In Slovenia, panoramic photography comes under regulatory attack

Posted on by

In the European Union it is in the main legal to take photographs from public spaces and then publish them, even if they include identifiable people — and people do so every day in the millions to sites like Flickr, Facebook, Twitter, or to their own blogs. This precedence of the right to free expression over the right to privacy in the public space is a long-standing legal norm, and it has made possible some of the past century’s best photography — street photography, pioneered by the likes of Henri Cartier-Bresson and Robert Frank, who obsessively recorded the everyday gestures and habits of urban life, away from the headlines of the day.

In Slovenia, however, the past few months has seen a bizarre new legal constraint emerge: Should you take photographs in a public space in Slovenia that are social documents but not newsworthy (for example of a street merchant, or a moped driver) and opt to transform them into a 360-degree panorama format before publishing them, you are now obliged to first remove all recognizable faces, or face fines. Furthermore, this decree is applied retroactively, to all panoramas ever taken in Slovenia.

What happened? The Slovenian information commissioner has decreed that 360-degree immersive panoramas by their very nature cannot have the same purpose as conventional photographs, but also that the balance of rights between free expression and privacy depends on a photograph’s purpose — in this case, as expressed by the photographer’s choice of technical format.

The upshot is that if the following panorama had been taken in Slovenia, all faces would need to be removed before it can legally be published online, because it does not indisputably record a newsworthy “event” such as a concert, protest march or accident, even though it is clearly an example of street photography:


Tin suq, Sana’a, Yemen in Yemen

A conventional photograph in the genre of street photography, however, would have no such constraints, even if it is more invasive of individual privacy in the pursuit of free expression:


Chinese-Arab cultural exchange in Alexandria, Egypt

What is currently unclear, however, is if conventional photography taken in Slovenia that does not pass muster as street photography — with an architectural object as its subject, or a snapshot of friends with strangers in the background — requires the anonymization of people in the image:


Building with Verandas, Kashgar, China

(So that we’re all on the same page: 360-degree panoramas are made by taking several wide-angle photographs from the exact same spot and then using computer software to stitch them together so that they seamlessly portray the view in all directions. The resulting image can be displayed as an interactive experience on a computer screen, an equirectangular flat image format or as an image in any number of different projections. There are edge cases too: A conventional-looking flat photograph may be stitched together from several component images, such as this one (6 images) or this one (5 images). There are panorama cameras that take ultra wide-angle conventional photographs, while smartphone applications let consumers sweep their phone camera to make panoramas, up to and including 360-degree panoramas.)

So how did an arbitrary technical distinction come to decide whether an uncensored photograph is legal or illegal in Slovenia? The following is a cautionary tale of what happens when non-technical regulators meet a new-to-them technological innovation they are ill-equipped to judge. It is also a case study of how Google, by voluntarily implementing facial blurring in its relatively new but hugely popular Street View automated 360-degree panoramas, created norms in the minds of regulators that they are now eager to set in stone legally. By focusing on the technical details distinguishing Street View from more conventional photography formats, these regulators have managed to condemn an entire emerging field of photography to burdensome and invasive censorship requirements that are impossible to scale without Google-sized automation resources.

(This is perhaps a good place to mention that there is currently no Google Street View in Slovenia, and there likely won’t be for some time. That’s because Slovenia said it would require Google to keep the raw Street View images in Slovenia until they were blurred — no unblurred images were allowed to leave the country. Because the blurring makes use of Google’s servers, none of which are in Slovenia, Google respectfully declined to add Slovenia to its Street View program.)

Slovenia’s unfortunate regulatory turn came to a head because Slovenia happens to be home to Boštjan Burger, one of the pioneers of immersive photography. For almost two decades, Burger has been recognized inside Slovenia (and abroad) as an important cultural geographer, collaborating with museums and schools to create immersive exhibitions and courseware using his panoramas. Years before Google Street View, he was creating panoramas of everyday street scenes in Slovenia; in these scenes, he didn’t blur faces — his intention was to be a social documentarian, where these individuals are part of the story. He hosted this “open-air museum” on his personal website.

In July 2011, out of the blue, he was placed under investigation by Slovenia’s information commissioner. The (anonymous) complaint: He was making personally identifiable information available in his panoramas, because he hadn’t blurred faces. Never mind that his 11,000 panoramas had been published on his website for years without issue; pending the result of the investigation, Burger was told his panoramas were “most probably illegal” without facial blurring, and so he opted to take many of them offline.

In September 2011, the office of the information commissioner released a legal opinion which stated that conventional street photography engaged in social documentation did not need to have faces removed under Slovenian law, but that panoramas such as Google Street View did, because Street View’s purpose is as tool for getting a sense of the architecture of a place or for finding a location, not social documentation. When the purpose of a photograph is not social documentation, an individual’s right to privacy gains precedence.

This prompted more questions: Who decides what the purpose of a photograph is? Who decides what passes for social documentation? How can a photograph’s format determine its purpose? Burger asked these questions.

In October 2011, in response to Burger’s requests for clarification, the information commissioner released a directive (not online) which explained what kinds of panoramic photography can legally be published in Slovenia with faces unblurred. The directive decided there were just three different kinds of panoramas:

  1. Panoramas without identifiable people in them — these are not in contention.
  2. Panoramas of events such as concerts, protest marches, accidents — in these cases, the photographs have some news value, and so faces need not be blurred, for example if published on a news site.
  3. Photography of public spaces without newsworthy events, where the purpose is to show the architecture or scenery of a specific place — this kind is meant to contain Street View-type panoramas, and here people’s faces must be anonymized. The commissioner decided that a portion of Burger’s panoramas are of this kind. (There is no fourth kind, for social documentation in non-event situations, which is what street photographers most often pursue.) In addition, Burger may not send the original unblurred versions to others in Slovenia or abroad. He faces fines of up to 5,500 euros if he does not comply.

Burger told me that in face-to-face meetings at the commissioner’s office, he was told that this test of newsworthiness, although applied just to panoramic photography in the directive, was in fact valid for conventional photography as well. He then decided to comply with the directive for the long term, either by keeping his panoramas offline or by creatively masking faces on published panoramas so that individuals were not recognizable.

When news of Burger’s meeting spread through the Slovenian photographers’ community, it was immediately pointed out that this test of newsworthiness directly contradicted the legal opinion from Sept 2011, which had specifically upheld the legality of publishing street photography with faces unblurred. So Burger asked for a further clarification: He was told in yet another meeting that the September 2011 opinion defending street photography was only meant for “master photographers” and artists, pursuing creative work. Of course they would not need to blur images if they were exhibiting their work in a gallery or book, for example. In any case, there would be a further statement, he was told.

That statement arrived today.

In it, the commissioner first references Wikipedia to define street photography and then apparently concludes that while this kind of photography has broad legal protection, the test for what constitutes street photography is also rather precise: (Translated via Google Translate, edited for clarity)

In the opinion of the commissioner, street photography is a photograph of the individual in special circumstances, situations, interactions with living and inanimate nature, or with other individuals. The point [of the photograph] is therefore an individual — a representation of an individual as an integral part of society. It is not so important where exactly a person is depicted. The focus is on an individual’s social position and the consequences resulting therefrom, and his/her interaction with other individuals and the environment, and expressed feelings. The location where the photo was taken is of secondary importance.

It is important to note here is that the commissioner is referring to photography in general. There is apparently a class of photographs — those which are neither street photographs nor news photographs — that do not deserve the same legal protection, for example because their purpose is depicting architecture or perhaps because they fail to be sufficiently artistic. In this class of photographs, whether they be flat or panoramic, the right to privacy of the individuals in them would appear to trump the right to free expression by the photographer. This amounts to an opinion with far wider consequences than the original judgment against 360-degree panoramas.

She also argues that 360-degree panoramas in particular — “spatial photography” in her parlance — cannot fall under the street photography rubric because in panoramas location is important, by her reckoning.

A key element of street photography is that the picture depicts an individual. If you show exactly where a photo was taken, the individual is possibly one element in the interpretation of images, but not its essential part. A photo where the presentation of a location is more important than the presentation of the individual as a rule does not fall within the definition of street photography.

We are also told that it is the photographer who is responsible for determining whether a photograph qualifies as street photography and thus can escape the removal of faces:

Clearly, whether a photo is street photography or not should be determined on a case by case basis. This is the primary task of the photographers themselves [...] and of course the editors and curators.

The photographer does not escape liability however, should he/she make this determination incorrectly:

Liability for the lawful processing of individual images as street photography is with the photographer. [...] Otherwise, there may be an inadmissible interference with personal rights, and this will be protected before the competent courts.

Finally, we are told why specifically all non-newsworthy panoramas must have faces removed. It is because panoramas make it clear where and when they were taken that individuals who find themselves in them must have greater privacy protection:

The essence of space photography (when not a depiction of an event) is a pictorial depiction of the environment surrounding the camera. The location of the photo is thus an intrinsic part of the spatial image. Also, because of the special technique used to produce spatial photographs, individuals cannot be the central motif — the finished product can even be disturbed by them. [...] According to the commissioner, an individual whose recognizable image becomes an integral part of spatial images does not only enjoy the protection of personal rights, but also enjoys personal data protection. Spatial photography not only reveals his/her identity, but also reveals his/her personal data, for example a very precise location and possibly also a time when he/she was at this location. [... Before publishing a spatial image, a photographer needs to] obtain the individual’s prior consent, or in the absence of this consent, make the individual unrecognizable.

The argument that only panoramas can expose an individuals’ personal data is quite odd: Any photograph taken in front of a landmark automatically does the same for location. All digital photos contain EXIF timestamps that photo publishing sites automatically share. Mobile phone camera applications automatically add GPS-derived location- and time stamps when uploading to Twitter, Facebook or FourSquare. Will these kinds of photographs now also require the removal of faces? And besides, can street photography not also come with location and time data attached?

What next? Burger tells me that there will likely be a legal challenge to the decree, so that it will face a number of tests in progressively higher courts of law — and with any luck, in the European arena, which is usually good about slapping down ill-considered constraints on free expression. And on November 24, the Slovenian Association of Photographers and Journalists will tackle the issue in a public debate that is slated to feature both Burger and the information commissioner.

2011/12/2 Update: After the debate, the commissioner has now come out with a definitive decision. Burger writes (paraphrased somewhat):

The information commissioner of Slovenia has declared that 360-degree panoramas contain personal data. As a database it is under her jurisdiction. Such photography may not be published online unless faces are blurred.

 

Published 360-degree panoramas with unblurred faces are legal only if the publisher has a written permit of all the people in the panorama. The source images from which the panorama was stitched need to be unrecoverably deleted, e.g. destroyed.

 

What about other images published online? That is not data collection, but it doesn’t mean that the publisher is without responsibility. To be “safe”, the publisher (photographer, videographer) needs to get (ex-post) the permission of every individual documented in the image.

The decree is valid for all images taken on the territory of Republic of Slovenia and is retroactive (with no time limit in the past).

Fake participation fatigue

Posted on by

Two items make a trend, right?

1. When the UK government hosted an international conference on cyber-security last week, commingling foreign ministers from all over with industry representatives and, daringly, Wikipedia’s Jimmy Wales, it was the backdrop that struck me as incongruous:

Perhaps the organizers were under the impression that getting the #LondonCyber Twitter hashtag to trend would be a sufficient proxy for civil society participation in an otherwise closed talking shop. No doubt they anticipated the criticism, and some tech-savvy mandarin came up with the “Let them tweet hashtags” solution.

And never mind the audacity of David Cameron fishing for tweets so publicly just months after the London riots had him running to sacrifice social media at the altar of public security.

2. WhiteHouse.gov, in its zeal to embrace participatory media, now allows people to start petitions, promising an official response upon sufficient signatures. The problem is that these petitions do not lead to policy change, but to rote copy-paste responses that rehash the administration’s line (exhibit one and two).

That the following would happen is inevitable:

In case it disappears from the website, here is the petition text:

We demand a vapid, condescending, meaningless, politically safe response to this petition.
Since these petitions are ignored apart from an occasional patronizing and inane political statement amounting to nothing more than a condescending pat on the head, we the signers would enjoy having the illusion of success. Since no other outcome to this process seems possible, we demand that the White House immediately assign a junior staffer to compose a tame and vapid response to this petition, and never attempt to take any meaningful action on this or any other issue. We would also like a cookie.

Last I checked, over 10,000 had signed, with a goal of 25,000 looking well within reach.

Yes, people can and do set policy — via democratic elections and referenda. One day, the ability to vote online in binding elections or referenda will become commonplace. Until then, administrations who imply that participatory media lets citizens participate in anything more meaningful than government PR campaigns do so at the risk of being ridiculed. (h/t Felix)

Europe arrives? Berlin’s Humboldt Institute for Internet and Society launches

Posted on by

Currently, the leading academic institutions researching “Internet and Society” are Anglo-Saxon affairs, notably at Harvard, Stanford, Yale, Toronto and Oxford. This has prompted the question: Where is mainland Europe’s counterweight in this fast-growing and important area of study?

Perhaps language is a barrier to the wider exposure of continental research, or maybe a clash of academic cultures is impeding cross-fertilization. Public universities in Europe might also be facing funding challenges that conspire against the fast founding of topical new research centers. Smaller places do exist, such as in Turin, and universities might have a faculty or lab that innovates in its niche. Whatever the reason, these efforts have not yet managed to steer the global debate regarding Internet and society, or match the impact of results-oriented projects such as the OpenNet Initiative.

The lack of European institutions with the caliber of a Berkman Center has been keenly felt, however, and so several initiatives are in the works. In Lund, plans are afoot to set up the Lund University Internet Institute (LUII). And in Berlin, Humboldt University’s Google-funded Alexander von Humboldt Institut für Internet und Gesellschaft (HIIG) has just launched, with a symposium to mark the occasion.

I attended this First Berlin Symposium on Internet and Society (#BSIS11) on Oct 26-28. Below are some notes on the event and some wider thoughts on its context.

In a sign of how en vogue the topic is, that week there were at least two more conferences in the same vein — the corporate-sponsored Silicon Valley Human Rights Conference (#rightscon) in San Francisco, and the Swedish government-funded conference on Internet and democratic change (#net4change) in Stockholm. One speaker, Rebecca MacKinnon, even managed to headline two of them, in San Francisco and Berlin.

The audiences at these conferences varied. In San Francisco we saw civil society and corporations getting together for an “outcome-oriented” event aimed at using ICT to do good. Stockholm had NGOs, entrepreneurs and net activists comparing experiences in the trenches and building networks. Both conferences had strong representations from the Arab world.

In Berlin, in contrast, the audience was resolutely academic, first-world, and with a preponderance of competence in the social sciences and law. The focus, too, was not on outcomes or actions but on discussing research questions that the fledgling institute might pursue. These are not criticisms, but they do point to a big divergence in motivation: Participants in Stockholm and San Francisco approached the issues from a user perspective, and tended to place themselves in opposition to the perceived paternalism of state actors. The default stance to regulatory initiatives among this group is mistrust. They tend to see regulation as a necessary evil.

Meanwhile, in Berlin, regulation — whether national or even international — was far more openly mooted as a desirable means to protect society from the ill effects of Internet-mediated change.

This contrast of approaches was most visible in the two keynote speeches. Rebecca MacKinnon was clearly an emissary of the regulation skeptics, and her talk was a well-argued and illustrated cautionary tale of unintended consequences and slippery slopes. She drew a direct comparison between Chinese corporate self-censorship and the West’s regulatory tack towards intermediary liability, with its attendant chilling effects.

Phillip Mueller‘s keynote on open statecraft, by contrast, was a far more academic and abstract treatment by a public policy professor. Machiavelli and Martin Luther were invoked (the latter as a proto-blogger), governance and social production models were contrasted, and differences were tweaked between one-to-many, many-to-many and few-to-few media.

The overall effect was that of a public policy professional sizing up the Internet. MacKinnon, on the other hand, came across as a digital native sizing up public policy. It’s a subtle distinction, and both perspectives are valuable, but as an Internet user, I find myself hoping HIIG’s ethos doesn’t default solely to Mueller’s approach.

Privacy: How might a digital native’s approach to research questions differ? I think it could affect some of the underlying assumptions. An example: In the workshop on “Internet Legislation and Regulation through the Eyes of Constitution” [sic] there was some talk about how constitutional rights such as privacy or free expression must continue to be robustly protected as the Internet comes to permeate society. This is true, though privacy and free expression often stand in opposition to one another, and so a balance of rights needs to be found that corresponds to a society’s needs and expectations — that’s the job of judges and legislators.

What’s evident is that over time, the march of technology will naturally favor some rights at the expense of others; in a world of cheap camera phones, Facebook and Twitter, our private sphere shrinks and smudges into various shades of semi-privacy, in part because our friends and colleagues have ever more powerful tools to freely express themselves about us.

A conventional policy reaction to this technology-mediated erosion of privacy might be to legislate ever stronger protection in a valiant attempt to freeze privacy norms at pre-Internet levels. A digital native’s policy reaction would be to embrace this shifting natural balance, and focus instead on enabling emerging norms for privacy management. Privacy is a mutable social norm, and it always has been, waxing and waning over the centuries. The new norms need to accommodate this dynamism.

The Berkman Center’s Executive Director Urs Gasser, in his contribution to the workshop, made room for the digitally native response. He pointed out that policy responses to the Internet could range from enacting wholly new legislation, to the subsumption of old legislation into a new more relevant legal framework, to doing nothing at all. He warned against legislating too soon: Knee-jerk legislation produced the US Patriot Act, after all. And finally, he betrayed an engineer’s sensibility, suggesting that the online effects of legislation should be measurable, enabling feedback loops that would allow the legal system to learn.

Public Domain: In the workshop “The Digital Public Domain Between Regulation And Innovation” there was a similar recognition that traditional methods of rewarding creativity through intellectual property protection are being made obsolete by technological innovation. To digital natives, the concept of “buying” digital content is an increasingly anachronistic metaphor, and yet regulatory activity has focused almost exclusively on perpetuating the notion of property, and hence stealing, into the digital age. Meanwhile, technology strongly favors the duplication of digital content with impunity.

A digitally native policy approach, in contrast, appreciates that social practices are shifting just as much in the creation of content as in its consumption. The old lone-author notion of content creation that traditional IP law has catered to is now just one extreme in a spectrum of increasingly collaborative and reiterative creative processes. This new reality has triggered a Cambrian explosion of more apt content use schemes: Licensing models such as the Creative Commons and GNU GPL, voluntary micropayment reward schemes such as Flattr and Readability, and flat-rate consumption schemes such as Spotify and Netflix.

All of these innovations are blurring the boundaries of the public domain, and constitute a de facto assault on IP orthodoxy. What they also share is a bottom-up, evolutionary genesis, born of disparate social movements and entrepreneurial initiatives, as opposed to a more deliberate, top-down approach championed by University of Haifa Dean Niva Elkin-Koren, who was present at the workshop. Her wish was that “we need to start from the purpose of the public domain and then derive norms.”

I certainly approve of this sentiment, though I suspect such a project would crucially lack broader support among copyright incumbents. In the meantime, the best we can do is have these emerging use schemes reshape the public domain in an ad hoc way, with the net effect so far being positive. Elkin-Koren has a point, however, which she has long argued: The evolution of this process does not guarantee a positive outcome.

So, even among digital natives, the tactics may differ while the strategies align. Fortunately, these two approaches are not mutually exclusive. And perhaps the specter of a Darwinian evolution of content use norms will push the incumbents towards a system that more holistically looks at how to maximize creativity with a minimum of constraints — something which ACTA demonstrably fails to do.

With all the great people at the workshops and on the sidelines, HIIG looks set to bring a strong European voice to the “Internet and Society” debate. And with MacKinnon, Gasser and Elkin-Koren contributing to the launch symposium, here’s hoping that voice also embraces the digitally native view.

Resources update: Cybernorms, Digital Democracy

Posted on by

Under Blogs > Development, democratization, crisis management

ICT4D Jester • ICT4D contrarian Kentaro Toyama’s blog, where he “questions, critiques, and sometimes lampoons the endeavor called ICT4D.” @kentarotoyama

Diary of a Crisis Mapper • Crisis mapper Anahi Ayala Iacucci writes about ICT4D, mobile technology and, more broadly, on the “political meaning of information”. @anahi_ayala

Under Institutions > The Internet and society

Cybernorms Research Group • Initiative by the Sociology of Law department at Sweden’s Lund University to explore “the norm-creating processes” that appear in the wake of evolving information technology. Looks set to become the Lund University Internet Institute (LUII). @cybernorms

Under Institutions > Democratization

Digital Democracy • Non-profit helps “marginalized communities to use technology to build their futures”. Promotes civic engagement through “digital technologies and programs that promote education, communication and participation.” @DigiDem

Resources update: Digital Due Process, Sahana Software Foundation, Measurement Lab

Posted on by

Under Institutions > Net freedom, civil rights, privacy

Digital Due Process • A “coalition of privacy advocates, major companies and think tanks” aiming to modernize surveillance laws for the Internet, specifically the US Electronic Communications Privacy Act (ECPA).

Under Blogs > Development, democratization, crisis management

Communication Crisis • A blog investigating “the ways in which people and organisations in political crisis situations are affected by limitations in communication and the ways and modes in which people bypass these limitations.”

Under Tools > Tools

Sahana Software Foundation • “Dedicated to the mission of saving lives by providing information management solutions that enable organizations and communities to better prepare for and respond to disasters.” @SahanaFOSS

Submarine Cable Map • Shows physical infrastructure of submarine cables. By TeleGeography telecoms market research firm.

Under Tools > Data

Measurement Lab (MLAB) • Research platform and network diagnostic tool to determine if ISPs are performing application-specific traffic shaping such as throttling email, HTTP, SSH, Flash or BitTorrent. By Open Technology Initiative (OTI), Google.

Under Tools > Online journals, book series, essay series, manuals, reference texts

Freedom on the Net 2011 • Published: April 18, 2011. “Examines internet freedom in 37 countries around the globe.” By Freedom House.

Resources update: Institut für Internet & Gesellschaft, ICANN, IGF, IGP…

Posted on by

Under Institutions > The Internet and society:

Institut für Internet & Gesellschaft at Humboldt University in Berlin • New Google-funded initiative collects “leading academics to engage in innovative research focusing on questions of Internet innovation, Internet policy, information and media law and global constitutionalism.” @WebForschung

The Institute is organizing the 1st Berlin Symposium on Internet and Society in Berlin on Oct 25-28, 2011.

Under Institutions > Internet governance:

Internet Corporation for Assigned Names and Numbers (ICANN) • “A not-for-profit public-benefit corporation with participants from all over the world” that administers the Internet’s domain name system. @ICANN

Internet Governance Forum (IGF) • A “multi-stakeholder” forum mandated by the UN Secretary-General to discuss Internet governance policy. Meets annually, also comprised of regional and national IGFs.

Internet Governance Project (IGP) • An “alliance of academics that puts expertise into practical action in the fields of global governance, Internet policy, and information and communication technology.” Publishes research and analysis on Internet governance, and is active in ICANN and the UN’s Internet Governance Forum (IGF) @IGPAlert

Under Institutions > Accountability, transparency, openness:

Open Government Partnership • A “multilateral initiative that aims to secure concrete commitments from governments to promote transparency, empower citizens, fight corruption, and harness new technologies to strengthen governance.” Overseen by a steering committee of governments and civil society organizations. Launched September 20, 2011 at Google NYC. @opengovpart

The Wikileaks blame game — who released what, exactly?

Posted on by

The story of how the unredacted version of the US diplomatic cables ended up in the wild really is a disgraceful farce — a tragedy of errors, with plenty of blame to go round. Nigel Parry has a great round-up and Micah Sifry also weighs in.

There’s one thing I am not inclined to blame Assange for, however: It’s been misreported just about everywhere that Assange and Wikileaks released the fully unredacted cables themselves, as per their tweet:

WIKILEAKS RELEASE: Full Cablegate2 database file (torrent) http://file.wikileaks.org/torrent/cable_db_full.7z.torrent

The above downloads a SQL file. They also made a 60GB HTML version available, in addition to the SQL database version above. I downloaded both files, and searched them for previously redacted cables which I had read when they were released. In these BitTorrent files, however, those cables are still redacted. It’s only the remaining, previously unreleased files which are left unredacted.

The online resources showing this partially redacted version of the cables are cablesearch.org and cablegatesearch.net. (Both these links go to the same cable from 2006 where a Chinese official asks the US to censor Google Earth imagery in China (without success). In both cases, the name of the official is redacted.)

The completely unredacted version of the cables is the file hosted by Cryptome, and it is this version which the cables.mrkva.eu online search tool queries. (Here is the same cable about Google Earth as before. It reveals the name of the official.)

So it appears that Wikileaks is not directly responsible for “unredacting” the previously redacted material that is now floating around. The source of that lies elsewhere. Is this a distinction without a difference? I’m not sure; Wikileaks did after all tweet a link to the cables.mrkva.eu search tool. Perhaps in the current chaos Wikileaks is not even sure what it is releasing.

So who bears the preponderance of the blame, then? Right now I’m leaning towards The Guardian’s David Leigh for his apparent technological ineptitude in not knowing that encrypted files don’t come with temporary passwords — perhaps he watched too many James Bond films, where messages self-destruct on camera. By Parry’s account, Leigh couldn’t even unzip a file on his own. It’s not surprising then that he’d put the password to the unredacted original trove of cables in his book, published in February 2011. It’s colossal cluelessness, and I hope he’s sleeping badly for all the vulnerable people he’s put at risk.

Julian Assange is also to blame, primarily for being so cavalier with the information, entrusting it to people who are not capable of keeping it safe (or perhaps not being clear enough to Leigh about the nature of the file in question). As a result, intelligence agencies have likely had access to the unredacted cables for some time now.

The damage this has done is real. I would not want to be the Chinese person in this 2010 cable, a nephew of a Politburo Standing Committee member, who told US diplomats that cyber attacks against Google in China were being coordinated by his government. That cable was previously redacted, but now shows his name.

Nor would I want to be the Chinese person in this 2008 cable, published by Wikileaks a few days ago in its unredacted form, where he tells US diplomats:

Xxx himself is a leader of an underground church in Shanghai. He recently returned from a secret meeting of leaders of underground churches from Beijing, Shanghai, Tianjin, Wuhan, and Nanjing. Participants in the meeting reported that there has been an increase of governmental scrutiny and pressure because of the Olympics.

Getting his real name is now as easy as clicking on the link above. If these people, and others like them, find themselves harassed or arrested as a result of this débâcle, then I’m afraid that on balance, the Wikileaks experiment in radical transparency has made the world a worse place — and all through the sheer ineptitude of all parties concerned.

Wikileaks own leak ushers in the era of radical transparency

Posted on by

As the story emerges about how Wikileaks’ US diplomatic cables came to be available in an unredacted, unencrypted form this week, potentially harming the safety of many informants and other vulnerable people, one obvious lesson is again in evidence:

People are the weakest link in any encryption system.

The potential for human error is constant and unswerving, and so the odds were always that eventually, somehow, somebody would screw up — even somebody as security obsessed as Julian Assange was not exempt. It’s a common cliché to posit that “information wants to be free”; perhaps it is more accurate to say that for information, being encrypted is an unstable state — either the password is soon forgotten or taken to the grave and the information disappears from the universe, or else some blunder eventually allows it to escape to the world at large. For information, in the long run, it’s more “Live free or die”; there is no stable intermediate state. Conspiracies are short-lived at best because humans are fallible; those Knights Templar successfully defending the Holy Grail across the millennia exist only in bad fantasy fiction.

The 500MB BitTorrent file that contains all the cables unzips to around 60GB of HTML files — my computer’s been at it for over 8 hours and counting. I can’t not rifle through this trove now that it is in the wild, of course. Previously, I was frustrated that I couldn’t just do text searches on all the content for my own ad hoc investigative reporting, although I understood and approved of the reason why. Now that this information is in the open, we can’t just let those with nefarious motives read them — we all need to read up, so that there is some hope for a silver lining. (If I find anything relevant to Dliberation’s remit, I’ll blog it of course.)

It looks like we will after all have to adjust to living in a global society where radical transparency is an expected outcome, whether from customer database leaks or whistleblower actions. For a while, as The Guardian and others released redacted versions of the cables, we thought Pandora’s box could be opened just a sliver. We were wrong.

Resources update: Open Rights Group

Posted on by

Under Institutions > Net freedom, civil rights, privacy

Open Rights Group (ORG) • “The UK’s leading voice defending freedom of expression, privacy, innovation, consumer rights and creativity on the net.” Also looks after the EU. @OpenRightsGroup

Bits of Freedom • Dutch digital rights organization, “focusing on privacy and communications freedom in the digital age.” @bitsoffreedom

Flash mob rule

Posted on by

Much has already been said about the looting spree that afflicted London and other British cities last week, so I’ll stick to just one observation:

These incidents were traditional flash mobs in every sense but for their destructive intent. All flash mobs — be it a “spontaneous” pillow fight in central Stockholm or a frozen Grand Central Station in New York — share the same dynamic: Social (or semi-social) media are used to gather a group at a pre-defined semi-secret location to engage in a common synchronized activity.

In the case of the London incidents, the looters discovered that this dynamic can be co-opted to overwhelm local law enforcement through sheer numbers at a certain place and for a certain time, thus facilitating looting.

Law enforcement has always been a little skittish about flash mob projects, precisely because there was that “what if” scenario looming — what if the group act was anti-social in its intent, instead of social? Now we know it works very well. And so do the looters.