as a public health issue

My latest Locus column, “Peak Indifference”, draws a comparison between the history of the “debate” about the harms of smoking (a debate manufactured by disinformation merchants with a stake in the controversy) and the current debate about the harms of surveillance and data-collection, whose proponents say “privacy is dead,” while meaning, “I would be richer if your privacy were dead.”


Smoking’s harms were hard to pin down in part because the gap between cause (a drag on a cigarette) and effect (cancer) was neither immediate nor absolute. Most drags on cigarettes don’t cause cancer, just like most privacy disclosures don’t harm you. But with enough drags (or enough private information sucked up via surveillance capitalism), disaster is inevitable.


Long before smoking became unacceptable, there was a moment of “peak indifference,” the moment when the number of people who weren’t worried about smoking started to decline, and never recover. The privacy wars are reaching that moment now, with millions of people having their lives ruined by data breaches, and that means there’s a new tactical challenge for privacy advocates.

Rather than convincing people to care about privacy, now we have to convince them to do something about it.

The anti-smoking movement made great strides with this. They made sure that people who had cancer – or whose loved ones did – understood that tobacco’s use wasn’t a blameless, emergent phenomenon. They named names and published documents, showing exactly who conspired to destroy lives with cancer in order to enrich themselves. They surfaced and highlighted the risks to non-smokers’ lives from smoking: not just second-hand smoke, but also the public health burdens and the terrible losses felt by survivors after their loved ones had perished. They demanded architectural changes – bans on smoking – and legal ones, and market ones, and normative ones. Peak indifference let those activists move from convincing to fighting back.

That’s why it’s time for privacy activists to start thinking of new tactics. We are past peak indifference to online surveillance: that means that there will never be a moment after today in which fewer people are alarmed by the costs of surveillance. The bad news is that 20 years of failing to convince people of the risks to online privacy has built up a reservoir of inevitable harms: all the data collected in giant databases today will breach someday, and when it does, it will ruin people’s lives. They will have their houses stolen from under them by identity thieves who forge their deeds (this is already happening); they will end up with criminal records because identity thieves will use their personal information to commit crimes (this is already happening); they will be accused of terrorism or other life-destroying categories of crimes because an algorithm has mined their data to come to a conclusion they aren’t allowed to see or interrogate (this is already happening); they will have their devices compromised using passwords and personal data that leaked from old accounts, and the hackers will spy on them through their baby monitors, cars, set-top boxes, and medical implants (this is already happening); they will have the sensitive information they disclosed to the government to attain security clearance breached and warehoused by blackmailing enemy states (this is already happening); their employers will fail when their personal information is used to commit industrial espionage (this is already happening).

Peak Indifference [Locus Magazine]

0 Comments on Peak indifference: privacy as a public health issue as of 7/7/2016 6:51:00 PM
24. I’m profiled in the Globe and Mail Report on Business magazine

The monthly Report on Business magazine in the Canadian national paper The Globe and Mail profiled my work on DRM reform, as well as my science fiction writing and my work on Boing Boing.

I’m grateful to Alec Scott for the coverage, and especially glad that the question of the World Wide Web Consortium’s terrible decision to standardize DRM as part of HTML5 is getting wider attention.

If you want to learn more, here’s a FAQ, and here’s a letter you can sign onto in which we’re asking the W3C to take steps to protect security disclosures and competition on the web.

He doesn’t always have the last word with Berners-Lee, though. “I was surprised and disappointed that he recently announced that W3C was going to start standardizing DRM. … There is a sense among a lot of people that the Web is cooked.”

W3C is the World Wide Web Consortium, which Berners-Lee runs, and Doctorow is upset because it’s setting up a standardized regime for digital rights management, or DRM—the locks that tech and entertainment companies put on their products—to prevent people from sharing their wares.

Doctorow criticizes American and Canadian legislation that makes it an offence to tamper with these locks. After all, analog publishers can’t control what use purchasers make of their books. And the locks seldom help the creatives who originally produced the content. In joking homage to Isaac Asimov’s laws of robotics, Doctorow has his own law: “Any time someone puts a lock on something that belongs to you and won’t give you the key, that lock isn’t there for your benefit.”

The crusader fighting lock-happy entertainment conglomerates
[Alec Scott/The Globe and Mail]

0 Comments on I’m profiled in the Globe and Mail Report on Business magazine as of 7/1/2016 10:33:00 AM
25. How to protect the future web from its founders’ own frailty

Earlier this month, I gave the afternoon keynote at the Internet Archive’s Decentralized Web Summit, and my talk was about how the people who founded the web with the idea of having an open, decentralized system ended up building a system that is increasingly monopolized by a few companies — and how we can prevent the same things from happening next time.

The speech was very well received — it got a standing ovation — and has attracted a lot of discussion since.

Jonke Suhr has done me the service of transcribing the talk, which will facilitate translating it into other languages as well as making it accessible to people who struggle with video. Many thanks, Jonke!

This is also available as an MP3 and a downloadable video.

I’ve included an edited version below:

So, as you might imagine, I’m here to talk to you about dieting advice. If you ever want to go on a diet, the first thing you should really do is throw away all your Oreos.

It’s not that you don’t want to lose weight when you raid your Oreo stash in the middle of the night. It’s just that the net present value of tomorrow’s weight loss is hyperbolically discounted in favor of the carbohydrate rush of tonight’s Oreos. If you’re serious about not eating a bag of Oreos, your best bet is to not have a bag of Oreos to eat. Not because you’re weak-willed. Because you’re a grown-up. And once you become a grown-up, you start to understand that there will be tired and desperate moments in your future, and the most strong-willed thing you can do is use the willpower that you have now, when you’re strong, at your best moment, to be the best that you can be later, when you’re at your weakest moment.

And this has a name: It’s called a Ulysses pact. Ulysses was going into Siren-infested waters. When you go into Siren-infested waters, you put wax in your ears so that you can’t hear what the Sirens are singing, because otherwise you’ll jump into the sea and drown. But Ulysses wanted to hear the Sirens. And so he came up with a compromise: He had his sailors tie him to the mast, so that when he heard the call of the Sirens, even though he would beg and gibber and ask them to untie him, so that he could jump into the sea, he would be bound to the mast and he would be able to sail through the infested waters.

This is a thing that economists talk about all the time; it’s a really critical part of how you build things that work well and fail well. Now, building a Web that is decentralized is a hard thing to do, and the reason that the web periodically ceases to be decentralized is that it’s very tempting to centralize things. There are lots of short-term gains to be had from centralizing things, and you want to be the best version of yourself; you want to protect your present best from your future worst.

The reason that the Web is closed today is that people just like you, the kind of people who went to Doug Engelbart’s demo in 1968, the kind of people who went to the first Hackers conference, people just like you, made compromises that seemed like the right compromise to make at the time. And then they made another compromise. Little compromises, one after another.

And as humans, our sensory apparatus is really only capable of distinguishing relative differences, not absolute ones. And so when you make a little compromise, the next compromise that you make, you don’t compare it to the way you were when you were fresh and idealistic. You compare it to your current, “stained” state. And a little bit more stained hardly makes any difference. One compromise after another, and before you know it, you’re suing to make APIs copyrightable, or you’re signing your name to a patent on one-click purchasing, or you’re filing the headers off of a GPL library and hoping no one looks too hard at your binaries. Or you’re putting a backdoor in your code for the NSA.

And the thing is: I am not better than the people who made those compromises. And you are not better than the people who made those compromises. The people who made those compromises discounted the future costs of the present benefits of some course of action, because it’s easy to understand present benefits and it’s hard to remember future costs.

You’re not weak if you eat a bag of Oreos in the middle of the night. You’re not weak if you save all of your friends’ mortgages by making a compromise when your business runs out of runway. You’re just human, and you’re experiencing that hyperbolic discounting of future costs because of that immediate reward in the here and now. If you want to make sure that you don’t eat a bag of Oreos in the middle of the night, make it more expensive to eat Oreos. Make it so that you have to get dressed and find your keys and figure out where the all-night grocery store is and drive there and buy a bag of Oreos. And that’s how you help yourself in the future, in that moment where you know what’s coming down the road.

The answer to not getting pressure from your bosses, your stakeholders, your investors or your members, to do the wrong thing later, when times are hard, is to take options off the table right now. This is a time-honored tradition in all kinds of economic realms. Union negotiators, before they go into a tough negotiation, will say: “I will resign as your negotiator, before I give up your pension.” And then they sit down across the table from the other side, and the other side says “It’s pensions or nothing”. And the union leaders say: “I hear what you’re saying. I am not empowered to trade away the pensions. I have to quit. They have to go elect a new negotiator, because I was elected contingent on not bargaining away the pensions. The pensions are off the table.”

Brewster has talked about this in the context of code. He suggested that we could build distributed technologies using the kinds of JavaScript libraries that are found in things like Google Docs and Google Mail, because no matter how much pressure is put on browser vendors, or on technology companies in general, the likelihood that they will disable Google Docs or Google Mail is very, very low. And so we can take Google Docs hostage and use it as an inhuman shield for our own projects.

The GPL does this. Once you write code, with the GPL it’s locked open, it’s irrevocably licensed for openness and no one can shut it down in the future by adding restrictive terms to the license. The reason the GPL works so well, the reason it became such a force for locking things open, is that it became indispensable. Companies that wanted to charge admission for commodity components like operating systems or file editors or compilers found themselves confronted with the reality that there’s a huge difference between even a small price and no price at all, or no monetary price. Eventually it just became absurd to think that you would instantiate a hundred million virtual machines for an eleventh of a second and get a license and a royalty for each one of them.

And at that point, GPL code became the only code that people used in cloud applications in any great volume, unless they actually were the company that published the operating system that wasn’t GPL’d. Communities coalesced around the idea of making free and open alternatives to these components: GNU/Linux, Open- and LibreOffice, git, and those projects benefited from a whole bunch of different motives, not always the purest ones. Sometimes it was programmers who really believed ethically in the project and funded their own work, sometimes talent was tight and companies wanted to attract programmers, and the way that they got them to come through the door is by saying: “We’ll give you some of your time to work on an ethical project and contribute code to it.”

Sometimes companies got tactical benefits by zeroing out the margins on their biggest competitor’s major revenue stream. So if you want to fight with Microsoft, just make Office free. And sometimes companies wanted to use but not sell commodity components. Maybe you want to run a cloud service but you don’t want to be in the operating system business, so you put a bunch of programmers on making Linux better for your business, without ever caring about getting money from the operating system. Instead you get it from the people who hire you to run their cloud.

Every one of those entities, regardless of how they got into this situation of contributing to open projects, eventually faced hard times, because hard times are a fact of life. And systems that work well but fail badly are doomed to die in flames. The GPL is designed to fail well. It makes it impossible to hyperbolically discount the future costs of doing the wrong thing to gain an immediate benefit. When your investor or your acquisition suitor or your boss says “Screw your ethics, hippie, we need to make payroll”, you can just pull out the GPL and say: “Do you have any idea how badly we will be destroyed if we violate copyright law by violating the GPL?”

It’s why Microsoft was right to be freaked out about the GPL during the Free and Open Source wars. Microsoft’s coders were nerds like us; they fell in love with computers first, and became Microsoft employees second. They had benefited from freedom and openness, they had cat’ed out BASIC programs, they had viewed sources, and they had an instinct towards openness. Combine that with the expedience of being able to use FLOSS (not having to call a lawyer before you could be an engineer), and with the rational calculus that if they made FLOSS, then when they eventually left Microsoft they could keep using the code that they had made there, and it meant that Microsoft coders and Microsoft were working for different goals. And the way they expressed that was in how they used and licensed their code.

This works so well that for a long time, nobody even knew if the GPL was enforceable, because nobody wanted to take the risk of suing and setting a bad precedent. It took years and years for us to find out in which jurisdictions we could enforce the GPL.

That brings me to another kind of computer regulation, something that has been bubbling along under the surface for a long time, at least since the Open Source wars, and that’s the use of Digital Rights Management (DRM) or Digital Restrictions Management, as some people call it. This is the technology that tries to control how you use your computer. The idea is that you have software on the computer that the user can’t override. If there is remote policy set on that computer that the user objects to, the computer rejects the user’s instruction in favor of the remote policy. It doesn’t work very well. It’s very hard to stop people who are sitting in front of a computer from figuring out how it works and changing how it works. We don’t keep safes in bank robbers’ living rooms, not even really good ones.

But we have a law that protects it, the Digital Millennium Copyright Act (DMCA). It’s been around since 1998 and it has lots of global equivalents, like Article 6 of the EUCD in Europe, implemented all across the EU member states. In New Zealand they tried to pass a version of the DMCA and there were uprisings and protests in the streets; they actually had to take the law off the books because it was so unpopular. And then the Christchurch earthquake hit and a member of parliament reintroduced it as a rider to the emergency relief bill to dig people out of the rubble. In Canada it’s Bill C-11 from 2011. And what it does is make it a felony to tamper with those locks, a felony punishable by a $500,000 fine and five years in jail for a first offense. It makes it a felony to do security auditing of those locks and publish information about the flaws that are present in them or their systems.

This started off as a way to make sure that people who bought DVDs in India didn’t ship them to America. But it is a bad idea whose time has come. It has metastasized into every corner of our world. Because if you put just enough DRM around a product that you can invoke the law, then you can use other code, sitting behind the DRM, to control how the user uses that product, to extract more money. GM uses it to make sure that you can’t get diagnostics out of the car without getting a tool that they license to you, and that license comes with a term that says you have to buy parts from GM, and so all repair shops for GM that can access your diagnostic information have to buy their parts from GM and pay monopoly rents.

We see it in insulin pumps, we see it in thermostats and we see it in the “Internet of Things rectal thermometer”, which debuted at CES this year, which means we now have DRM restricted works in our asses. And it’s come to the web. It’s been lurking in the corners of the web for a long time. But now it’s being standardized at the World Wide Web Consortium (W3C) to something called Encrypted Media Extensions (EME). The idea of EME is that there is conduct that users want to engage in that no legislature in the world has banned, like PVR’ing their Netflix videos. But there are companies that would prefer that conduct not to be allowed. By wrapping the video with just enough DRM to invoke the DMCA, you can convert your commercial preference to not have PVRs (which are no more and no less legal than the VCR was when in 1984 the Supreme Court said you can record video off your TV) into something with the force of law, whose enforcement you can outsource to national governments.

What that means is that if you want to do interoperability without permission, if you want to do adversarial interoperability, if you want to add a feature that the manufacturer or the value chain doesn’t want, if you want to encapsulate Gopher inside of the Web to launch a web browser with content from the first day, if you want to add an abstraction layer that lets you interoperate between two different video products so that you can shop between them and find out which one has the better deal, that conduct, which has never been banned by a legislature, becomes radioactively illegal.

It also means that if you want to implement something that users can modify, you will find yourself at the sharp end of the law, because user modifiability for the core components of the system is antithetical to its goals of controlling user conduct. If there’s a bit you can toggle that says “Turn DRM off now”, then if you turn that bit off, the entire system ceases to work. But the worst part of all is that it makes browsers into no-go zones for security disclosures about vulnerabilities in the browser, because if you know about a vulnerability you could use it to weaken EME. But you could also use it to attack the user in other ways.

Adding DRM to browsers, standardizing DRM as an open standards organization, that’s a compromise. It’s a little compromise, because after all there’s already DRM in the world, and it’s a compromise that’s rational if you believe that DRM is inevitable. If you think that the choice is between DRM that’s fragmented or DRM that we get a say in, that we get to nudge into a better position, then it’s the right decision to make. You get to stick around and do something to make it less screwed up later, as opposed to being self-marginalized by refusing to participate at all.

But if DRM is inevitable, and I refuse to believe that it is, it’s because individually, all across the world, people who started out with the best of intentions made a million tiny compromises that took us to the point where DRM became inevitable, where the computers that are woven into our lives, with increasing intimacy and urgency, are designed to control us instead of being controlled by us. And the reasons those compromises were made is because each one of us thought that we were alone and that no one would have our back, that if we refuse to make the compromise, the next person down the road would, and that eventually, this would end up being implemented, so why not be the one who makes the compromise now.

They were good people, those who made those compromises. They were people who were no worse than you and probably better than me. They were acting unselfishly. They were trying to preserve the jobs and livelihoods and projects of people that they cared about. People who believed that others would not back their play, that doing the right thing would be self-limiting. When we’re alone, and when we believe we’re alone, we’re weak.

It’s not unusual to abuse standards bodies to attain some commercial goal. The normal practice is to get standards bodies to incorporate your patents into a standard, to ensure that if someone implements your standard, you get a nickel every time it ships. And that’s a great way to make rent off of something that becomes very popular. But the W3C was not arm-twisted about adding patents back into standards. That’s because the W3C has the very best patents policy of any standards body in the world. When you come to the W3C to make a standard for the web, you promise not to use your patents against people who implement that standard. And the W3C was able to make that policy at a moment in which it was ascendant, in which people were clamoring to join it, in which it was the first moments of the Web and in which they were fresh.

The night they went on a diet, they were able to throw away all the Oreos in the house. They were where you are now, starting a project that people around the world were getting excited about, that was showing up on the front page of the New York Times. Now that policy has become the ironclad signifier of the W3C. What’s the W3C? It’s the open standards body that’s so open, that you don’t get to assert patents if you join it. And it remains intact.

How will we keep the DMCA from colonizing the Locked Open Web? How will we keep DRM from affecting all of us? By promising to have each other’s backs. By promising that by participating in the Open Web, we take the DMCA off the table. We take silencing security researchers, we take blocking new entrants to the market off the table now, when we are fresh, when we are insurgent, before we have turned from the pirates that we started out as into the admirals that some of us will become. We take that option off the table.

The EFF has proposed a version of this at the W3C and at other bodies, where we say: To be a member, you have to promise not to use the DMCA to aggress against those who report security vulnerabilities in W3C standards, and people who make interoperable implementations of W3C standards. We’ve also proposed that to the FDA, as a condition of getting approval for medical implants, we’ve asked them to make companies promise in a binding way never to use the DMCA to aggress against security researchers. We’ve taken it to the FCC, and we’re taking it elsewhere. If you want to sign an open letter to the W3C endorsing this, email me: [email protected]

But we can go further than that, because Ulysses pacts are fantastically useful tools for locking stuff open. It’s not just the paper that you sign when you start your job, that takes a little bit of money out of your bank account every month for your 401k, although that works, too. The U.S. constitution is a Ulysses pact. It understands that lawmakers will be corrupted and it establishes a principled basis for repealing the laws that are inconsistent with the founding principles as well as a process for revising those principles as need be.

A society of laws is a lot harder to make work than a society of code or a society of people. If all you need to do is find someone who’s smart and kind and ask them to make all your decisions for you, you will spend a lot less time in meetings and a lot more time writing code. You won’t have to wrangle and flame or talk to lawyers. But it fails badly. We are all of us a mix of short-sighted and long-term, depending on the moment, our optimism, our urgency, our blood-sugar levels…

We must give each other moral support. Literal moral support, to uphold the morals of the Decentralized Web, by agreeing now what an open internet is and locking it open. When we do that, if we create binding agreements to take certain kinds of conduct off the table for anything that interoperates with or is part of what we’re building today, then our wise leaders tomorrow will never be pressurized to make those compromises, because if the compromise can’t be made, there is no point in leaning on them to make it.

We must set agreements and principles that allow us to resist the song of the Sirens in the future moments of desperation. And I want to propose two key principles, as foundational as life, liberty, and the pursuit of happiness or the First Amendment:

1) When a computer receives conflicting instructions from its owner and from a remote party, the owner always wins.

Systems should always be designed so that their owners can override remote instructions and should never be designed so that remote instructions can be executed if the owner objects to them. Once you create the capacity for remote parties to override the owners of computers, you set the stage for terrible things to come. Any time there is a power imbalance, expect the landlord, the teacher, the parent of the queer kid to enforce that power imbalance to allow them to remotely control the device that the person they have power over uses.

You will create security risks, because as soon as you have a mechanism that hides from the user, to run code on the user’s computers, anyone who hijacks that mechanism, either by presenting a secret warrant or by breaking into a vulnerability in the system, will be running in a privileged mode that is designed not to be interdicted by the user.

If you want to make sure that people show up at the door of the Distributed Web asking for backdoors, to the end of time, just build in an update mechanism that the user can’t stop. If you want to stop those backdoor requests from coming in, build in binary transparency, so that any time an update ships to one user that’s materially different from the other ones, everybody gets notified and your business never sells another product. Your board of directors will never pressurize you to go along with the NSA or the Chinese secret police to add a backdoor, if doing so will immediately shut down your business.
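The binary transparency idea in the paragraph above, worked through as an added example that is not part of the talk or of any real update system: a publisher records every release in a public append-only Merkle log, a client installs an update only if the publisher can show a valid inclusion proof for exactly the bytes it received, and an auditor reading the same log can spot a version that was shipped with two different digests. All names (MerkleLog, client_install, audit_targeted_releases) and the firmware bytes are constructed for the illustration; the leaf/node domain separation follows the RFC 6962 convention.

```python
"""Toy binary-transparency check (added illustration, not a real system).

A release is (version, sha256 of artifact) appended to an append-only Merkle
log. A client accepts an update only with a valid inclusion proof against a
log root it trusts. Shipping different bytes to one user then either fails on
the client (not logged) or must be logged, where auditors can see it.
"""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record: bytes) -> bytes:
    # Domain-separate leaves from interior nodes (RFC 6962 style prefixes).
    return _h(b"\x00" + record)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def release_record(version: str, artifact: bytes) -> bytes:
    return f"{version}:{hashlib.sha256(artifact).hexdigest()}".encode()


class MerkleLog:
    """Append-only log of release records; last node is duplicated on odd levels."""

    def __init__(self):
        self.entries = []

    def append(self, version: str, artifact: bytes) -> int:
        self.entries.append(release_record(version, artifact))
        return len(self.entries) - 1  # leaf index of the new record

    @staticmethod
    def _pad(level):
        return level + [level[-1]] if len(level) % 2 else level

    def root(self) -> bytes:
        if not self.entries:
            return _h(b"")
        level = [leaf_hash(e) for e in self.entries]
        while len(level) > 1:
            level = self._pad(level)
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        return level[0]

    def inclusion_proof(self, index: int):
        """List of (sibling_hash, sibling_is_on_right) from leaf up to the root."""
        level = [leaf_hash(e) for e in self.entries]
        proof, idx = [], index
        while len(level) > 1:
            level = self._pad(level)
            sib = idx ^ 1
            proof.append((level[sib], sib > idx))
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            idx //= 2
        return proof


def verify_inclusion(record: bytes, proof, root: bytes) -> bool:
    h = leaf_hash(record)
    for sibling, sibling_right in proof:
        h = node_hash(h, sibling) if sibling_right else node_hash(sibling, h)
    return h == root


def client_install(version: str, artifact: bytes, proof, trusted_root: bytes) -> bool:
    """Client side: install only if the bytes received are provably in the log."""
    return verify_inclusion(release_record(version, artifact), proof, trusted_root)


def audit_targeted_releases(log: MerkleLog) -> dict:
    """Auditor side: versions that appear in the log with more than one digest."""
    seen = {}
    for entry in log.entries:
        version, digest = entry.decode().split(":", 1)
        seen.setdefault(version, set()).add(digest)
    return {v: d for v, d in seen.items() if len(d) > 1}


def demo() -> dict:
    # Constructed sample artifacts; the "targeted" build differs by a few bytes.
    good = b"firmware 1.1: constructed sample bytes"
    targeted = b"firmware 1.1: constructed sample bytes + hidden extra"
    log = MerkleLog()
    log.append("1.0", b"firmware 1.0: constructed sample bytes")
    idx = log.append("1.1", good)
    root, proof = log.root(), log.inclusion_proof(idx)
    results = {
        "honest_update_accepted": client_install("1.1", good, proof, root),
        "unlogged_targeted_update_rejected": not client_install("1.1", targeted, proof, root),
    }
    # To get the targeted build installed at all, it has to be logged, and then
    # anyone reading the log sees version 1.1 with two different digests.
    log.append("1.1", targeted)
    results["targeted_build_visible_to_auditors"] = "1.1" in audit_targeted_releases(log)
    return results


if __name__ == "__main__":
    print(demo())
```

The toy checks only inclusion; a deployed scheme also needs clients to confirm that the root they trust is the same one everyone else sees (consistency proofs and gossip between monitors), otherwise a publisher could show one user a private fork of the log.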

Throw away the Oreos now.

Let’s also talk about the Computer Fraud and Abuse Act. This is the act that says if you exceed your authorization on someone else’s computer, where that authorization can be defined as simply the terms of service that you click through on your way into using a common service, you commit a felony and can go to jail. Let’s throw that away, because it’s being used routinely to shut down people who discover security vulnerabilities in systems.

2) Disclosing true facts about the security of systems that we rely upon should never, ever be illegal.

We can have normative ways and persuasive ways of stopping people from disclosing recklessly, we can pay them bug bounties, we can have codes of conduct. But we must never, ever give corporations or the state the legal power to silence people who know true things about the systems we entrust our lives, safety, and privacy to.

These are the foundational principles. Computers obey their owners, true facts about risks to users are always legal to talk about. And I charge you to be hardliners on these principles, to be called fanatics. If they are not calling you puritans for these principles you are not pushing hard enough. If you computerize the world, and you don’t safeguard the users of computers from coercive control, history will not remember you as the heroes of progress, but as the blind handmaidens of future tyranny.

This internet, this distributed internet that we are building, the Redecentralization of the Internet, if it ever succeeds, will someday fail, because everything fails, because overwhelmingly, things are impermanent. What it gives rise to next, is a function of what we make today. There’s a parable about this:

The state of Roman metallurgy in the era of chariots determined the wheelbase of a Roman chariot, which determined the width of the Roman road, which determined the width of the contemporary road, because they were built atop the ruins of the Roman roads, which determined the wheelbase of cars, which determined the widest size that you could have for a container that can move from a ship, to a truck, to a train, which determined the size of a train car, which determined the maximum size of the Space Shuttle’s disposable rockets.

Roman metallurgy prefigured the size of the Space Shuttle’s rockets.

This is not entirely true, there are historians who will explain the glosses in which it’s not true. But it is a parable about what happens when empires fall. Empires always fall. If you build a glorious empire, a good empire, an empire we can all be proud to live in, it will someday fall. You cannot lock it open forever. The best you can hope for is to wedge it open until it falls, and to leave behind the materials, the infrastructure that the people who reboot the civilization that comes after ours will use to make a better world.

A legacy of technology, norms and skills that embrace fairness, freedom, openness and transparency, is a commitment to care about your shared destiny with every person alive today and all the people who will live in the future.

Cory Doctorow: “How Stupid Laws and Benevolent Dictators can Ruin the Decentralized Web, too”
[Transcript by Jonke Suhr]

0 Comments on How to protect the future web from its founders’ own frailty as of 6/28/2016 11:13:00 AM