29th July 2014

Lockdown

What role will computers play in the war over human freedom?
Cory Doctorow | Novelist, activist, co-editor of Boing Boing.


General-purpose computers are astounding. Even the most apparently straightforward home computers are so astounding that our society still struggles to come to grips with them, what they're for, how to accommodate them, and how to cope with them. This is most apparent when it comes to the complex relationship between technology (especially the internet) and law, but is also an increasing issue in the spheres of politics, privacy and surveillance.

In the beginning, we had packaged software and we had sneakernet. We had floppy disks in ziplock bags, in cardboard boxes, hung on pegs in shops, and sold like candy bars and magazines. They were eminently susceptible to duplication, were duplicated quickly, and widely, and this was to the great chagrin of people who made and sold software. Enter Digital Rights Management in its most primitive forms. They introduced physical indicia which the software checked for – deliberate damage, dongles, hidden sectors – and challenge-response protocols that required possession of large, unwieldy manuals that were difficult to copy.

These failed for two reasons. First, they were commercially unpopular, because they reduced the usefulness of the software to the legitimate purchasers. Honest buyers resented the non-functionality of their backups, they hated the loss of scarce ports to the authentication dongles, and they chafed at the inconvenience of having to lug around large manuals when they wanted to run their software. Second, these didn't stop pirates, who found it trivial to patch the software and bypass authentication. People who took the software without paying for it were untouched.

Typically, the way this happened is that a programmer, with possession of technology and expertise of equivalent sophistication to the software vendor itself, would reverse-engineer the software and circulate cracked versions. While this sounds highly specialised, it really wasn't. Figuring out what recalcitrant programmes were doing and routing around media defects were core skills for computer programmers, especially in the era of fragile floppy disks and the rough-and-ready early days of software development. Anti-copying strategies only became more fraught as networks spread; once we had bulletin boards, online services, USENET newsgroups and mailing lists, the expertise of people who figured out how to defeat these authentication systems could be packaged up in software as little crack files. As network capacity increased, the cracked disk images or executables themselves could be spread on their own.

By 1996, it became clear to everyone in the halls of power that there was something important about to happen. We were about to have an information economy – whatever the hell that was. They assumed it meant an economy where we bought and sold information. Information technology improves efficiency, so imagine the markets that an information economy would have! You could buy a book for a day, you could sell the right to watch the movie for a Euro, and then you could rent out the pause button for a penny per second. You could sell movies for one price in one country, at another price in another, and so on. The fantasies of those days were like a boring science fiction adaptation of the Old Testament Book of Numbers, a tedious enumeration of every permutation of things people do with information – and what might be charged for each.

Unfortunately for them, none of this would be possible unless they could control how people use their computers and the files we transfer to them. After all, it was easy to talk about selling someone a tune to download to their MP3 player, but not so easy to talk about the right to move music from the player to another device. But how the hell could you stop that once you'd given them the file? In order to do so, you needed to figure out how to stop computers from running certain programmes and inspecting certain files and processes. For example, you could encrypt the file, and then require the user to run a programme that only unlocked the file under certain circumstances.

But, as they say on the internet, now you have two problems.

You must now also stop the user from saving the file while it's unencrypted – which must happen eventually – and you must stop the user from figuring out where the unlocking program stores its keys, enabling them to permanently decrypt the media and ditch the stupid player app entirely.

Now you have three problems: you must stop the users who figure out how to decrypt from sharing it with other users. Now you've got four problems, because you must stop the users who figure out how to extract secrets from unlocking programs from telling other users how to do it too. And now you've got five problems, because you must stop users who figure out how to extract these secrets from telling other users what the secrets were!

That's a lot of problems. But by 1996, we had a solution. We had the WIPO Copyright Treaty, passed by the United Nations World Intellectual Property Organization. This created laws that made it illegal to extract secrets from unlocking programmes, and it created laws that made it illegal to extract media (such as songs and movies) from the unlocking programmes while they were running. It created laws that made it illegal to tell people how to extract secrets from unlocking programs, and it created laws that made it illegal to host copyrighted works or the secrets. It also established a handy streamlined process that let you remove stuff from the internet without having to screw around with lawyers, and judges, and all of that.

And with that, illegal copying ended forever, the information economy blossomed into a beautiful flower that brought prosperity to the whole wide world; as they say on the aircraft carriers, “Mission Accomplished”.

That's not how the story ends, of course, because pretty much anyone who understood computers and networks understood that these laws would create more problems than they could possibly solve. After all, these laws made it illegal to look inside your own computer when it was running certain programmes. They made it illegal to tell people what you found when you looked inside your computer, and they made it easy to censor material on the internet without having to prove that anything wrong had happened. In short, they made unrealistic demands on reality and reality did not oblige them.

Copying only got easier following the passage of these laws – copying will only ever get easier. Right now is as hard as copying will get. Reality asserts itself. These regulations may have broad general appeal but they are disastrous in their implementation. Each regulation begets a new one, aimed at shoring up its own failures.

It's tempting to stop the story here and conclude that the problem is that lawmakers are either clueless or evil, or possibly evilly clueless. But the problem isn't that regulators don't understand information technology, because it should be possible to be a non-expert and still make a good law. MPs and Congressmen and so on are elected to represent districts and people, not disciplines and issues. We don't have a Member of Parliament for biochemistry, and we don't have a Senator from the great state of urban planning. And yet those people – who are experts in policy and politics, not technical disciplines – still manage to pass good rules that make sense. That's because government relies on heuristics: rules of thumb about how to balance expert input from different sides of an issue.

Unfortunately, information technology confounds these heuristics in one important way. The important tests of whether or not a regulation is fit for a purpose are first whether it will work, and second whether or not it will, in the course of doing its work, have effects on everything else. If I wanted Congress, Parliament, or the E.U. to regulate a wheel, it's unlikely I'd succeed. If I turned up, pointed out that bank robbers always make their escape on wheeled vehicles, and asked, “Can't we do something about this?”, the answer would be “No”. This is because we don't know how to make a wheel that is still generally useful for legitimate wheel applications, but useless to bad guys. We can all see that the general benefits of wheels are so profound that we'd be foolish to risk changing them in a foolish errand to stop bank robberies. Even if there were an epidemic of bank robberies – even if society were on the verge of collapse thanks to bank robberies – no-one would think that wheels were the right place to start solving our problems.

However, if I were to show up in that same body to say that I had absolute proof that hands-free phones were making cars dangerous, and I requested a law prohibiting hands-free phones in cars, the regulator might say “Yeah, I'd take your point, we'd do that.”

We might disagree about whether or not this is a good idea, or whether or not my evidence made sense, but very few of us would say that once you take the hands-free phones out of the car, they stop being cars.

We understand that cars remain cars even if we remove features from them. Cars are special-purpose, at least in comparison to wheels, and all that the addition of a hands-free phone does is add one more feature to an already-specialized technology. There's a heuristic for this: special-purpose technologies are complex, and you can remove features from them without doing fundamental, disfiguring violence to their underlying utility.

This rule of thumb serves regulators well, by and large, but it is rendered null and void by the general-purpose computer and the general-purpose network – the PC and the Internet. If you think of computer software as a feature, a computer with spreadsheets running on it has a spreadsheet feature, and one that's running World of Warcraft has an MMORPG feature. The heuristic would lead you to think that a computer unable to run spreadsheets or games would be no more of an attack on computing than a ban on car-phones would be an attack on cars.

And, if you think of protocols and websites as features of the network, then trying to fix the internet so that it doesn't run BitTorrent or fix the internet so that thepiratebay.org no longer resolves doesn't seem all that different from changing the sound of busy signals or taking that pizzeria on the corner off the phone network. Certainly, it doesn't sound like what it actually is: an attack on the fundamental principles of internetworking.

The rule of thumb works for cars, for houses, and for every other substantial area of technological regulation. Not realising that it fails for the internet does not make you evil, and it does not make you an ignoramus. It just makes you part of that vast majority of the world, for whom ideas like Turing completeness and end-to-end are meaningless.

So, our regulators go off, they pass these laws, and they become part of the reality of our technological world. There are, suddenly, numbers that we aren't allowed to write down on the internet, programmes we're not allowed to publish, and all it takes to make legitimate material disappear from the internet is the mere accusation of copyright infringement. It doesn't stop people from violating copyright, but it bears a kind of superficial resemblance to copyright enforcement – it satisfies the security syllogism: “something must be done, I am doing something, something has been done.” As a result, any failures that arise can be blamed on the idea that the regulation doesn't go far enough, rather than the idea that it was flawed from the outset.

Today we have marketing departments that say things such as “we don't need computers, we need appliances. Make me a computer that doesn't run every programme, just a programme that does this specialised task, like streaming audio, or routing packets, or playing Xbox games, and make sure it doesn't run programmes that I haven't authorised that might undermine our profits.”

On the surface, this seems like a reasonable idea: a programme that does one specialised task. After all, we can put an electric motor in a blender, and we can install a motor in a dishwasher, and we don't worry if it's still possible to run a dishwashing programme in a blender. But that's not what we do when we turn a computer into an appliance. We're not making a computer that runs only the “appliance” app; we're taking a computer that can run every programme, then using a combination of rootkits, spyware, and code-signing to prevent the user from knowing which processes are running, from installing her own software, and from terminating processes that she doesn't want. In other words, an appliance is not a stripped-down computer – it is a fully functional computer with spyware on it out of the box.

We don't know how to build a general-purpose computer that is capable of running any programme except for some programme that we don't like, is prohibited by law, or which loses us money. The closest approximation that we have to this is a computer with spyware: a computer on which remote parties set policies without the computer user's knowledge, or over the objection of the computer's owner. Digital rights management always converges on malware.

In one famous incident – a gift to people who share this hypothesis – Sony loaded covert rootkit installers on 6 million audio CDs, which secretly executed programmes that watched for attempts to read the sound files on CDs and terminated them. It also hid the rootkit's existence by causing the computer operating system's kernel to lie about which processes were running, and which files were present on the drive. But that's not the only example. Nintendo's 3DS opportunistically updates its firmware, and does an integrity check to make sure that you haven't altered the old firmware in any way. If it detects signs of tampering, it turns itself into a brick.

Human rights activists have raised alarms over UEFI, the new PC bootloader, which restricts your computer so it only runs “signed” operating systems, noting that repressive governments will likely withhold signatures from operating systems unless they allow for covert surveillance operations.

Similarly, attempts to make a network that can't be used for copyright infringement always converge with the surveillance measures that we know from repressive governments. Consider SOPA, the U.S. Stop Online Piracy Act, which attempted to ban innocuous tools such as DNSSEC – a security suite that authenticates domain name information – because they might be used to defeat DNS blocking measures. It attempted to block Tor, an online anonymity tool sponsored by the U.S. Naval Research Laboratory and used by dissidents in oppressive regimes, because it can be used to circumvent IP blocking measures.

In fact, the Motion Picture Association of America, a SOPA proponent, circulated a memo citing research that SOPA might work because it uses the same measures as are used in Syria, China, and Uzbekistan. It argued that because these measures are effective in those countries, they would work in America too!

It would be easy to see the defeat – or apparently indefinite postponement of SOPA – as a victory for the freedom of PCs and networks. But these copyright wars are just the beta version of a long-coming war on computation. The reality is that copyright legislation got as far as it did precisely because it's not taken seriously by politicians. This is why, on one hand, Canada has had Parliament after Parliament introduce one awful copyright bill after another, but on the other hand, Parliament after Parliament has failed to actually vote on each bill. It's why SOPA, a bill composed of pure stupid and pieced together molecule-by-molecule into a kind of “Stupidite 250” normally only found in the heart of newborn stars, had its rushed-through SOPA hearings adjourned midway through the Christmas break: so that lawmakers could get into a vicious national debate over an important issue, unemployment insurance.

But this is a mistake, because the world we live in today is made of computers. We don't have cars anymore; we have computers we ride in. We don't have airplanes anymore; we have flying Solaris boxes attached to bucketfuls of industrial control systems. A 3D printer is not a device, it's a peripheral, and it only works connected to a computer. A radio is no longer a crystal; it's a general-purpose computer, running software.

Consider radio. Radio regulation until today was based on the idea that the properties of a radio are fixed at the time of manufacture, and can't be easily altered. You can't just flip a switch on your baby monitor and interfere with other signals. But powerful software-defined radios (SDRs) can change from baby monitor to emergency services dispatcher or air traffic controller, just by loading and executing different software. This is why the Federal Communications Commission (FCC) considered what would happen when we put SDRs in the field, and asked for comment on whether it should mandate that all software-defined radios should be embedded in “trusted computing” machines. Ultimately, the question is whether every PC should be locked, so that their programmes could be strictly regulated by central authorities.

Even this is a shadow of what is to come. 2011 saw the debut of both open source shape files for converting AR-15 rifles to full-automatic and crowd-funded open-sourced hardware for genetic sequencing. And while 3D printing will give rise to plenty of trivial complaints, there will be judges in the American South and mullahs in Iran who will lose their minds over people in their jurisdictions printing out sex toys. The trajectory of 3D printing will raise real grievances, from solid-state meth labs to ceramic knives.

It doesn't take a science fiction writer to understand why regulators might be nervous about the user-modifiable firmware on self-driving cars, or limiting interoperability for aviation controllers, or the kind of thing you could do with bio-scale assemblers and sequencers. Imagine what will happen the day that Monsanto determines that it's really important to make sure that computers can't execute programmes which cause specialised peripherals to output custom organisms which literally eat their lunch.

Regardless of whether you think these are real problems or hysterical fears, they are, nevertheless, the political currency of lobbies and interest groups far more influential than Hollywood and big content. Every one of them will arrive at the same place: “Can't you just make us a general-purpose computer that runs all the programmes, except the ones that scare and anger us? Can't you just make us an internet that transmits any message over any protocol between any two points, unless it upsets us?”

There will be programmes that run on general-purpose computers, and peripherals, that will freak even me out. So I can believe that people who advocate for limiting general-purpose computers will find a receptive audience. But just as we saw with the copyright wars, banning certain instructions, protocols or messages will be wholly ineffective as a means of prevention and remedy. As we saw in the copyright wars, all attempts at controlling PCs will converge on rootkits, and all attempts at controlling the internet will converge on surveillance and censorship. This stuff matters because we've spent the last decade sending our best players out to fight what we thought was the final boss at the end of the game, but it turns out it's just been an end-level guardian. The stakes are only going to get higher.

As a member of the Walkman generation, I have made peace with the fact that I will require a hearing aid long before I die. It won't be a hearing aid, though; it will really be a computer. So when I get into a car – a computer that I put my body into – with my hearing aid – a computer I put inside my body – I want to know that these technologies are not designed to keep secrets from me, or to prevent me from terminating processes on them that work against my interests.

Last year, the Lower Merion School District, in a middle-class, affluent suburb of Philadelphia, found itself in a great deal of trouble. It was caught distributing, to its students, rootkitted laptops that allowed remote covert surveillance through the computer's camera and network connection. They photographed students thousands of times, at home and at school, awake and asleep, dressed and naked. Meanwhile, the latest generation of lawful intercept technology can covertly operate cameras, microphones, and GPS transceivers on PCs, tablets, and mobile devices.

Freedom in the future will require us to have the capacity to monitor our devices and set meaningful policies for them; to examine and terminate the software processes that run on them; and to maintain them as honest servants to our will – not as traitors and spies working for criminals, thugs, and control freaks.

This article is based on a keynote speech to the Chaos Computer Congress in Berlin.
