Share and be Shared

One fascinating thing about internet politics is how many different people, not just from different countries and cultures but even from opposing political camps, suddenly find themselves fighting side by side. Libertarians, socialists, anarchists: in this arena there is more to bind than separate them. And one of the ties that bind is a need for the protection of privacy.New media and information technologies have brought modern societies new communicational dimensions and business opportunities. But they have also brought undreamt-of tools for surveillance and control. George Orwell’s ‘Big Brother‘ is often invoked to describe this predicament, but reality tends to be more complex than sci-fi. Our ‘data-bodies’, for example, are abused on a daily basis and our behaviour is subtly manipulated through interventions in the information sphere. But such control originates as much from corporate as political agencies and remains, to a large extent, invisible.

Popular statements like ‘I have nothing to hide, I don’t mind being surveilled’ reflect how uninformed, even apathetic people can be. For some, giving away some personal data in exchange for a few bonus points in a supermarket seems like a fair deal. At the opposite end of the spectrum, there are groups and organisations fighting not only these - privacy’s ‘tip of the iceberg’ crises - but also its worst case scenarios: the Echelons of this world. Organising themselves on regional, national and global levels, these ‘cyberrights’ advocates turn to a range of overlapping artistic, technological and political strategies.

To ask which of these is most effective may be to miss the point. While political strategies focus on educating the public, providing information and counter-information, they are unspectacular. Artistic strategies, on the other hand, seek publicity and can, in more playful ways, raise awareness. Perhaps most dangerous to those ‘behind the scenes’ are the technical strategies, as their various guarantees of security and encryption get in the way of our dependence on (and thus social contract with) ISPs, system administrators and executive organs - precisely those institutions that are integral to contemporary surveillance.

One group generating such serious, technology-based solutions are hackers. Mistrustful of state control, they are working on technological improvements to security and as such represent a big obstacle to the growth of unlimited power at governmental levels. Predictably, the state is fighting back with extreme legislation which universally criminalises hackers’ work. Reframed as ‘cyberterrorism’, it can be understood as a major political crime that threatens state security and justifies serious sentences.

This much is starting to become common knowledge in net politics. So what do the politician, the artist and the technologist do about it? At the recent Hacker conference HAL2001, I posed this question to Andy Müller-Maguhn, Rena Tangens and John Gilmore, three people who - to me - loosely represent these strategies. Müller-Maguhn through his challenge to the Cybercrime Convention, Rena Tangens through projects like the German Big Brother Awards, and John Gilmore through his efforts in strong cryptography.

THE POLITICIAN Andy Müller-Maguhn

ON THE CYBERCRIME CONVENTION

Cornelia Sollfrank: What exactly is the Cybercrime Convention?

Andy Müller-Maguhn: The Cybercrime Convention is a collection of laws which will prohibit direct attacks on computers. But, by extension, they will also criminalise the possession and dissemination of tools for attacks. By law, it will forbid a hacker to write a program to test system weaknesses automatically. Such tools are essential for system administrators to check their systems’ stability.

The Cybercrime Convention goes even further by listing criminal offences in which computers and the internet form only one part of the distribution process. Here, I’m talking about child pornography, or political material which is illegal in one of the participating countries (since the legal situation differs in many countries, this can get quite broad).

The Convention’s conceptual plan for preliminary proceedings is to oblige the accused to hand over the encryption key for his computer data to the police if they think they may find evidence there. If he doesn’t, he will be sentenced – not for what he was originally accused, but for refusing access to evidence.

But these are just a few examples from a now 80 page-long document. Another interesting aspect is the law enforcement treaty, which says that criminal offences are punishable by another country than that in which the accused lives, even if his activity is not illegal in his own country.

CS: Which countries have participated in the preparation of the Cybercrime Convention?

M-M: The Cybercrime Convention is a Council of Europe document. This is an intergovernmental organisation of representatives from 43 member states – not to be confused with the European Union. Besides the 15 European states, Russia and the states of former Yugoslavia are also involved and work on regulations covering social and political problems which, in a next step, can be implemented as national law. One really problematic aspect of the Cybercrime Convention is that the politicians who need to sign it are mostly not very well-informed. They’ve learned about viruses and DoS (Denial of Service) attacks from the media, but haven’t got the slightest clue about how these things work technically. Which is also the reason why they are unable to develop reasonable counter-strategies. Their signing a document which itself is the product of a highly untransparent process will supposedly solve all our security problems. I doubt it. Bluntly put, one could say that the Cybercrime Convention better serves to justify surveillance measures than guarantee computer security.

CS: You consider the politicians who are supposed to sign the convention incompetent. At the same time, you describe a move towards a police state. Who, then, is exerting prime influence here? Who follows which interests?

M-M: Banning tools for attacks in electronic networks is a highly dubious act. It may make sense to forbid conventional weapons (although even there it is questionable whether weapons bans protect us from bank robberies), but in terms of computer networks it’s a completely different story. Here, tools for attacks are the same as tools for security.

CS: I’m still wondering whose interests the Convention will promote.

M-M: In large parts, the Cybercrime Convention reads like the Digital Millennium Copyright Act (DMCA) or the authorisations of the National Infrastructure Protection Centre (NIPC) which means US-American ideas on how to guarantee computer security – not securing systems at a technical level, but by government surveillance. The NIPC, which was founded to protect the national information highways from ‘cyberterrorism’ demonstrates this tendency too. It’s not about helping the operators of networked computer systems by handing out security tools – the right way in my opinion – but about boosting surveillance capabilities in order to be able to react to attacks. This won’t work: it guarantees a police state, not computer security.

CS: The Cybercrime Convention is being signed after the summer break, in mid-September. Are there any plans to take action against the signing?

M-M: Here at HAL we’ve been dealing with the history and nature of the document, together with my British colleague Gus Hosein from the Global Internet Liberty Campaign (GILC), who is much more familiar with it than me. In a small workshop, we discussed strategies appropriate to this, for hackers highly alarming, legislation. We didn’t reach a consensus – nor on how best to address and educate our national politicians and offer an interface to politics. One advantage hackers have is that we do not only know how things work at a technical level, but also deal with this knowledge in an open way. We don’t try to provide security by secrecy, but by merciless revelation. This is the only way to analyse the actual problems and develop reasonable solutions.

Andy Müller-Maguhn <andy AT ccc.de>

THE ARTIST Rena Tangens

ON THE BIG BROTHER AWARDS

Cornelia Sollfrank: I have clear associations with Big Brother. But what is the Big Brother Award?

Rena Tangens: the Big Brother Award is a negative honour. Corporations, organisations and individuals can receive it when they’ve been particularly ‘bad’ during the preceding year and done harm to the private sphere of citizens and consumers. This can happen in different ways, for example through abuse of existing data, the extension or alteration of surveillance or the creation of a structure which opens up new opportunities for abuse. The idea for the award originates in Great Britain, where it was launched by Simon Davies from Privacy International. Despite the Big Brother metaphor’s ‘fame’, we have problems using it. It comes from George Orwell’s 1984 (‘Big Brother is watching you’) and is the metaphor for an all-powerful police state. For us, Big Brother is not just about dangers which originate in a totalitarian regime, but also about those which come from corporations and are often more subtle.

CS: What are the criteria for the award?

RT: We wanted to honour both provable, existing abuse and the potential abuse associated with the development of new technologies. The award isn’t just about denouncing; we really want to have an impact and effect changes. This might happen at different levels, but one of our major concerns is the adoption of legislation for new technologies. Other criteria are the relevance (and dissemination) of a practice, i.e. how easily it can be mediated and imitated.

CS: With respect to technology, is there a preferred field you are dealing with?

RT: No, the categorisation follows content rather than media. There are awards for politics, public services and administration, business and finance, communication, a life-time award for those who misbehave perpetually and incorrigibly; then there is a ‘scene’ award for techies and insiders, and a regional award.

CS: Why did you choose something as formal as an award?

RT: First of all, we want to raise public awareness about the fact that privacy concerns everyone. Then, in order to educate successfully, you have to choose the right means. The award gets a lot of media attention and, by using examples, the nominations and jury explanation can function to illustrate existing dangers.

CS: In Germany we have a relatively good law for data protection. How do the activities you drag out into the open relate to the law? Are they all illegal?

RT: We aren’t here to make sure the laws aren’t broken; that’s the job of the data protection officials. But there is something like a grey area. For example, we can certainly nominate projects which stay within the letter of the law, but which we still find unacceptable. Germany’s data protection laws are good for the time being, but we have to think about what the law should look like in 3-4 years – it has to be updated continually, with the technology.Let’s use a concrete example: in the area of business and finance we honoured the loyalty card system, ‘Payback‘. Payback has 12 million members and is the biggest system in Germany with partners like supermarkets, cinemas, gas stations, department stores, drug stores, book stores, internet providers and an auction house. Merging the data from all different databases allows it to create comprehensive consumer profiles. To participate you have to sign three different things: ‘My details are correct’, ‘I agree with the conditions for participation’, ‘I agree that my details will be used for the purpose of advertisement, market research and marketing.’ By signing these you absolve the company from having to follow data protection law.

CS: What is your personal approach? Where do you see the need for action in the complex and opaque information sphere?

RT: As an artist, I’ve been dealing with computers and networks since 1985. At that time, computers were opening up a new world: we worked on the assumption that the construction of this new world was not yet finished and we could influence its development. Even if you’re not a property developer or construction manager it’s possible to make a mark, to have impact. So we created a platform for all our activities, which is FoeBuD e.V.Our work took different approaches. We built networks which were free and belonged to the people who used them; we collaborated on software to run those networks – Zerberus – and we provided encryption. It was important to keep as much freedom as possible for the users so that they’d not be ruled by techies. This is what the software Zerberus sought to assure. From Zerberus on, the next logical step was PGP (Pretty Good Privacy), because an encryption system on a server was not enough: we required point to point encryption. So we made the German translation for PGP – the accompanying handbook grew and grew with lots of extra information on legislation, data encryption for hard disks, etc.

CS: How do you finance your work, i.e. who funds the Big Brother award?

RT: The first award was supported completely through the resources of our own organisation: mailing, website, public relations, research and documentation. Since then, we’ve applied for public funding from different institutions. Additionally, what we try to communicate is that, at this juncture, it is the task of democracy to preserve privacy. ‘Informational self-determination’ is an essential requirement for the continued existence of democracy.

Rena Tangens <rena AT bionic.zerberus.de>

THE TECHNOLOGIST John Gilmore

ON LINUX SECURITY AND THE EFF

Cornelia Sollfrank: I found a quote of yours which seems to offer a key to the way you handle issues around online civil rights, security, privacy and encryption. It says: ‘I want a guarantee – with physics and mathematics, not just laws – that we can give ourselves things like real privacy of personal communications.’ My interpretation of this would be, that your strategy is mainly based on technological – not so much political – solutions.

John Gilmore: I think governmental and legal policy should be created on the basis of what technology can and cannot do. Where technology can provide privacy, or can provide wide public access, or whatever, you should be able to rely on technology to do so. Where technology can’t, that’s where you have to rely on laws.

CS: What concrete projects do you have to achieve this?

JG: I am leading and funding the creation of an IP security software for Linux. For those who choose to run it, this automatically provides privacy of communication across the internet. We have a team of four or five programmers, a manager and a tech writer. They are all paid by me and all the software is given away on the net.

CS: How will this software work? What does it do?

JG: The IPSEC software encrypts each packet that flows across your internet connection if it’s going to a place that also supports the IPSEC protocol. It is compatible with IPSEC implementations from other major vendors, such as Cisco. Our software is now in its tenth release. In earlier versions, you had to manually set up both ends of each encrypting connection, but in this version we have begun an ‘opportunistic’ protocol, in which each end can merely be configured once, and then future communication attempts from compatible sites will automatically encrypt the packets. Note that IPSEC doesn’t keep your data secure or private on your computer itself; it merely prevents wiretapping or modification as the data crosses the internet.

CS: Is there any other project you want to mention?

JG: Sure, I am on the board of the Electronic Frontier Foundation and my major campaign there is working on the conflict between freedom and intellectual property protection. We are defending 2600 Magazine, Professor Ed Felton, and working on the case of Dmitry Sklyarov, all of whom are threatened under a peculiarly bad law which was passed several years ago, called DMCA, Digital Millennium Copyright Act.

CS: The EFF is a US-American organisation, focusing on American matters. We do not have a comparable organisation in or for Europe.

JG: That’s true. Many people at this conference are talking about creating something like an EFF for Europe.

CS: How did EFF start?

JG: It was founded by Mitch Kapor, one of the founders of Lotus, John Perry Barlow and some other people. Mitch was getting frustrated at learning how the government was dealing with technology and how they were chasing after teenagers who were using BBS (Bulletin Board Systems), and really hadn’t done much if anything wrong. EFF is a non-profit organisation which has existed for 11 years now and has a budget of about 1-2 million dollars a year.

CS: Do you have partners?

JG: We always work together with other groups. In the United States we work with the American Civil Liberties Union, with the Electronic Privacy Information Centre, the Centre for Democracy and Technology. Internationally, there is a whole global alliance of liberty groups called GILC, Global Internet Liberty Campaign. It’s made up of probably 40 or 50 organisations all over the world. We coordinate policies and make joint statements about global problems, internet policy, etc.

CS: I see a conflict between national laws and global activity in this area. Do you think the GILC is covering this problematic sufficiently? Or is there something missing in such an organisational structure?

JG: Most of these organisations are only run by volunteers. They have neither the time nor money to oppose initiatives by major governments or companies that are harmful to the public. So what’s really missing, particularly in Europe, is an organisation that knows enough about raising money to pay people to work on these issues full time. It’s a unique situation here in Europe: you have all these national governments, which traditionally make their own rules, and now there is a new government trying to impose a new layer of influence and control. Clearly, everybody who wants to influence legislation in Europe should try to influence it at the level of the EU as they won’t have to do the work in 15 individual countries. The EU offers great opportunities for corruption. So far, there is not much of an organised effort to oppose it.

CS: You once said, privacy is a means...

JG: a means to an end, right. And the end is to be left alone. To be who you wanna be.

John Gilmore <gnu AT eff.org>

Artist Cornelia Sollfrank <corneliaATsnafu.de> [http://www.obn.org/sollfrank] lives in Hamburg, Germany, and deals with the relationship between art and politics, gender-specific uses of technology and the changing image of the artist in the information age. She was a member of the artist groups ‘frauen-und-technik’ and ‘-Innen’, and initiated the cyberfemininist organisation ‘old boys network’ [http://www.obn.org]

Andy Müller-Maguhn is a hacker, journalist and consultant, based in Berlin. He is spokesman of German hackers association the Chaos Computer Club (CCC [http://www.ccc.de]) and an elected board member of ICANN (Internet Corporation for Assigned Names and Numbers [http://www.icann.org]. See Mute 20)

Rena Tangens is an artist based in Bielefeld, Germany. She co-founded the gallery ‘art d’ameublement’ with padeluun and is one of the initiators of FoeBuD e.V. [http://www.foebud.org], a non-profit association supporting public data traffic, ‘democracy-compatible’ technological design and the German Big Brother awards

John Gilmore [http://www.toad.com/gnu] describes himself as a technologist who learned about business and became successful. In the guise of entrepreneur, hacker, programmer, cypherpunk and libertarian, he has since focused on civil liberties. More on Linux FreeS/WAN at [http://www.freeswan.org]

European Council [http://www.coe.int]Global Internet Library Campaign [http://www.gilc.org]National Infrastructure Protection Committee [http://www.nipc.gov]

Big Brother Awards Germany [http://www.bigbrotherawards.de]FoeBuD e.V [http://www.foebud.org]

For free software, overviews and details of Linux FreeS/WAN [http://www.freeswan.org]