I'm not old. I was born in 1989. I started programming around 1999. The Internet sure did exist back then, but I was 10, and my parents weren't keen on having me just go exploring. Besides, it was dial-up—you couldn't go search real quick; especially if someone was on the phone. Using the Internet was an _event_, and an exciting one at that, listening to those dial tones, logging in using that old Prodigy dialog. Back then you had Dogpile and Ask Jeeves. Most sites I'd visit by name; usually that was GameFAQs or CNET download.com, because those are the sites my friend told me about when he introduced me to the Internet.

I'm entirely self-taught. I didn't know any programmers. I didn't have contact with any. I told my parents that I wanted to learn how to program and they skeptically brought me to Barnes and Noble where we picked out Learn to Program with Visual Basic 6 by John Smiley (gasp yes I started as a Windows programmer). It came with a VB6 CD that for a while I was convinced could only run the book examples, because I had no idea what I was doing. I struggled. I tinkered. Hacker culture was on the complete opposite end of where I was, but by the time I discovered it years later, I felt like I finally found myself—I finally discovered who I was. The struggle made me a hacker.

It's easy to half-ass it today. It's easy to simply say "eh I can Google it" and forego committing knowledge. But it also makes it easy to gain knowledge, for those who do care to do so. It makes trivia easy. It makes discovery easy. It also exposes people to subcultures quickly and demands conformance to stereotypes and norms before one can discover _themselves_. Who would I be today without having to struggle for myself rather than someone else _telling_ me who I am, and what I do?

This is more than just technical knowledge. This is the difference between dropping a child off in the wild or dropping them off at the local scouts. And at least scouts will discover themselves together. With the Internet, you absorb a body of existing knowledge; you _rediscover others_, not yourself. You often read blogs containing opinions of others, not books or manuals.

That's not to say that you can't learn on your own. Many still do. Many focus on manuals and books and source code rather than social media. It's sure hard, though, when everything is integrated as such. Social media can be beneficial—you do want communication and collaboration. I sure as hell want to communicate with others. Opinions of others are deeply important too. Some of the best things I've read are on blogs, not in books. But I've already found my niche. I've found myself. I wasn't tainted or manipulated—I learned in a world of proprietary software where developing license systems was fun and emerged a free software activist. Because I was forced to look inward, not post on Stack Overflow or HN or Reddit expecting a hand-guided tour or `dd` of thoughts (okay, you're not getting that on HN).

Not everyone needs to be a passionate hacker or developer. Really, the world needs both. And based on what I've seen being pumped out of schools and universities, the self-taught are generally better off either way. The vast resources available to modern programmers make many tasks easier and cheaper, though it also increases maintenance costs if all the programmer is doing is using code snippets or concepts without actually grokking them. But this is what most of the world runs off of.

Let yourself struggle. Go offline. Sit down with a print book and get out a pen and take notes in the margin, write out your ideas. Getting syntax errors in your editor or REPL? Figure it out! Or maybe consult the manual, or the book you're reading. Don't search for the solution. When I learned Algebra in middle school, I had little interest, and forgot all of it. Years later, I needed it as a foundation for other things. I discovered the rules for myself on pen and paper. Not only do I remember it now (or can rediscover on a whim), but I understand _why_ it works the way it does. I've had those epiphanies. It's easy to miss the forest for the trees when you don't gain that essential intuition to help yourself out. And the forest is vast and beautiful.

[hn]: https://news.ycombinator.com/item?id=14339293

It begins with arbitrary code execution (CVE-2016-4655)^[4655] by exploiting a memory corruption vulnerability in WebKit, which downloads a payload unknown to the user. That payload is able to bypass KASLR and determine the kernel memory location (CVE-2016-4656)^[4656], then allowing it to exploit a memory corruption vulnerability in the kernel itself (CVE-2016-4657)^[4657]; this "jailbreaks" the device and is a complete compromise of the system.

This payload is [Pegasus][paper], a complex surveillance tool sold to governments, often used for espionage. In this case, Monsoor received a suspicious text message and wisely [tipped off Citizen Lab][cl] rather than opening the presented link. Had he done so, he would have unknowingly downloaded this spyware that could very well have put his life in extreme danger: it has the capability to track his location; record his calls and texts; record communications through software like WhatsApp and Skype; download his contact information; grab passwords and encryption keys from his keyring; and much more.

This malware was written by [NSO Group][], which is so poorly known that their [Wikipedia page didn't even exist until today][nso-wikipedia]. The software company is based in Israel, founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. They were purchased in 2014 by [Francisco Partners][], a private equity firm in the United States, for $110 million. They exist to sell exploits to governments.

Anyone familiar with security research is aware of [responsible disclosure][]: it is a model whereby researchers who discover a vulnerability release their research publicly only _after_ they notify the authors of the software, and a patch mitigating the vulnerability has been released. This is what Citizen Lab did—Apple [fixed the vulnerability][apple] in iOS 9.3.5.[^rms-apple] This is not what NSO Group does: Instead, they horde their exploits[^0day] and sell them to governments as weapons for surveillance or espionage. In this case, the United Arab Emirates (or so it seems). This is not only unethical, but to sell to a government that is known for this type of abuse is inexcusable and negligent—the people behind NSO Group are absolute scum.[^scum] They are empowering a foreign government known for their civil and human rights abuses. I have trouble finding words.

There is much more that can be said on this topic with respect to security, civil and human rights, and various other topics. But I don't want to distract from the topic at hand. Let this sink in. Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper]. Today I leave my soapbox be.

[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ [Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor [paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf

^[4655] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655

^[4656] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656

^[4657] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657 [NSO Group]: https://en.wikipedia.org/wiki/NSO_Group [nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history [Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners [responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure [apple]: https://support.apple.com/en-us/HT207107

[^rms-apple]: I [can't recommend that you use Apple devices](https://stallman.org/apple.html), but if you do, you should upgrade immediately; you are vulnerable to exploitation by simply visiting a malicious webpage.

[^0day]: Called 0-days, because they haven't been disclosed and there has been no time to prepare or release a fix.

[^scum]: For other scum, see the organization behind [FinFisher][]; and the group [Hacking Team][].

[FinFisher]: https://en.wikipedia.org/wiki/FinFisher [Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team

Common sense says no. In another case this week—[Facebook v. Power Ventures][fvp]—the same court (though a different panel of judges) stepped back from the original decision and stated that computer _users_ can indeed provide authorization. This authorization holds even if the service's Terms of Service say otherwise. Yet: the computer owner (in this case, Facebook) can revoke authorization, which takes precedence over any authorization provided by a user of that system. So with a seemingly magical incantation, a benign situation can be made into a federal crime, just like that.

These situations highlight dangerous confusion over the interpretation of an already dangerously vague law. The CFAA is the law that was used to prosecute Aaron Swartz for federal "crimes"—with a punishment of up to thirty-five years in prison—for liberating documents hosted on JSTOR. Because of this [draconian threat][eff-punish], [Aaron committed suicide][aaron] on January 11th, 2013.

The CFAA already has blood on its hands; it needs to be reined _in_, not be given further broad powers. So don't take news of the decisions in US v. Nosal and Facebook v. Power Ventures as canceling one-another out; things may appear the same for now, but serious problems still need to be resolved.

[cfaa]: https://www.eff.org/issues/cfaa [cfaa-passwd]: https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit [cfaa-back]: https://www.eff.org/deeplinks/2016/07/ninth-circuit-panel-backs-away-dangerous-password-sharing-decision-creates-even [uvn]: https://www.eff.org/cases/u-s-v-nosal [fvp]: https://www.eff.org/cases/facebook-v-power-ventures [eff-punish]: https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime [aaron]: https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz

DRM is a scheme by which tyrants use [antifeatures]] to lock down what users are able to do with their systems, often cryptographically. For example, your media player might tell you how many times you can listen to a song, or watch a video, or read a book; it might [delete books^[1984] that you thought you owned; it might require that you are [always online][always-on] when playing a game, and then stop working when you disconnect, or when they decide to stop supporting the game. If you try to circumvent these locks, then you might be [called a pirate][pirate] and be thrown in prision under the ["anti-circumvention" privisons of the Digital Millenium Copyright Act (DMCA)][dmca]. These are all things [that have been long predicated][right-to-read], and are only expected to get worse with time.

That is, unless we take a stand and fight back.

I had the pleasure of participating in the [largest ever protest against the W3C][w3c-protest] and their attempts to introduce DRM as a _web standard_ via the [Encrypted Media Extensions (EME)][eme] proposal.[^photos] This event was organized beautifully by Zak Rogoff of the [Free Software Foundation][fsf] and began just outside the Strata Center doors where the W3C was _actively meeting_, and then continued to stop outside the Google and Microsoft offices, both just blocks away. We were [joined outside Microsoft][eff-protest] by Danny O'Brien, the EFF's International Director, who stepped out of the W3C meeting to address the protesters.

Afterward, most of us [traveled to the MIT Media Lab][media-lab] where Richard Stallman—who joined us in the protest—sat on a panel along with Danny O'Brien, Joi Ito of the MIT Media Lab, and Harry Halpin of the W3C. The W3C was invited to participate in a discussion on EME, but they never showed. As a demonstration of the severity of these issues, [Harry Halpin vowed to resign from the W3C][hh-resign] if the EME proposal ever became a W3C Recommendation.

I can say without hesitation that the protest and following discussion were some of the most powerful and memorable events of my life—there is no feeling like being a part of a group that shares such a fundamental passion (and distaste!) for something important.

And it _is_ very important.

[DRM is pervasive][dbd]—the Web is just one corner where it rears its ugly head. The [International Day Against DRM][day-drm] gives you and others an excellent opportunity to hold your own protests, demonstrations, and events to raise these issues to others—and to do so as part of an _international group_; to send a strong, world-wide message: a message that it is _not_ acceptable to act as tyrants and treat users as slaves and puppets through use of digital handcuffs and [draconian punishments for circumventing them][dmca].

[^photos]: The EFF has some [great photots][eff-protest]; I'm the one in the hoodie between the giant GNU head and Zak Rogoff.

[day-drm]: https://www.defectivebydesign.org/dayagainstdrm [drm]: https://www.defectivebydesign.org/what_is_drm_digital_restrictions_management [antifeatures]: https://www.fsf.org/bulletin/2007/fall/antifeatures/ [lp2016]: https://libreplanet.org/2016/ [w3c-protest]: https://www.defectivebydesign.org/from-the-web-to-the-streets-protesting-drm [eme]: https://w3c.github.io/encrypted-media/ [eff-protest]: https://w3c.github.io/encrypted-media/ [w3c]: https://www.w3.org/ [fsf]: https://fsf.org/ [media-lab]: https://motherboard.vice.com/read/we-marched-with-richard-stallman-at-a-drm-protest-last-night-w3-consortium-MIT-joi-ito [hh-resign]: https://www.defectivebydesign.org/blog/w3c_staff_member_pledges_resignation_if_drm_added_web_standards [dmca]: https://www.eff.org/issues/dmca [dbd]: https://www.defectivebydesign.org/

^[1984] https://www.defectivebydesign.org/amazon-kindle-swindle [always-on]: https://en.wikipedia.org/wiki/Always-on_DRM [right-to-read]: https://www.gnu.org/philosophy/right-to-read.en.html [pirate]: https://www.eff.org/deeplinks/2015/02/go-prison-sharing-files-thats-what-hollywood-wants-secret-tpp-deal

Before we can discuss this subject, we need to clarify some terminology: We have a [free/libre][free-sw] operating system called [GNU][gnu]. Usually, it's used with the kernel Linux, and is together called the [GNU/Linux (or GNU+Linux) operating system][gnulinux]. But that's not always the case. For example, GNU can be run with its own kernel, [The GNU Hurd][hurd] (GNU/Hurd). It might be run on a system with a BSD kernel (e.g. GNU/kFreeBSD). But now, we have a situation where we're taking GNU/Linux, removing Linux, and adding in its place a Windows kernel. This combination is referred to as GNU/kWindows (GNU with the Windows kernel added).[^kwindows]

GNU values users' freedoms. Windows [does exactly the opposite][woe].

When users talk about the operating system "Linux", what they are referring to is the [GNU operating system][gnu] with the kernel Linux added. If you are using the GNU operating system in some form, then many of the programs you are familiar with on the command line are GNU programs: `bash`, `(g)awk`, `grep`, `ls`, `cat`, `bc`, `tr`, `gcc`, `emacs`, and so on. But GNU is a fully free/libre Unix replacement, [not just a collection of GNU programs][gnu]. Linux is the kernel that supports what the operating system is trying to do; it provides what are called system calls to direct the kernel to perform certain actions, like fork new processes or allocate memory. This is an important distinction—not only is calling all of this software "Linux" incorrect, but it discredits the project that created a fully free/libre Unix replacement—[GNU][gnu].

This naming issue is so widespread that [most users would not recognize what GNU is][gnu-noheard], even if they are _using_ a [GNU/Linux][gnulinux] operating system. I recently read an article that referred to GNU Bash as "Linux's Bash"; this is simply a slap in the face to all the hackers that have for the past 26 years been writing what is one of today's most widely used shells on Unix-like systems (including on [Apple's][apple] proprietary Mac OSX), and all the other GNU hackers.

Microsoft and Canonical have apparently been working together to write a subsystem that translates Linux system calls into something Windows will understand—a compatibility layer. So, software compiled to run on a system with the kernel Linux will work on Windows through system call translation. Many articles are calling this "Linux on Windows". This is a fallacy: the kernel Linux is not at all involved! What we are witnessing is the [_GNU_ operating system][gnu] running with a Windows kernel _instead_ of Linux.

This is undoubtedly a technical advantage for Microsoft—Windows users want to do their computing in a superior environment that they might be familiar with on [GNU/Linux][gnulinux] or other Unix-like operating systems, like [Apple's][apple] freedom-denying Mac OSX. But thinking about it like this is missing an essential concept:

When users talk about "Linux" as the name of the operating system, they avoid talking about [GNU][gnu]. And by avoiding mention of GNU, they are also avoiding discussion of the core principles upon which GNU is founded—the belief that all users deserve [software granting _four essential freedoms_][free-sw]: the freedom to use the program for any purpose; the freedom to study the program and modify it to suit your needs (or have someone do it on your behalf); the freedom to share the program with others; and the freedom to share your changes with others. We call software that respects these four freedoms [_free/libre software_][free-sw].

Free software is absolutely essential: it ensures that _users_, who are the most vulnerable, are in control of their computing—not software developers or corporations. Any program that denies users any one of their [four freedoms][free-sw] is _non-free_ (or _proprietary_)—that is, freedom-denying software. This means that any non-free software, no matter its features or performance, will [_always_ be inferior to free software][oss] that performs a similar task.

Not everyone likes talking about freedom or the [free software philosophy][free-sw]. This disagreement resulted in the ["open source" development methodology][oss], which exists to sell the benefits of free software to businesses without discussing the essential ideological considerations. Under the "open source" philosophy, if a non-free program provides better features or performance, then surely it must be "better", because they have outperformed the "open source" development methodology; non-free software isn't always considered to be a bad thing.

So why would users want to use GNU/kWindows? Well, probably for the same reason that they want GNU tools on Mac OSX: they want to use software they want to use, but they also want the technical benefits of GNU that they like. What we have here is the ["open source" philosophy][oss]—because if the user truly valued her freedom, she would use a [fully free operating system like GNU/Linux][gnulinux-distros]. If a user is _already_ using Windows (that is, before considering GNU/kWindows), then she does gain some freedom by installing GNU: she has more software on her system that respects her freedoms, and she is better off because of that.

But what if you're using GNU/Linux today? In that case, it is a major downgrade to switch to a GNU/kWindows system; by doing so, you are [surrendering your freedom to Microsoft][woe]. It does not matter how many shiny features Microsoft might introduce into its [freedom-denying surveillance system][woe]; an [operating system that respects your freedoms][gnulinux-distros] will _always_ be a superior choice. We would do our best to dissuade users from switching to a GNU/kWindows system for the technical benefits that GNU provides.

So we have a couple different issues—some factual, some philosophical:

Firstly, please don't refer to GNU/kWindows as "Linux on Windows", or any variant thereof; doing so simply propagates misinformation that not only confounds the situation, but discredits the thousands of hackers working on the [GNU operating system][gnu]. It would also be best if you avoid calling it "Ubuntu on Windows"; it isn't a factually incorrect statement—you are running Ubuntu's distribution of GNU—but it still avoids mentioning the [GNU Project][gnu]. If you want to give Ubuntu credit for working with Microsoft, please call it "Ubuntu GNU/kWindows" instead of "Ubuntu". By mentioning GNU, users will ask questions about the project, and might look it up on their own. They will read about [the free software philosophy][free-sw], and will hopefully begin to understand these issues—issues that they might not have even been aware of to begin with.

Secondly, when you see someone using a GNU/kWindows system, politely ask them why. Tell them that there is a _better_ operating system out there—the [GNU/Linux operating system][gnu]—that not only provides those technical features, but also provides the feature of _freedom_! Tell them what [free software][free-sw] is, and try to relate it to them so that they understand why it is important, and even practical.

It's good to see more people benefiting from GNU; but we can't be happy when it is being sold as a means to draw users into an otherwise [proprietary surveillance system][woe], without so much as a mention of our name, or [what it is that we stand for][gnu].

[^kwindows]: This name comes from [Richard Stallman][rms], founder of the [GNU Project][gnu].

[gnu]: https://gnu.org/gnu/gnu.html [free-sw]: https://gnu.org/philosophy/free-sw.html [woe]: https://www.gnu.org/proprietary/malware-microsoft.en.html [hurd]: https://gnu.org/software/hurd/ [oss]: http://www.gnu.org/philosophy/open-source-misses-the-point.html [gnulinux]: https://www.gnu.org/gnu/linux-and-gnu.html [gnulinux-distros]: https://www.gnu.org/distros/free-distros.html [apple]: https://stallman.org/apple.html [rms]: https://www.fsf.org/about/staff-and-board [gnu-noheard]: https://gnu.org/gnu/gnu-users-never-heard-of-gnu.html

Sure enough, we have our first peak: [the software that Facebook has you install for the Occulus Rift is spyware][fb-spy], reporting on what unrelated software you use on your system, your location (including GPS data and nearby Wifi networks), the type of device you're using, unique device identifiers, your movements while using the VR headset, and more.

This is absurd. Do not play into Facebook's games through temptation of cool new technology; reject their terms and see if there's other ways you can use the headset without their proprietary spyware. If not, perhaps you should ask for a refund, and tell them why.

[rms-fb]: https://stallman.org/facebook.html#privacy [fb-vr]: http://www.theguardian.com/technology/2014/jul/22/facebook-oculus-rift-acquisition-virtual-reality [fb-spy]: http://uploadvr.com/facebook-oculus-privacy/

[Warrant canaries][canary] are used to circumvent gag orders by stating that requests have not been received, under the [legal theory][court] that, while courts can compel persons not to speak, they can't compel them to lie. [Reddit's canary has died][reddit-report]—the canary is absent from their most recent 2015 transparency report, where it was [present in the 2014 report][reddit-report-2014].

Does this mean that you should stop using Reddit? No; canaries are an important transparency method. If you are worried about your privacy, you shouldn't disclose the information to a third party to begin with. Note that this includes metadata that are gathered about you when you, for example, browse subreddits while logged in. You can help mitigate that by [browsing anonymously using Tor][donot], being sure never to log in during the same session.

The website [Canary Watch][cw] is a website that tracks warrant canaries.

I'm awaiting further analysis after the weekend.

[schneier]: https://www.schneier.com/blog/archives/2016/04/reddits_warrant.html [nsl]: https://en.wikipedia.org/wiki/National_Security_Letter [canary]: https://en.wikipedia.org/wiki/Warrant_canary [cw]: https://www.canarywatch.org/ [court]: https://gigaom.com/2014/10/10/are-warrant-canaries-legal-twitter-wants-to-save-techs-warning-signal-of-government-spying/ [reddit-report]: https://web.archive.org/web/20160331210850/https://www.reddit.com/wiki/transparency/2015 [reddit-report-2014]: https://web.archive.org/web/20160331204815/https://www.reddit.com/wiki/transparency/2014 [donot]: https://www.whonix.org/wiki/DoNot

> Imagine a world where surveillance is the default and users must opt-in to > privacy. Imagine that your every action is logged and analyzed to learn > how you behave, what your interests are, and what you might do next. > Imagine that, even on your fully free operating system, proprietary > software is automatically downloaded and run not only without your > consent, but often without your knowledge. In this world, even free > software cannot be easily modified, shared, or replaced. In many cases, > you might not even be in control of your own computing -- your actions and > your data might be in control by a remote entity, and only they decide > what you are and are not allowed to do. > > This may sound dystopian, but this is the world you're living in right > now. The Web today is an increasingly hostile, freedom-denying place that > propagates to nearly every aspect of the average users' lives -- from > their PCs to their phones, to their TVs and beyond. But before we can > stand up and demand back our freedoms, we must understand what we're being > robbed of, how it's being done, and what can (or can't) be done to stop > it.

There are a number of other [great sessions][lp2016] this year from a [number of speakers][lp2016s], many well-known. We also have an opening keynote from Edward Snowden!

All [FSF associate members get free entry][fsfmember]. If you can't join us, the conference will be streamed live. You can also see [videos of past talks][lpvideos] on the FSF's self-hosted [GNU MediaGoblin][goblin] instance.

Special thanks to the FSF for covering a large portion of my travel expenses; I otherwise might not have been able to attend. Thank you to all who donated to the conference scholarship fund.

[lp2016]: https://www.libreplanet.org/2016/program/ [lp2016s]: https://www.libreplanet.org/2016/program/speakers.html [fsfmember]: https://crm.fsf.org/join [lpvideos]: https://media.libreplanet.org/ [goblin]: http://mediagoblin.org/

Back in May of of 2015, I [announced GitLab's liberation of their Enterprise Edition JavaScript][ggfs] and made some comments about GitLab's course and approach to software freedom. In liberating GitLab EE's JavaScript, all code served to the browser by GitLab.com's GitLab instance was [Free (as in freedom)][free-sw], except for one major offender: Google Analytics.

Since Google Analytics was not necessary for the site to function, users could simply block the script and continue to use GitLab.com [ethically][free-sw]. However, encouraging users to visit a project on GitLab.com while knowing that it loads Google Analytics is a problem both for users' freedoms, and for their privacy.

GitLab is more than service and front-end to host Git repositories; it has a number of other useful features as well. Using those features, however, would mean that GitLab.com is no longer just a mirror for a project—it would be endorsed by the project's author, requiring that users visit the project on GitLab.com in order to collaborate. For example, if an author were to use the GitLab issue tracker on GitLab.com, then she would be actively inviting users to the website by telling them to report issues and feature requests there.

We cannot realistically expect that anything more than a minority of visitors will know how to block Google Analytics (or even understand that it is a problem). Therefore, if concerned authors wanted to use those features of GitLab, they had to use another hosted instance of GitLab, or host their own. But the better option was to encourage GitLab.com to remove Google Analytics entirely, so that _all_ JavaScript code served to the users is [Free][free-sw].

GitLab has chosen to actively [work with the Free Software movement][ggfs]—enough so that they are now considered an [acceptable host for GNU projects][gitlab-gnu-criteria] according to [GNU's ethical repository criteria][gnu-repo-criteria]. And they have chosen to do so again—headed by Sytse Sijbrandij (GitLab Inc. CEO), Google Analytics has been removed from the GitLab.com instance and replaced with [Piwik][piwik].

## More Than Just Freedom This change is more than a commitment to users' freedoms—it's also a commitment to users' privacy that cannot be understated. By downloading and running Google Analytics, users are being infected with some of the most [sophisticated examples of modern spyware][ga-wikipedia]: vast amounts of [personal and behavioral data][ga-google] are sent to Google for them to use and share as they wish. Google Analytics also tracks users across [many different websites][ga-popularity], allowing them to discover your interests and behaviors in ways that users themselves may not even know.

GitLab.com has committed to using [Piwik][piwik] on their GitLab instance, which [protects users' privacy][piwik-privacy] in a number of very important ways: it allows users to opt out of tracking, anonymizes IP addresses, retains logs for limited time periods, respects [DoNotTrack][eff-dnt], and more. Further, all logs _will be kept on GitLab.com's own servers_, and is therefore governed solely by [GitLab.com's Privacy Policy][gitlab-privacy]; this means that other services will not be able to use these data to analyze users' behavior on other websites, and advertisers and others will know less about them.

Users should not have to try to [anonymize themselves][eff-ssd] in order to maintain their privacy—privacy should be a default, and a respected one at that. GitLab has taken a strong step in the right direction; I hope that others will take notice and do the same.

Are you interested in helping other websites liberate their JavaScript? Consider [joining the FSF's campaign][freejs], and [please liberate your own][whyfreejs]!

[gitlab-merge]: https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/1094 [eff-dnt]: https://www.eff.org/dnt-policy [eff-ssd]: http://ssd.eff.org/ [freejs]: https://fsf.org/campaigns/freejs [free-sw]: https://www.gnu.org/philosophy/free-sw.html [ga-google]: https://www.google.com/analytics/standard/features/ [ga-popularity]: http://w3techs.com/technologies/overview/traffic_analysis/all [ga-wikipedia]: https://en.wikipedia.org/wiki/Google_Analytics [ggfs]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/ [gitlab-featurse]: https://about.gitlab.com/features/ [gitlab-gnu-criteria]: https://lists.gnu.org/archive/html/repo-criteria-discuss/2015-11/msg00012.html [gitlab-privacy]: https://about.gitlab.com/privacy/ [gnu-repo-criteria]: https://www.gnu.org/software/repo-criteria.html [mtg]: http://mikegerwitz.com/ [piwik]: https://piwik.org/ [piwik-privacy]: https://piwik.org/privacy/ [whyfreejs]: https://www.gnu.org/software/easejs/whyfreejs.html

[GNU Social](https://gnu.org/software/social/) is a federated social network—you can host your own instances and they all communicate with one-another. You can find mine at the top of this page under "Notices", or at [https://social.mikegerwitz.com/](https://social.mikegerwitz.com/). I will be using this site to post much more frequent miscellaneous notices.

This is a huge violation of user privacy and trust. Further, it shows that an ISP (and probably others) feel that they have the authority to dictate what is served to the user on a free (as in speech) Internet. Why should we believe that they won't start injecting other types of scripts that spy on the user or introduce advertising? What if a malicious actor compromises Comcast's servers and serves exploits to users?

It is no surprise that Comcast is capable of doing this—they know the IP address of the customer, so they are able to intercept traffic and alter it in transit. But the fact that they _can_ do this demonstrates something far more important: _that they have spent the money on the infrastructure to do so_!

Comcast isn't the only ISP to have betrayed users by injecting data. One year ago, it was discovered that [Verizon was injecting "perma-cookies" into requests to track users][verizon]. This is only one example of the insidious abuses that unchecked ISPs can take.

So what can you do to protect yourself?

What Comcast is doing is called a [man-in-the-middle (MITM) attack][mitm]: Comcast sits in the middle of you and your connection to the website that you are visiting, proxying your request. Before relaying the website's response to you, it modifies it.

In order to do this, Comcast needs to be able to read your communications, and must be able to modify them: the request must be read in order to determine how the JavaScript should be injected and what request it should be injected into; and it must be modified to perform the injection. It cannot (given a properly configured web server) do so if your connection is encrypted. In the case of web traffic, `https` URLs with the little lock icon in your web browser generally indicates that your communications are encrypted, making MITM attacks unlikely.

(We're assuming that Comcast won't ask you to install a root CA so that they can decrypt your traffic! But that would certainly be noticed, if they did so on a large enough scale.)

Not all websites use SSL. Another method is to use encrypted proxies, VPNs, or services like like [Tor][tor]. This way, Comcast will not be able to read or modify the communications.

See also: [HackerNews discussion][hn]; [original Reddit discussion][reddit].

[js]: https://gist.github.com/Jarred-Sumner/90362639f96807b8315b [verizon]: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh [mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack [hn]: https://news.ycombinator.com/item?id=10592775 [reddit]: https://www.reddit.com/r/HuntsvilleAlabama/comments/35v4sn/comcast_is_injecting_bad_javascript_to_your/ [tor]: https://tor.org/

In early March of this year, it was announced that GitLab would acquire Gitorious^[0] and shut down `gitorious.org` by 1 June, 2015. Reactions from the community^[1] were mixed, and understandably so: while GitLab itself is a formidable alternative to wholly proprietary services, its acquisition of Gitorious strikes a chord with the free software community that gathered around Gitorious in the name of software freedom^[2].

<!-- more -->

After hearing that announcement, as a free software hacker and activist myself^[11], I was naturally uneasy. Discussions of alternatives to Gitorious and GitLab ensued on the `libreplanet-discuss`^[12] mailing list. Sytse Sijbrandij (GitLab B.V. CEO) happened to be present on that list; I approached him very sternly^[13] with a number of concerns, just as I would with anyone that I feel does not understand certain aspects of the free software philosophy^[2]. To my surprise, this was not the case at all.

Sytse has spent a lot of time accepting and considering community input for both the Gitorious acquisition and GitLab itself. He has also worked with me to address some of the issues that I had raised. And while these issues won't address everyone's concerns, they do strengthen GitLab's commitment to software freedom^[2], and are commendable.

I wish to share some of these details here; but to do so, I first have to provide some background to explain what the issues are, and why they are important.

## Free Software Ideology Gitorious^[3] was (and still is) one of the most popular Git repository hosts, and largely dominated until the introduction of GitHub. But even as users flocked to GitHub's proprietary services^[28], users who value freedom continued to support Gitorious, both on `gitorious.org` and by installing their own instances on their own servers. Since Gitorious is free software^[2], users are free to study, modify, and share it with others. But software freedom does not apply to Services as a Software Substitute (SaaSS)^[4] or remote services—you cannot apply the four freedoms^[2] to something that you do not yourself possess—so why do users still insist on using `gitorious.org` despite this?

The matter boils down to supporting a philosophy: The GNU General Public License (GPL)^[6] is a license that turns copyright on its head: rather than using copyright to restrict what users can do with a program, the GPL instead ensures users' freedoms^[8] to study, modify, and share it. But that isn't itself enough: to ensure that the software always remains free (as in freedom), the GPL ensures that all derivatives are also licensed under similar terms. This is known as copyleft^[9], and it is vital to the free software movement.

Gitorious is licensed under the GNU Affero General Public License Version 3 (AGPLv3)^[5]—this takes the GPL^[6] and adds an additional requirement: if a modified version of the program is run on a sever, users communicating with the program on that server must have access to the modified program's source code. This ensures that modifications to the program are available to all users^[7]; they would otherwise be hidden in private behind the server, with others unable to incorporate, study, or share them. The AGPLv3 is an ideal license for Gitorious, since most of its users will only ever interact with it over a network.

GitLab is also free software: its Expat license^[10] (commonly referred to ambiguously as the "MIT license") permits all of the same freedoms that are granted under the the GNU GPL. But it does so in a way that is highly permissive: it permits relicensing under any terms, free or not. In other words, one can fork GitLab and derive a proprietary version from it, making changes that deny users their freedoms^[2] and cannot be incorporated back into the original work.

This is the issue that the free software community surrounding Gitorious has a problem with: any changes contributed to GitLab could in turn benefit a proprietary derivative. This situation isn't unique to GitLab: it applies to all non-copyleft ("permissive") free software licenses^[26]. And this issue is realized by GitLab itself in the form of its GitLab Enterprise Edition (GitLab EE): a proprietary derivative that adds additional features atop of GitLab's free Community Edition (CE). For this reason, many free software advocates are uncomfortable contributing to GitLab, and feel that they should instead support other projects; this, in turn, means not supporting GitLab by using and drawing attention to their hosting services.

The copyleft vs. permissive licensing debate is one of the free software movement's most heated. I do not wish to get into such a debate here. One thing is clear: GitLab Community Edition (GitLab CE) is free software. Richard Stallman (RMS) responded directly to the thread on `libreplanet-discuss`^[20], stating plainly:

> We have a simple way of looking at these two versions. The free > version is free software, so it is ethical. The nonfree version is > nonfree software, so it is not ethical.

Does GitLab CE deserve attention from the free software community? I believe so. Importantly, there is another strong consideration: displacing proprietary services like GitHub and Bitbucket, which host a large number of projects and users. GitLab has a strong foothold, which is an excellent place for a free software project to be in.

If we are to work together as a community, we need to respect GitLab's free licensing choices just as we expect GitLab to respect ours. Providing respect does not mean that you are conceding: I will never personally use a non-copyleft license for my software; I'm firmly rooted in my dedication to the free software philosophy^[2], and I'm sure that many other readers are too. But using a non-copyleft license, although many of us consider it to be a weaker alternative, is not wrong^[23].

## Free JavaScript As I mentioned above, software freedom and network services are separate issues^[4]—the four freedoms do not apply to interacting with `gitlab.com` purely over a network connection, for example, because you are not running its software on your computer. However, there is an overlap: JavaScript code downloaded to be executed in your web browser.

Non-free JavaScript^[15] is a particularly nasty concern: it is software that is downloaded automatically from a server—often without prompting you—and then immediately executed. Software is now being executed on your machine, and your four freedoms^[2] are once again at risk. This, then, is the primary concern^[16] for any users visiting `gitlab.com`: not only would this affect users that use `gitlab.com` as a host, but it would also affect any user that visits the website. That would be a problem, since hosting your project there would be inviting users to run proprietary JavaScript.

As I was considering migrating my projects to GitLab, this was the first concern I brought up to Sytse^[14]. This problem arises because `gitlab.com` uses a GitLab EE instance: if it had used only its Community Edition (GitLab CE)—which is free software—then all served JavaScript would have been free. But any scripts served by GitLab EE that are not identical to those served by GitLab CE are proprietary, and therefore unethical. This same concern applies to GitHub, Bitbucket, and other proprietary hosts that serve JavaScript.

Sytse surprised me by stating that he would be willing to freely license all JavaScript in GitLab EE^[17], and by offering to give anyone access to the GitLab EE source code who wants to help out. I took him up on that offer. Initially, I had submitted a patch to merge all GitLab EE JavaScript into GitLab CE, but Sytse came up with another, superior suggestion, that ultimately provided even greater reach.

I'm pleased to announce that Sytse and I were able to agree on a license change (with absolutely no friction or hesitation on his part) that liberates all JavaScript served to the client from GitLab EE instances. There are two concerns that I had wanted to address: JavaScript code directly written for the client, and any code that produced JavaScript as output. In the former case, this includes JavaScript derived from other sources: for example, GitLab uses CoffeeScript, which compiles into JavaScript. The latter case is important: if there is any code that generates fragments of JavaScript—e.g. dynamically at runtime—then that code must also be free, or users would not be able to modify and share the resulting JavaScript that is actually being run on the client. Sytse accepted my change verbatim, while adding his own sentence after mine to disambiguate. At the time of writing this post, GitLab EE's source code isn't yet publicly visible, so here is the relevant snippet from its `LICENSE` file:

> The above copyright notices applies only to the part of this Software that > is not distributed as part of GitLab Community Edition (CE), and that is > not a file that produces client-side JavaScript, in whole or in part. Any > part of this Software distributed as part of GitLab CE or that is a file > that produces client-side JavaScript, in whole or in part, is copyrighted > under the MIT Expat license.

## Further Discussion My discussions with Sytse did not end there: there are other topics that have not been able to be addressed before my writing of this post that would do well to demonstrate commitment toward software freedom^[2].

The license change liberating client-side JavaScript was an excellent move. To expand upon it, I wish to submit a patch that would make GitLab LibreJS compliant^[21]; this provides even greater guarantees, since it would allow for users to continue to block other non-free JavaScript that may be served by the GitLab instance, but not produced by it. For example: a website/host that uses GitLab may embed proprietary JavaScript, or modify it without releasing the source code. Another common issue is the user of analytics software; `gitlab.com` uses Google Analytics.

If you would like to help with LibreJS compliance, please contact me^[11].

I was brought into another discussion between Sytse and RMS that is unrelated to the GitLab software itself, but still a positive demonstration of a commitment to software freedom^[2]—the replacement of Disqus on the `gitlab.com` blog with a free alternative. Sytse ended up making a suggestion, saying he'd be "happy to switch to" Juvia^[22] if I'd help with the migration. I'm looking forward to this, as it is an important discussion area (that I honestly didn't know existed until Sytse told me about it, because I don't permit proprietary JavaScript!). He was even kind enough to compile a PDF of comments for one of our discussions, since he was cognizant ahead of time that I would not want to use Disqus. (Indeed, I will be unable to read and participate in the comments to this guest post unless I take the time to freely read and reply without running Disqus' proprietary JavaScript.)

Considering the genuine interest and concern expressed by Sytse in working with myself and the free software community, I can only expect that GitLab will continue to accept and apply community input.

It is not possible to address the copyleft issue without a change in license, which GitLab is not interested in doing. So the best way to re-assure the community is through action. To quote Sytse^[18]:

> I think the only way to prove we're serious about open source is in our > actions, licenses or statements don't help.

There are fundamental disagreements that will not be able to be resolved between GitLab and the free software community—like their "open core" business model^[19]. But after working with Sytse and seeing his interactions with myself, RMS, and many others in the free software community, I find his actions to be very encouraging.

Are you interested in helping other websites liberate their JavaScript? Consider joining the FSF's campaign^[27], and please liberate your own^[16]!

This post is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License^[25].

^[0] https://about.gitlab.com/2015/03/03/gitlab-acquires-gitorious/

^[1] https://news.ycombinator.com/item?id=9138419

^[2] https://www.gnu.org/philosophy/free-sw.html

^[3] https://gitorious.org/

^[4] https://www.gnu.org/philosophy/who-does-that-server-really-serve.html

^[5] https://www.gnu.org/licenses/agpl.html

^[6] https://www.gnu.org/licenses/gpl.html

^[7] https://www.gnu.org/licenses/why-affero-gpl.html

^[8] https://www.gnu.org/licenses/quick-guide-gplv3.html

^[9] https://www.gnu.org/philosophy/pragmatic.html

^[10] https://www.gnu.org/licenses/license-list.html#Expat

^[11] http://mikegerwitz.com/

^[12] https://lists.gnu.org/mailman/listinfo/libreplanet-discuss

^[13] https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00075.html

^[14] https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00019.html

^[15] https://www.gnu.org/philosophy/javascript-trap.html

^[16] https://www.gnu.org/software/easejs/whyfreejs.html

^[17] https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00020.html

^[18] https://news.ycombinator.com/item?id=9141801

^[19] https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00076.html

^[20] https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00095.html

^[21] https://www.gnu.org/software/librejs/free-your-javascript.html

^[22] https://github.com/phusion/juvia

^[23] https://www.fsf.org/blogs/rms/selling-exceptions

^[24] https://gnu.org/software/easejs

^[25] http://creativecommons.org/licenses/by-sa/3.0/

^[26] https://www.gnu.org/licenses/license-list.html

^[27] https://fsf.org/campaigns/freejs

^[28] http://mikegerwitz.com/about/githubbub [orig-post]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/

JavaScript programs require the same freedoms as any other software^[0]. While SlideShare does (sometimes/always?) provide a transcript in plain text—which is viewable without JavaScript—this is void of the important and sometimes semantic formatting/images that presenters put much time into; you know: the actual presentation bits. (I'm a fan of plain-text presentations, but they each have their own design elements).

There are ways around this. SlideShare's interactive UI appears to simply be an image viewer, so it is possible to display all sides using a fairly simple hack:

“`javascript Array.prototype.slice.call( document.getElementsByClassName( 'slide' ) ) .forEach( function( slide ) { slide.classList.add( 'show' );

var img = slide.getElementsByClassName( 'slide_image' )^[0]; img.src = img.dataset.full; } ); “`

But ideally, I'd like to download the presentation PDF. SlideShare does offer a download link, but not only does it not work with JavaScript disabled, but it requires that the user create an account. This is no good, as it can be used to track users or discover identities by analyzing viewing habits. This would allow de-anonymizing users, even if they have taken measures to remain anonymous^[1].

(By the way: at the time that I wrote this post, the EFF's Surveillance Self-Defense Guide^[1] is LibreJS compatible^[2] and the JavaScript code that it runs is mostly free.)

I encourage presenters (and authors in general) to release the slides in an unencumbered document format^[3], like PDF, HTML, OpenDocument, or plain text. Those formats should be hosted on their own website, or websites that allow downloading those files without having to execute proprietary JavaScript, and without having to log in. If those authors must use SlideShare for whatever reason, then they should clearly provide a link to that free document format somewhere that users can access without having to execute SlideShare's proprietary JavaScript, such as on the first slide. (The description is iffy, since it is truncated and requires JavaScript to expand.)

^[0] https://www.gnu.org/software/easejs/whyfreejs.html

^[1] https://ssd.eff.org/

^[2] https://www.gnu.org/software/librejs/

^[3] http://www.fsf.org/campaigns/opendocument/reject

Digital Restrictions Management^[4] imposes artificial restrictions on users, telling them what they can and cannot do; it is a system that does not make sense^[5] and is harmful to society. Now, just about a week after the International Day Against DRM^[6], Mozilla decides to cave into the pressure in an attempt to stay relevant^[7] to modern web users, instead of sticking to their core philosophy about “openness, innovation, and opportunity”^[8].

John Sullivan requested in the [FSF's announcement] that the community contact Mozilla CTO Andreas Gal in opposition of the decision. This is my message to him:

Date: Wed, 14 May 2014 22:57:02 -0400 From: Mike Gerwitz <mikegerwitz@gnu.org> To: agal@mozilla.com Subject: Firefox EME

Andreas,

I am writing to you as a free software hacker, activist, and user; notably, I have been using Firefox for over ten years. It has been pivotal, as I do not need to tell you, in creating a free (as in freedom), standard, and accessible internet for millions of users. Imagine my bewildered disappointment, then, to learn that Firefox has chosen to cave into the pressure to support Digital Restrictions Management through the implementation of EME^[0].

Mitchell Baker made a feeble attempt at rationalizing this decision^[0] as follows:

[...] Mozilla alone cannot change the industry on DRM at this point. In the past Firefox has changed the industry, and we intend to do so again. Today, however, we cannot cause the change we want regarding DRM. The other major browser vendors =E2=80=94 Google, Microsoft and Apple =E2=80= =94 have already implemented the new system. In addition, the old system will be retired shortly. As a result, the new implementation of DRM will soon become the only way browsers can provide access to DRM-controlled content.

She goes on to explain how “video is an important aspect of online life” and that Firefox would be “deeply flawed as a consumer product” if it did not implement Digital Restrictions Management. This is precisely the FUD that the “content owners” she describes, and corporations like Adobe, have been pushing: Mozilla understands that the solution is not to implement DRM, but to fight to encourage content to be published without being DRM-encumbered. Unfortunately, they will now have little motivation to do so, with every major browser endorsing EME.

She defers to a post by Andreas Gal for more implementation details^[1], in which he mentions that the proprietary CDM virus (which will be happily provided by Adobe) will be protected by a sandbox to prevent certain spying activities like fingerprinting. While this is better than nothing, it's a clear attempt by Mozilla to help make a terrible situation a little bit better.

He goes on to say:

There is also a silver lining to the W3C EME specification becoming ubiquitous. With direct support for DRM we are eliminating a major use case of plugins on the Web, and in the near future this should allow us to retire plugins altogether.=20

Let us not try to veil the problem and make things look more rosy than they actually are: this is not a silver lining; it is not appropriate to have a standardized way of manipulating and taking advantage of users.

It is true that Firefox was in an unfortunate position: many users would indeed grow frustrated that they cannot watch their favorite TV shows and movies using Firefox. But Firefox could have served, when the EME API was used, static content that provided a brief explanation and a link for more information on the problem. They could have educated users and encourage an even stronger outcry.

Instead, we are working with the corrupt W3C to implement a seamlessly shackled web. Mozilla wants to propose alternative solutions to DRM/EME, but by implementing it, their position is weakened.

This is a difficult and uncomfortable step for us given our vision of a completely open Web, but it also gives us the opportunity to actually shape the DRM space and be an advocate for our users and their rights in this debate. ^[1]

Such advocacy has been done and can continue to be done by Mozilla without the implementation of EME; once implemented, the standard will be virtually solidified—what is the incentive for W3C et. al. to find alternatives to a system that is already "better than" the existing Flash and Silverlight situation?

On behalf of the free software community, I strongly encourage your reconsideration on the matter. Mozilla is valued by the free software community for its attention to freedoms. Stand with us and fight. You're in a powerful position to do so.

^[0]: https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challenge-of-serv= ing-users/ ^[1]: https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c= -eme/

The following day, I submitted the FSF announcement to HackerNews^[9] (surprised that it was not there already) in an attempt to bring further coverage to the matter and hopefully spur on some discussion. And discuss they did: it was on the front page for the entire day and, at the time of writing, boasts 261 comments, many of them confused and angry. I sent the HN link to Andreas in a follow-up as well.

^[0] http://www.fsf.org/news/fsf-condemns-partnership-between-mozilla-and-adobe-to-support-digital-restrictions-management

^[1] https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html

^[2] https://www.eff.org/deeplinks/2013/03/defend-open-web-keep-drm-out-w3c-standards

^[3] http://mikegerwitz.com/

^[4] http://www.defectivebydesign.org/what_is_drm_digital_restrictions_management

^[5] https://plus.google.com/+IanHickson/posts/iPmatxBYuj2

^[6] http://www.defectivebydesign.org/dayagainstdrm

^[7] https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challenge-of-serving-users/

^[8] http://www.mozilla.org/en-US/about/manifesto/

^[9] https://news.ycombinator.com/item?id=7749108

I found Antonio's perspective to be enlightening, so I asked for his permission to share it here.

I imagine a world where all the Free Software is GPLed. The amount and usefulness of Free Software grows incesantly because free projects can reuse the code of previous free projects. Proprietary software is expensive because every company has to write most of its "products" from scratch. Most people use Free Software, and proprietary software is mainly used for specialized tasks for which no free replacement exists yet.

Now I imagine a world where all the Free Software is really "open source" (BSD license). Free Software is restricted to the operating system and basic aplications because the license does not guarantee reciprocity. Proprietary software is cheap to produce because it is built using the code of free projects, but it is expensive for the user (in money and freedom) because there is no real competition from Free Software. Most people use proprietary software, as Free Software is too basic for most tasks.

I think "open source" organizations (specially BSD) are wilfully destroying the long-term benefits for society of the GPL, and they are doing it for short-term benefits like popularity and greed:

"As these companies devise strategies for dealing with GPLv3, so must the FreeBSD community - strategies that capitalize on this opportunity to increase adoption of FreeBSD." "Fundraising Update [...] This has increased the number of people actively approaching companies to make large contributions."

https://www.freebsdfoundation.org/press/2007Aug-newsletter.shtml

Human beings have an innate sense of justice. In absence of reciprocity one wants to be paid, but I think that reciprocity is much better for society in the long term.^[3]

Antonio compels us to think toward the future: while developers releasing their code under permissive licenses like the Modified BSD License^[4] are still making a generous contribution to the free software community today, it may eventually lead to negative consequences by empowering non-free software tomorrow.

^[0] https://www.gnu.org/software/ocrad/ocrad.html

^[1] https://www.gnu.org/philosophy/free-sw.html

^[2] http://mikegerwitz.com/

^[3] Comment by Antonio Diaz; the only modifications made were for formatting.

^[4] https://www.gnu.org/licenses/license-list.html#ModifiedBSD

But I am still a free software activist.

The goal of the FreeBSD Project is to provide a stable and fast general purpose operating system that may be used for any purpose without strings attached.^[2]

Making a program proprietary is an exercise of power. Copyright law today grants software developers that power, so they and only they choose the rules to impose on everyone else—a relatively small number of people make the basic software decisions for all users, typically by denying their freedom. When users lack the freedoms that define free software, they can't tell what the software is doing, can't check for back doors, can't monitor possible viruses and worms, can't find out what personal information is being reported (or stop the reports, even if they do find out). If it breaks, they can't fix it; they have to wait for the developer to exercise its power to do so. If it simply isn't quite what they need, they are stuck with it. They can't help each other improve it.^[4]

Copyleft is a general method for making a program (or other work) free, and requiring all modified and extended versions of the program to be free as well.^[7]

This is more demonstrative of the “open source” philosophy than that of “Free Software”^[12] (yes, notice the bias in my capitalization of these terms).

Copyleft is important^[7] because it ensures that all users will forever have the four fundamental freedoms associated with Free Software^[6]. The GPL incorporates copyleft; BSD licenses do not. Consider why this is a problem: Imagine some software Foo licensed under the Modified BSD license^[10]. Foo is free software; it is licensed under a free software license (Modified BSD).^[5] Now consider that someone makes a fork—a derivative—of Foo, which we will call “Foobar”. Since the Modified BSD license is not copyleft^[10], the author of Foobar decides that he or she does not wish to release its source code; this is perfectly compliant with the Modified BSD license, as it does not require that source code be distributed with a binary (it only requires—via its second clause^[10]—that the copyright notice, list of conditions and disclaimer be provided).

The author has just taken Foo and made it proprietary.

The FreeBSD community is okay with this; the free software community is not^[4]. There is a distinction between these two parties: When critics of copyleft state that they believe the GPL is “less free” than more permissive licenses such as the BSD licenses, they are taking into consideration the freedoms of developers and distributors; the GPL, on the other hand, explicirly restricts these parties' rights in order to protect the users because those parties are precisely those that seek to restrict the users' freedoms; we cannot provide such freedoms to developers and distributors without sacrificing the rights of the vulnerable users who generally do not have the skills to protect themselves from being taken advantage of.^[13] Free software advocates have exclusive, unwaivering loyalty to users.

As an example of the friction between the two communities, consider a concept that has been termed “tivoization”^[14]:

Tivoization means certain “appliances” (which have computers inside) contain GPL-covered software that you can't effectively change, because the appliance shuts down if it detects modified software. The usual motive for tivoization is that the software has features the manufacturer knows people will want to change, and aims to stop people from changing them. The manufacturers of these computers take advantage of the freedom that free software provides, but they don't let you do likewise.^[14]

When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.^[11]

While we find the use of DRM by media companies in their attempts to reach into user owned devices to control content deeply disturbing, our belief in the essential freedoms of section 3 forbids us from ever accepting any licence which contains end use restrictions. The existence of DRM abuse is no excuse for curtailing freedoms.^[17]

The BSD camp has similar objections^[19]:

Appliance vendors in particular have the most to lose if the large body of software currently licensed under GPLv2 today migrates to the new license. They will no longer have the freedom to use GPLv3 software and restrict modification of the software installed on their hardware. High support costs ("I modified the web server on my Widget 2000 and it stopped running...") and being unable to guarantee adherence to specifications in order to gain licensing (e.g. FCC spectrum use, Cable TV and media DRM requirements) are only two of a growing list of issues for these users.^[19] --Justin Gibbs, VP of The FreeBSD Foundation

As I mentioned at the beginning of this article: this is a view that I will respect for the project. I disagree with it, but FreeBSD is still free software and we would do well not to discriminate against it simply because someone else may decide to bastardize it and betray their users by making it proprietary or providing shackles^[16]. However, provided the licensing option for your own software, you should choose the GPL.

Colophon: The title of this article is a play on RMS' “Copyright vs. Communty”^[20], which is a title to a speech he frequently provides worldwide. His speech covers how copyright works against the interests of the community; here, BSD advocates aruge that copyleft^[7] works against the interests of their community and their users; I figured that I would snag this title as a free software advocate before someone else opposing copyleft did.)

^[0] http://unix.stackexchange.com/a/49970

^[1] http://mikegerwitz.com/

^[2] http://www.freebsd.org/doc/faq/introduction.html#FreeBSD-goals

^[3] http://en.wikipedia.org/wiki/Richard_Stallman

^[4] http://www.gnu.org/philosophy/freedom-or-power.html

^[5] http://www.gnu.org/licenses/license-list.html#ModifiedBSD

^[6] http://www.gnu.org/philosophy/free-sw.html

^[7] http://www.gnu.org/copyleft/

^[8] http://en.wikipedia.org/wiki/Copyleft#Viral_licensing

^[9] http://www.gnu.org/philosophy/misinterpreting-copyright.html

^[10] http://en.wikipedia.org/wiki/BSD_licenses

^[11] http://www.gnu.org/licenses/gpl.html

^[12] http://www.gnu.org/philosophy/open-source-misses-the-point.html

^[13] Technically, the GPL exercises restrictions only on distributors; a developer can integrate GPL'd code into their proprietary software so long as they do not distribute it (as defined in the GPL).^[11] However, developers often have to cater to distributors, since software will generally be distributed; if it is not, then it is not relevant to this discussion.

^[14] http://www.gnu.org/licenses/rms-why-gplv3.html

^[15] http://www.fsf.org/blogs/community/antifeatures

^[16] http://www.defectivebydesign.org/what_is_drm_digital_restrictions_management

^[17] http://lwn.net/Articles/200422/

^[18] http://en.wikipedia.org/wiki/Linux_kernel

^[19] http://www.freebsdfoundation.org/press/2007Aug-newsletter.shtml

^[20] http://www.gnu.org/philosophy/copyright-versus-community.html

Aggregating daily battery temperature readings to city level revealed a strong correlation with historic outdoor air temperature. With a mathematical transformation, the average battery temperature across a group of phones gives the outdoor air temperature.^[0]

This is an interesting find. The article further states that “[...] we have one data point where the Android data is actually more reliable than the traditional source.”

Such data can be very useful in providing decentralized data, so long as issues of privacy^[1] are addressed. Doing so is not terribly difficult, but would have a number of factors. In particular, the user would need the means to submit data anonymously, which could be done via software/networks such as Tor^[2]. GPS location data is certainly a privacy issue when it is tied to your mobile device, but fortunately, it's unneeded: you can trust your users to let you know where they reside by either (a) opting into using location services or (b) allowing them to specify a location or approximate location of their choosing (approximations would be important since a user may not wish to change their location manually while they travel, say, to and from work). If enough devices submit data, then legitimate data would drown out those who are trying to purposefully pollute the database. Such an example can be seen with Bitcoin, in which networks will reach a consensus on correct blockchains^[3] so long as “a majority of computing power is controlled by nodes that are not cooperating to attack the network”. Of course, users would be able to pollute the network by sending false data as it is, and the data is already tarnished from various factors such as body heat.^[0]

Of course, I do assume that mobile devices will contain temperature sensors in the future; some already do^[4] (but I cannot encourage their use, as they use proprietary software^[5]). However, this is still a clever hack (I suppose that term is redundant). In my searching while writing this article, I did notice prior examples of ambient temperature readings using Android software^[6] (proprietary^[5]), but the software does not aggregate data for purposes of determining weather patterns.

Finally, please do not download OpenSignal's app; it too is proprietary^[5]; this discussion was purely from a conceptual standpoint and does not endorse any software.

^[0] http://opensignal.com/reports/battery-temperature-weather/

^[1] http://mikegerwitz.com/

^[2] https://www.torproject.org/

^[3] http://en.wikipedia.org/wiki/Protocol_of_Bitcoin

^[4] http://stackoverflow.com/a/11628921

^[5] http://www.gnu.org/philosophy/free-sw.html

^[6] https://play.google.com/store/apps/details?id=androidesko.android.electronicthermometer&hl=en

Bing Ads will be an integral part of this new Windows 8.1 Smart Search experience. Now, with a single campaign setup, advertisers can connect with consumers across Bing, Yahoo! and the new Windows Search with highly relevant ads for their search queries. In addition, Bing Ads will include Web previews of websites and the latest features like site links, location and call extensions, making it easier for consumers to complete tasks and for advertisers to drive qualified leads.^[1]

And to make matters even worse, Microsoft is exploiting this information to allow advertisers to target you. Ironic.^[5]

Do not use Windows 8^[6] (or any other proprietary software, for that matter).

^[0] http://www.computerworld.com/s/article/9241524/Steven_J._Vaughan_Nichols_Microsoft_Bing_bang_bungles_local_search

^[1] http://community.bingads.microsoft.com/ads/en/bingads/b/blog/archive/2013/07/02/new-search-ad-experiences-within-windows-8-1.aspx

^[2] http://mikegerwitz.com/

^[3] http://mikegerwitz.com/

^[4] http://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do

^[5] http://www.scroogled.com/email/

^[6] https://www.fsf.org/windows8

Encourage your friends, colleagues and acquaintances to use services like Diaspora^[1] that are respectful of your data instead. Better yet: explain to those individuals the problems of social media services and ask that they respectfully leave you out of it.

^[0] http://www.groovypost.com/news/facebook-shadow-accounts-non-users/

^[1] https://joindiaspora.com/

Ars has reported on London trashcans^[0] rigged to collect the MAC addresses^[1] of mobile devices that pass by. Since we do not often see mobile devices carrying themselves around, we may as well rephrase this as “collect the MAC addresses of people that pass by”.

During a one-week period in June, just 12 cans, or about 10 percent of the company's fleet, tracked more than 4 million devices and allowed company marketers to map the “footfall” of their owners within a 4-minute walking distance to various stores.^[0]

In IEEE 802 networks such as Ethernet, token ring, and IEEE 802.11, and in FDDI, each frame includes a destination Media Access Control address (MAC address). In non-promiscuous mode, when a NIC receives a frame, it normally drops it unless the frame is addressed to that NIC's MAC address or is a broadcast or multicast frame.^[2]

Let's say you disconnect from mysecretap. Since the access point (AP) is not broadcasting itself, how does your device know when it is available again? It must attempt to ping it and see if it gets a response. With this ping is your MAC address. Since many devices conveniently like to connect automatically to known access points when they become available, it is likely that your device is pinging rather frequently.

But what if you do not use hidden access points? Well, it is likely that the same issue still stands—what if the access point that you connected to was once listed but then becomes hidden? (Maybe the administrator of the access point allowed broadcasts for a period of time to allow people to connect easily, but then hid it at a later time.) Your device would need to account for that, and therefore, to be helpful, likely broadcasts pings for any access point you have connected to recently (where “recently” would depend on your device).

Now, back to the NSA^[5]-wannabe-trashcans: At this point, all an observer must do is lay in wait for those broadcasts and record the MAC addresses. By placing these devices at various locations, you could easily track the movements of individuals, including their speed, destinations, durations of their visits, visit frequencies, favorite areas, dwellings, travel patterns, etc. Since devices may broadcast a whole slew of recent access points that it connected to, you could also see areas that the owner may have been to (oh, I see that you connected to the free wifi in that strip joint). You could be evil^[6].

Turn off wireless on your device when you are not using it—especially when you are traveling. Ensure that your device does not continue pinging access points when wireless is disabled^[3].

Better yet, fight back. Consider exploring how to spoof your MAC address, perhaps randomly generating one every so often. Consider the possibilities of activist groups that may pollute these spy databases by gathering a list of unique MAC addresses of passerbys for the purpose of rebroadcasting them at random intervals—which you could even do using long-range antennas targeted at these devices.^[7] If done properly to mimic models of common travel patterns, the data that these spy devices gather would become unreliable.^[8]

Surveillance by any entity—be it governments^[5], corporations, individuals or otherwise—is not acceptable.

^[0] http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/

^[1] http://en.wikipedia.org/wiki/MAC_address

^[2] http://en.wikipedia.org/wiki/Promiscuous_mode

^[3] http://arstechnica.com/gadgets/2013/08/review-android-4-3-future-proofs-the-platform-with-multitude-of-minor-changes/3/#p15

^[4] http://arstechnica.com/security/2013/08/diy-stalker-boxes-spy-on-wi-fi-users-cheaply-and-with-maximum-creep-value/

^[5] http://mikegerwitz.com/

^[6] http://renewlondon.com

^[7] Disclaimer: Please research your local laws.

^[8] Of course, it is important that such an activity in itself does not violate a person's privacy, and so such collection must be done in a manner that cannot in itself identify the person's travel patterns (e.g. by not storing information on what access point the data was collected from).

Edward Snowden^[1]—the whistleblower responsible for exposing various NSA dragnet spying programs^[0], among other documents—has been stuck in the Moscow airport^[2] for quite some time while trying to figure out how he will travel to countries offering him asylum, which may involve traveling through territories that may cooperate with the United States' extradition requests. Snowden issued a statement today to Human Rights groups at Moscow's Sheremetyevo airport^[3], within which he mentioned:

I announce today my formal acceptance of all offers of support or asylum I have been extended and all others that may be offered in the future. With, for example, the grant of asylum provided by Venezuela’s President Maduro, my asylee status is now formal, and no state has a basis by which to limit or interfere with my right to enjoy that asylum. [...] I ask for your assistance in requesting guarantees of safe passage from the relevant nations in securing my travel to Latin America, as well as requesting asylum in Russia until such time as these states accede to law and my legal travel is permitted. I will be submitting my request to Russia today, and hope it will be accepted favorably.^[3]

My focus on these issues will seldom be on Snowden himself—I would prefer to focus primarily on what he sacrificed his life to bring to light. But it is precisely this sacrifice that makes it important to ensure that Snowden does not fall out of the picture (though it does not appear that he will any time soon). The Guardian also seems to have adopted the strategy of slowly providing more information on the leaks over time—such as the recent revelation that Microsoft cooperated with the NSA's Prisim program to provide access to unencrypted contents of Outlook.com, Hotmail, Skype and SkyDrive services^[8]; I will have more on that later.

I end this with a photograph taken yesterday of Richard Stallman with Julian Assange holding up a picture of Snowden^[9] that brings a smile to my face.

^[0] http://mikegerwitz.com/

^[1] https://en.wikipedia.org/wiki/Edward_Snowden (Now with his own Wikipedia page)

^[2] http://www.guardian.co.uk/world/2013/jul/01/edward-snowden-escape-moscow-airport

^[3] http://wikileaks.org/Statement-by-Edward-Snowden-to.html

^[4] http://www.guardian.co.uk/world/2013/jul/02/edward-snowden-nsa-withdraws-asylum-russia-putin

^[5] http://www.guardian.co.uk/world/2013/jul/01/putin-snowden-remain-russia-offer

^[6] http://m.guardiannews.com/world/2013/jul/12/edward-snowden-accuses-us-illegal-campaign

^[7] http://www.guardian.co.uk/world/2013/jul/05/european-states-snowden-morales-plane-nsa

^[8] http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data

^[9] http://twitpic.com/d279tx

This is not a decision I take lightly; it has received much thought over the course of recent years. For some time, I accepted the view of Richard Stallman and the Free Software Foundation^[1] on opinion pieces in that, since they express personal opinions, it is not unreasonable to require that they be distributed verbatim. Indeed, it would seem wise not to allow someone to change your words, especially on something that you are passionate about.

However, I have come to adopt another perspective. What is the motivation behind releasing content under a license that permits modification (that is, the creation of derivative works)? Often, the primary reason is to allow others to improve upon the content or to modify it to suit their particular needs. To prevent others from locking down those changes—preventing others from having the same rights as they did—many will often release their works under licenses that require that all derivatives be released under the same terms. In the case of Creative Commons, this is called “ShareAlike”^[2], which is motivated by GNU's copyright hack called copyleft^[3] (popularized by the GNU General Public License^[4]).

For free software^[5] advocates, the question of whether or not to permit modification is generally not even raised—it is a necessity. Software serves a functional purpose: Prohibiting modification could prevent users from altering the software in ways that they may find useful and could be used to exert control over the users. Software does stuff. Software can control what the user can and cannot do.

Creative works are often considered in a different light. Like software, they are indeed useful—they can be tools to learn, to entertain, etc. However, does prohibiting modification do any harm? In the case of documentation for free software^[6], yes—documentation is very important and can make the difference between highly useful software and impenetrable software. Free documentation ensures that, as the software grows, the documentation can grow with it. Since the documentation for many projects is often scarce or poorly written (great computer hackers are not necessarily great language hackers), the freedom to modify the documentation is a necessity.

Then what of texts that have nothing to do with a free software project? Texts that serve as an educational resource of any kind would benefit from being free just as a free software project would—experts could contribute, teachers could alter it to suit their particular teaching style or their classroom setting, etc. But what of texts that exist purely as opinion pieces?

I'm not sure there's such a thing as a “pure” opinion piece, unless it is utter garbage.

An author would do well to substantiate their opinion with appropriate references (though often times, this is not the case). With those references (or lack thereof) comes the need to connect them to the content—the author must explain his or her opinion. This explanation is educational, even if the reader does not agree with the opinion. Perhaps the reader wishes to use the opinion piece as a resource, but notices that it is lacking in some respect. Should they not be able to improve it, perhaps to even further the author's point? Or, perhaps the opinion piece could be extended to the contrary—to prove additional references to either make it neutral or even work against the author's original opinion. Even though this may not be what the author wants, this is still a useful derivation of the original work.

As an example, consider this very post. This is clearly an opinion piece—I have made the choice to release my content under a Creative Commons license and I am substantiating my opinion in the hope that others may gain insight and possibly even choose the same path for their own creative works. What if someone wished to present this article to a group of individuals—maybe in the workplace—but found my “garbage” comment to be unnecessarily harsh? What personal harm would I incur if they were to remove that statement? However, what if they wished to go further by replacing all references to “free software” with references to “open source”—a term which I reject^[7]? Well, this could potentially affect my image, depending on the group's philosophy. What now?

There are a few important points to note from this. Firstly, the license mandates that:

If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Ssection [sic] 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author").^[8]

The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors.^[8]

The next point is another simple one: Under United States copyright law, the fair use doctrine^[9] permits limited use of a copyrighted work without prior consent from the author; it is this doctrine that allows, for example, authors and journalists to quote portions of other works to report on or back up their arguments. This means that, even if the license did not permit, an author could still incorporate portions of my work to support their own arguments or agenda, regardless of whether or not I may agree with it. This segues into the final point.

Who am I to dictate others opinions^[10]? It would not be right of me to limit one's freedom simply because they violate my own personal opinions or beliefs. Therefore, if this is one condition under which I would decide to restrict my creative works, then that reason should be immediately dismissed. This means that—within the context of my previous example—if someone wanted to alter all the references to “free software” in my work to adapt it to their own personal style, then they should be permitted to do so. Such a work is no longer my own: They must clearly state that it has been altered from the original. Hopefully readers take notice of that. My works are always published on my own personal website where the originals can be found; with today's search engines, such a task is trivial. If someone neglects to do so—and I do understand that many will neglect to do so—then they have not made an informed opinion on the material.

Another minor point would be that, for the majority of my works, it is unlikely that anyone will be making any sort of alteration.

As such, I find that I have little ground to stand on should I attempt to rationalize a more restrictive license. Any remaining arguments, such as “what if they sell your content or modify it only slightly and are given more credit for the work than they deserve?” are already covered by the free software philosophy can may be easily adopted here.

^[0] http://creativecommons.org/licenses/by-sa/3.0/

^[1] http://www.gnu.org/licenses/license-list.html#OpinionLicenses

^[2] http://creativecommons.org/licenses/

^[3] https://www.gnu.org/copyleft/copyleft.html

^[4] https://www.gnu.org/copyleft/gpl.html

^[5] https://www.gnu.org/philosophy/free-sw.html

^[6] https://www.gnu.org/philosophy/free-doc.html

^[7] http://www.gnu.org/philosophy/open-source-misses-the-point.html

^[8] http://creativecommons.org/licenses/by-sa/3.0/legalcode

^[9] http://en.wikipedia.org/wiki/Fair_use

^[10] http://www.gnu.org/philosophy/programs-must-not-limit-freedom.html

Many individuals and organizations^[0] have long warned of digital privacy issues^[1], but there has been one agency in particular that has been the subject of much scrutiny—the National Security Agency (NSA)^[2], which is a United States government agency^[3] that has a long history of controversial spying tactics^[4] on its country's own citizens. It is a chilling topic—one that can easily make any person sound like they've latched onto an Orwellian conspiracy.

Wednesday, June 5th, 2013—the Guardian newspaper publishes a leaked document^[5][6][7] ordering Verizon to

[...] produce to the National Security Agency (NSA) upon service of this Order, and continue production on an ongoing daily basis thereafter for the duration of this Order, [...] an electronic copy of the following tangible things: all call detail records or “telephony metadata” created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls.^[6] [emphasis added]

This report caused a massive uproar, but came as no surprise^[11] to many security researchers and privacy advocates. Early last year, Wired released an article stating that the NSA “Is Building the Country's Biggest Spy Center”^[14]. Privacy concerns were raised in November of last year by the Petraeus scandal^[14]. In March of this year, Google released figures showing that the NSA is secretly spying on some of its customers^[15]. Two months later, outrage^[17] after the Associated Press discovers that the Justice Department collected the calling records of many of its reporters and editors^[18]. Additionally, the EFF already had cases against the NSA's actions^[2]—Jewel v. NSA^[12] and Hepting v. AT&T^[13] both focus on unconstitutional dragnet surveillance of innocent citizens' data and communications. These cases will be explored in further detail throughout this article.

But the chaos didn't end there.

Thursday, June 6th, 2013—just one day after the Guardian reported on the leaked Verizon order, the newspaper reports on a leaked slideshow describing PRISM^[19], a top-secret program that “claims direct access to servers of firms including Google, Apple and Facebook. According to the leaked document, the NSA supposedly has the ability to collect material including e-mail, chat, video and voice communications, photos, stored data and more.^[19]. Responses from most companies was immediate. In a blog post entitled “What that...?”^[20], Larry Page—Google's CEO—put very plainly that Google does not participate in such a program and denied any knowledge of PRISM:

First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday. Second, we provide user data to governments only in accordance with the law.^[20] --Larry Page, Google CEO

I want to respond personally to the outrageous press reports about PRISM: Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday. [...] We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe. It's the only way to protect everyone's civil liberties and create the safe and free society we all want over the long term.^[21] --Mark Zuckerberg, Facebook CEO

Friday, June 7th, 2013—Two days after the initial Verizon report^[5] and one day after the publishing of portions of the PRISM documents^[19], the White House responded to the Guardian reports with President Obama defending his administration^[16]. Unfortunately, given the history of the NSA surveillance programs^[4]—especially since the Bush administration after the 9/11 attacks—it may be difficult to believe that his words are the whole truth. As such, we will use portions of his transcript^[16] to guide the remainder of this discussion.

Jackie Calmes: Mr. President, could you please react to the reports of secret government surveillance of phones and Internet? And can you also assure Americans that the government — your government doesn’t have some massive secret database of all their personal online information and activity?

Obama: [...] Now, the programs that have been discussed over the last couple days in the press are secret in the sense that they’re classified, but they’re not secret in the sense that when it comes to telephone calls, every member of Congress has been briefed on this program.

With respect to all these programs, the relevant intelligence committees are fully briefed on these programs. These are programs that have been authorized by broad, bipartisan majorities repeatedly since 2006. And so I think at the outset, it's important to understand that your duly elected representatives have been consistently informed on exactly what we’re doing.^[16]

There are some important notes regarding the phrasing of the President's statement. Firstly, it is important to note that the President is confirming the existence of the programs that “have been discussed over the last couple days in the press”—that is, the Verizon FISA Court order^[5] and the PRISM^[19] leak. However, it is also important to take a step back and note that the President did not state outright that the reports tell the whole—or even the correct—story. So what do we know?

Although this program has been properly classified, the leak of one order, without any context, has created a misleading impression of how it operates. [...] The program does not allow the Government to listen in on anyone's phone calls. The information acquired does not include the content of any communications or the identity of any subscriber. The only type of information acquired under the Court's order is telephony metadata, such as telephone numbers dialed and length of calls.^[23]

IT IS HEREBY ORDERED that [Verizon] shall produce to the [NSA] [...], and continue production on an ongoing daily basis [...] for the duration of this Order, [...] all call detail records or “telephony metadata” [...]. Telephony metadata includes comprehensive communications routing information, including but not limited to [...] originating and terminating telephone number, [...] International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, [...] trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication [...], or the name, address, or financial information of a subscriber or customer.^[6] --FISA Court order

Obama: When it comes to telephone calls, nobody is listening to your telephone calls. That’s not what this program’s about. As was indicated, what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people’s names, and they’re not looking at content. But by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism. If these folks — if the intelligence community then actually wants to listen to a phone call, they’ve got to go back to a federal judge, just like they would in a criminal investigation. So I want to be very clear. Some of the hype that we’ve been hearing over the last day or so — nobody’s listening to the content of people’s phone calls.^[16]

Another argument worthy of strong consideration is posed by Daniel J. Solove—what if the government is wrong about your intentions^[25]? How can you go about correcting incorrect data if its very existence is hidden from the public?

What if the government leaks the information to the public? What if the government mistakenly determines that based on your pattern of activities, you're likely to engage in a criminal act? What if it denies you the right to fly? What if the government thinks your financial transactions look odd—even if you've done nothing wrong—and freezes your accounts? What if the government doesn't protect your information with adequate security, and an identity thief obtains it and uses it to defraud you?^[25]

Of course, we are now assuming that that the NSA is (a) operating in accordance with the Court order with respect to the privacy of communications content and (b) that the President's statement is not intentionally omitting projects that do warrantlessly wiretap innocent Americans' communications. Historically, the NSA has not given us reason to entertain either of these thoughts.

January 31, 2006—Hepting v. AT&T^[13]; the EFF files a case suing AT&T on behalf of its customers for “violating privacy law by collaborating with the NSA in the massive, illegal program to wiretap and data-min Americans' communications”. This case included “undisputed evidence“ from former AT&T technician Mark Klein showing that AT&T routed a copy of all Internet traffic to an NSA-controlled room in San Francisco^[27]:

Through the “splitter cabinet,” the content of all of the electronic voice and data communications going across the Peering Links [...] was transferred from the WorldNet Internet room's fiber optical circuits into the [NSA-controlled] SG3 Secure Room [...] including such equipment as Sun servers and Juniper (M40e and M160) “backbone” routers. The list also included a Narus STA 6400, which is a “Semantic Traffic Analyzer.”^[27]

Unfortunately, Hepting was dealt a fatal blow in July 2008 when both the government and AT&T were awarded retroactive immunity^[28] by the FISA Amendments Act (FAA)^[29]. This startling turn was signed by President Bush in response to the EFF's court victories in the case and “allows the Attourney General to require the dismissal of the lawsuits over the telecoms' participation in the warrantless surveillance program”.^[13] The case was dismissed in June 2009 and dozens of other lawsuits.

Fortunately, the battle is not over. The EFF then filed Jewel v. NSA^[12] which directly targets the “NSA and other government agencies on behalf of AT&T customers to stop the illegal unconstitutional and ongoing dragnet surveillance of their communications and communications records”. This case was too based on the testimony of Klein^[27]. Additionally, the EFF had declarations of William Binney, Thomas Drake and Kirk Wiebe—three NSA whistleblowers^[30]. Most interesting (and damning) for the purposes of our discussion is the Summary of Voluminous Evidence^[31].

I have served on the Intelligence Committee for over a decade and I wish to deliver a warning this afternoon. When the American people find out how their government has secretly interpreted [the business records provision of FISA], they are going to be stunned and they are going to be angry.^[32] --Senator Ron Wyden

According to the summary of evidence^[31], the NSA stated:

To perform both its offensive and defensive mission, NSA must “live on the network.” [The program would be] a powerful and permanent presence on a global telecommunications infrastructure where protected American communications and targeted adversary communications will coexist.

[U]nder existing laws like FISA, you have to have the name of somebody, have to already suspect that someone's a terrorist before you can get a warrant. [...] it doesn't allow you as a government to use judgment based on probability to say: “[...] there's a high probability that some of those calls are terrorist communications. But we don't know the names of the people making those calls.” You want to get at those phone calls, those e-mails, but under FISA you can't do that.^[33] --Jon Yoo

Let us return to the statements from both Clapper^[23] and Obama stating that “nobody is listening to the content of your phone calls”.^[16] We can certainly hope that this is the case, but we shall continue to draw from evidence in the Jewel v. NSA case^[12] to see what the NSA has done in the past.

It was the biggest legal mess I've ever encountered.^[35] --Jack Goldsmith, Justice Department's Office of Legal Consel

Obama: If these folks — if the intelligence community then actually wants to listen to a phone call, they've got to go back to a federal judge, just like they would in a criminal investigation.^[16]

Ultimately, it is believed that Attorney General Comey's initial certifications of the program were “based on a misimpression of those activities” due to a botched legal analysis by Jon Yoo that was described as “at a minimum [...] factually flawed”. Yoo was the only OLC official to read into the program since its inception in October 2001 until his leaving in May 2003.^[31] When Comey refused to reauthorize the program, Bush did so himself, resulting in threats of resignation from Comey and “about two dozen Bush appointees”. However, “[d]espite the illegality of the Program, no officials resigned.”^[31].

In 2009, the New York Times published a series of articles regarding the program, exposing a “serious issue involving the NSA” concerning “significant misconduct”^[38]. This included a “`flagrant' overcollection of domestic email”.^[31]

Because each court order could single out hundreds or even thousands of phone numbers or e-mail addresses, the number of individual communications that were improperly collected could number in the millions, officials said.^[31]

The program Senators Feinstein and Chambliss publicly referred to today is one that I have been concerned about for years. I am barred by Senate rules from commenting on some of the details at this time. However, I believe that when law-abiding Americans call their friends, who they call, when they call, and where they call from is private information. Collecting this data about every single phone call that every American makes every day would be a massive invasion of Americans’ privacy.^[39] --Senator Ron Wyden

The revelations not only confirmed what EFF has long alleged, they went even further and honestly, we’re still reeling. EFF will, of course, be continuing its efforts to get this egregious situation addressed by the courts.

[...] EFF and others had long alleged that, despite the rhetoric surrounding the Patriot Act and the FISA Amendments Act, the government was still vacuuming up the records of the purely domestic communications of millions of Americans. And yesterday, of course, with the Verizon order, we got solid proof.. And it appears that the reach of this vacuum goes much further, into the records of our Internet service providers as well.^[41] --Electronic Frontier Foundation

This brings us back to PRISM.^[19] Numerous sources reported that the White House confirmed^[42] its existence. Indeed, if you consider the President's original words— “the programs that have been discussed over the last couple days in the press are secret in the sense that they’re classified”^[16]—this does seem to be a verification of the project's existence. However, confusion ensued when companies like Google and Facebook denied involvement^[43], despite what the leaked information seems to state^[19]. Yonatan Zunger—chief architect at Google—reiterated the words of Larry Page^[44]:

I can also tell you that the suggestion that PRISM involved anything happening directly inside our datacenters surprised me a great deal; owing to the nature of my work at Google over the past decade, it would have been challenging -- not impossible, but definitely a major surprise -- if something like this could have been done without my ever hearing of it. And I can categorically state that nothing resembling the mass surveillance of individuals by governments within our systems has ever crossed my plate.^[44] --Yonatan Zunger, Chief Architect, Google

Questions then arose as to what exactly “PRISM” is. Marc Ambinder with The Week reported that PRISM is nothing more than one of many different “data collection tools”^[45] that may be used by the NSA. One day later, Marc posted another article entitled “Solving the mystery of PRISM”^[46]

Each data processing tool, collection platform, mission and source for raw intelligence is given a specific numeric signals activity/address designator, or a SIGAD. [...] PRISM is US-984XN. Each SIGAD is basically a collection site, physical or virtual; [...] PRISM is a kick-ass GUI that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from internet companies located inside the United States.^[46]

Others hypothesized that, due to the denial of involvement from various companies^[44], PRISM may operate by intercepting communications. The Guardian countered by releasing another slide from the leaked presentation^[47], stating outright that “[b]oth of these theories appear to be contradicted by internal NSA documents”.

It clearly distinguishes Prism, which involves data collection from servers, as distinct from four different programs involving data collection from "fiber cables and infrastructure as data flows past".^[47]

This sounds a great deal like Klein's description of the SG3 Secure Room at AT&T^[27] (though I do not intend to imply that they are the same thing—that is not clear, nor does Klien state that he ever noted the word “PRISM” on any documents). The Guardian goes on to state that “[a] far fuller picture of the exact operation of Prism [...] is expected to emerge in the coming weeks and months”. (Is that foreshadowing or an educated guess?)

[Google, Micorsoft, Yahoo, Facebook, AOL, Apple and Paltalk] were legally required to share the data under the Foreign Intelligence Surveillance Act. [...] But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said.^[49]

Let us return to the President's statements.

Obama: And I welcome this debate. And I think it's healthy for our democracy. I think it's a sign of maturity, because probably five years ago, six years ago, we might not have been having this debate.^[16]

Jackie Calmes: Do you welcome the leak, sir? Do you welcome the leak if you welcome the debate?

Obama: I don't—I don't welcome leaks, because there's a reason why these programs are classified. [...] But that's also why we've set up congressional oversight. These are the folks you all vote for as your representative in Congress, and they’re being fully briefed on these programs.

Unfortunately, Obama seems to have missed another critical fact. We—the people—vote for representatives that, well, “represent” the issues that we care about. Those who are strongly opposed to gun legislation will vote for those representatives that share those feelings and will fight to oppose such legislation. Similarly, a pro-life supporter will probably not vote for a candidate in favor of abortion. But what if there is a candidate that shares one opinion but not another—say, opposes gun regulation but supports abortion, when you as a voter are a pro-life gun-owner against gun legislation? Then you will likely vote for the issues that you feel most strongly about (or what you feel is a fair balance between all the other issues you follow). The problem here, Mr. President, is that we—the people—are not made aware of these issues because they are classified. How many people may not have voted for you, Mr. President, had they known that you would support dragnet surveillance of innocent Americans?

Three weeks ago, Snowden made final preparations [...] [a]t the NSA office in Hawaii where he was working, [copying] the last set of documents he intended to disclose.^[50]

It is this statement from Snowden that, if accurate, suggests that Obama not only supports Bush's initial dragnet operation^[31], but has further expanded it.

At this point, since the news is still quite young at the time that this article was written, the world must wait to see what action the government will attempt to take against Snowden. Reuters had already reported the previous day that the government is likely to open a criminal probe into the NSA leaks^[51].

James Clapper, the director of U.S. national intelligence, condemned the leaks and asserted that the news articles about PRISM contained “numerous inaccuracies.”^[51]

There is a great deal to think about. Even though the evidence against the NSA dates far back^[4], the recent revelations invoke emotions that are difficult to describe. With countless individuals working to sift through the information, the Obama administration under attack and nobody knowing if the Guardian is sitting on even more information, the entire world will continue to watch impatiently...and act.

While all this is going on, it would be useful to reiterate certain privacy and security topics that have already been covered at large. Firstly, consider checking out the EFF's Surveillance Self-Defense^[53] website, which contains information on a number of topics including anonymity and how to respond to court orders. Consider using Tor for anonymity^[54] online (but recognize that it is not a full solution in itself). Consider keeping your data to yourself^[55] rather than storing it on “cloud” services—Richard Stallman explains how Software as a Service (SaaS) differs in dangers from proprietary software^[56]. Consider using only free software^[57] to limit further sacrifices in personal freedom and to limit the information that corporations and third parties collect from you while using your computer and other devices. Finally, if you have information that you want to leak to the press (whether or not you are an NSA employee^[58]), you may be able to consider tools such as The New Yorker's Strongbox^[60]; it uses software created by Aaron Swartz^[61] shortly before his untimely death early this year.

Finally, aid senators like Rand Paul in developing legislation to curb the powers of the government^[62]. We must also do our best to fight for the rights of brave whistleblowers like Snowden. To end with the words of the EFF, “we need a new church committee and we need it now”^[41].

^[0] http://mikegerwitz.com/ Re: Who Does Skype Let Spy; a response to Schneier's article.

^[1] https://www.schneier.com/essay-418.html The Internet Is a Surveillance State

^[2] https://www.eff.org/nsa-spying The EFF on NSA Spying

^[3] https://www.eff.org/agency/national-security-agency The National Security Agency

^[4] https://www.eff.org/nsa-spying/timeline Timeline of NSA Spying

^[5] http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order NSA collecting phone records of millions of Verizon customers daily

^[6] http://s3.documentcloud.org/documents/709012/verizon.pdf PDF of the FISA Court order to Verizon.

^[7] http://s3.documentcloud.org/documents/709012/verizon.txt Ibid; plain text version.

^[8] https://www.eff.org/deeplinks/2013/06/confirmed-nsa-spying-millions-americans Confirmed: NSA Spying on Millions of Americans

^[9] https://www.eff.org/deeplinks/2011/10/ten-years-later-look-three-scariest-provisions-usa-patriot-act Three Scariest Provisions of thet USA Patriot Act

^[10] http://mikegerwitz.com/ Federal Judge Declares National Security Letters Unconstitutional

^[11] http://www.theatlantic.com/politics/archive/2013/06/what-we-dont-know-about-spying-on-citizens-scarier-than-what-we-know/276607/ Bruce Schneier comments on NSA leak.

^[12] https://www.eff.org/cases/jewel Jewel v. NSA

^[13] https://www.eff.org/cases/hepting Hepting v. AT&T

^[14] http://mikegerwitz.com/ Privacy In Light of the Petraeus Scandal

^[15] http://mikegerwitz.com/ Google Says the FBI Is Secretly Spying on Some of Its Customers

^[16] http://blogs.wsj.com/washwire/2013/06/07/transcript-what-obama-said-on-nsa-controversy/ Obama on the NSA controversy.

^[17] https://www.eff.org/deeplinks/2013/05/congressional-outrage-over-ap-phone-records Congressional outrate of AP phone records.

^[18] https://www.eff.org/deeplinks/2013/05/doj-subpoena-ap-journalists-shows-need-protect-calling-records

^[19] http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

^[20] http://googleblog.blogspot.com/2013/06/what.html Larry Page denies PRISM involvement.

^[21] https://www.facebook.com/zuck/posts/10100828955847631 Mark Zuckerberg denies PRISM involvement.

^[22] http://www.guardian.co.uk/world/2013/jun/07/google-facebook-prism-surveillance-program

^[23] http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information James Clapper—Directory of National Intelligence—declassifies information pertaining to the “business records” provision of FISA.

^[24] https://www.eff.org/deeplinks/2013/06/why-metadata-matters The EFF describes why telephony metadata can have a significant impact on our privacy.

^[25] http://mashable.com/2013/06/08/china-hack-nsa/ What if crackers get a hold of the NSA's databases?

^[26] http://rt.com/usa/us-chinese-report-defense-888/ The Chinese crack into Pentagon systems.

^[27] https://www.eff.org/file/28823 Public unredacted Mark Klein declaration; Hepting v. AT&T^[13]

^[28] https://www.eff.org/pages/case-against-retroactive-amnesty-telecoms The Case Against Retroactive Amnesty for Telecoms.

^[29] http://www.govtrack.us/congress/bills/110/hr6304/text FISA Amendments Act (FAA).

^[30] https://www.eff.org/press/releases/three-nsa-whistleblowers-back-effs-lawsuit-over-governments-massive-spying-program Three NSA whistleblowers back the EFF in Jewel v. NSA^[12].

^[31] https://www.eff.org/node/72021 Summary of Voluminous Evidence, Jewel v. NSA^[12].

^[32] Ibid.^[31] 157 Cong. Rec. S3372--3402, S3386 (May 26, 2011) [Vol. VI, Ex. 111, p. 4286] (Statement of Sen. Ron Wyden, On Patriot Act Reauthorization)

^[33] Ibid.^[31] PBS Frontline, Spying on the Homefront, Interview with John C. Yoo at 4 (Jan. 10, 2007) [Vol. I, Ex. 10, p. 394]

^[34] Ibid.^[31] Press Briefing by Att’y Gen. Alberto Gonzalez and Gen. Michael Hayden, Principal Dep. Dir. for Nat’l Intelligence (Dec. 19, 2005)

^[35] Ibid.^[31] Preserving the Rule of Law in the Fight Against Terror: Hearing before the S. Comm. on the Judiciary, 110th Cong. 7 (Oct. 2, 2007) [Vol. III, Ex. 42, p. 1307] (testimony of Jack Goldsmith)

^[36] Ibid.^[31] Press Briefing by Att’y Gen. Alberto Gonzalez and Gen. Michael Hayden, Principal Dep. Dir. for Nat’l Intelligence (Dec. 19, 2005)

^[37] Ibid.^[31] Remarks by Gen. Michael Hayden, Address to the National Press Club, Washington, D.C. (Jan. 23, 2006) [Vol. IV, Ex. 73, p. 1809]

^[38] http://www.nytimes.com/2009/04/16/us/16nsa.html?pagewanted=all Officials Say U.S. Wiretaps Exceeded Law

^[39] http://www.wyden.senate.gov/news/press-releases/wyden-statement-on-alleged-large-scale-collection-of-phone-records Ron Wyden comments on the collection of Verizon phone records

^[40] https://www.eff.org/deeplinks/2013/06/government-asks-more-time-eff-surveillance-cases In Light of NSA Revelations, Government Asks for More Time in EFF Surveillance Cases

^[41] https://www.eff.org/deeplinks/2013/06/response-nsa-we-need-new-church-commission-and-we-need-it-now In Response to the NSA, We Need A New Church Committee and We Need It Now

^[42] http://www.theweek.co.uk/us/53475/white-house-admits-it-has-access-facebook-google White House admits it has “access” to Facebook, Google

^[43] http://www.guardian.co.uk/world/2013/jun/07/google-facebook-prism-surveillance-program Facebook and Google insist they did not know of Prism surveillance program

^[44] https://plus.google.com/+YonatanZunger/posts/huwQsphBron Yonatan Zunger—Chief Architect at Google—expresses his distaste of PRISM

^[45] http://theweek.com/article/index/245311/sources-nsa-sucks-in-data-from-50-companies Sources: NSA sucks in data from 50 companies.

^[46] http://theweek.com/article/index/245360/solving-the-mystery-of-prism Solving the mystery of PRISM

^[47] http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server-collection-facebook-google NSA's Prism surveillance program: how it works and what it can do.

^[48] http://www.guardian.co.uk/world/2013/jun/08/obama-response-nsa-surveillance-democrats Obama deflects criticism over NSA surveillance as Democrats sound alarm.

^[49] http://www.nytimes.com/2013/06/08/technology/tech-companies-bristling-concede-to-government-surveillance-efforts.html?ref=global-home&_r=2&pagewanted=all&; Tech Companies Concede to Surveillance Program

^[50] http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance Edward Snowden: the whistleblower behind the NSA surveillance revelations.

^[51] http://www.reuters.com/article/2013/06/08/us-usa-security-leaks-idUSBRE95700C20130608 Government likely to open criminal probe into NSA leaks: officials.

^[52] http://www.forbes.com/sites/andygreenberg/2013/06/09/icelandic-legislator-im-ready-to-help-nsa-whistleblower-seek-asylum/ Icelandic Legislator: I'm Ready To Help NSA Whistleblower Edward Snowden Seek Asylum

^[53] https://ssd.eff.org/ EFF Surveillance Self-Defense.

^[54] https://www.torproject.org/ The Tor project offers anonymity online.

^[55] http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman Cloud computing is a trap, warns GNU founder Richard Stallman

^[56] http://www.gnu.org/philosophy/who-does-that-server-really-serve.html Who does that server really serve?

^[57] http://www.gnu.org/philosophy/free-sw.html What is free software?

^[58] http://www.whistleblowers.org/index.php?option=com_content&task=view&id=984&Itemid=173 National Security Employees Know Your Rights

^[59] http://www.theatlanticwire.com/politics/2011/05/obamas-war-whistle-blowers/38106/ Obama's War on Whistle-Blowers

^[60] http://www.newyorker.com/strongbox/ The New Yorker Strongbox

^[61] http://www.newyorker.com/online/blogs/newsdesk/2013/05/strongbox-and-aaron-swartz.html Strongbox and Aaron Swartz

^[62] http://abcnews.go.com/blogs/politics/2013/06/rand-paul-bill-would-curb-nsa-on-phone-records/ Rand Paul Bill Would Curb NSA on Phone Records

Since all this content is static, there is no discussion system. I am still debating whether or not I will add this in the future. Until that time, feel free to contact me via e-mail.

The legislation passed 288-127, despite a veto threat from Pres. Barack Obama, who expressed serious concerns about the danger CISPA poses to civil liberties.^[0]

Move information on CISPA^[2] is available on the EFF's website.

^[0] https://www.eff.org/deeplinks/2013/04/us-house-representatives-shamefully-passes-cispa-internet-freedom-advocates

^[1] https://www.eff.org/deeplinks/2012/04/voices-against-cispa

^[2] https://www.eff.org/cybersecurity-bill-faq

The Award for the Advancement of Free Software is given annually to an individual who has made a great contribution to the progress and development of free software, through activities that accord with the spirit of free software.^[1]

^[0] http://fsf.org

^[1] https://www.fsf.org/news/2012-free-software-award-winners-announced-2

^[2] http://openmrs.org/

Hollywood is at it again. Its latest ploy to take over the Web? Use its influence at the World Wide Web Consortium (W3C) to weave Digital Restrictions Management (DRM)^[4] into HTML5 -- in other words, into the very fabric of the Web.

[...]

Help us reach 50,000 signers by May 3rd, 2013, the International Day Against DRM^[3]. We will deliver the signatures to the W3C (they are right down the street from us!) and make your voice heard.^[1]

To summarize the issue as stated by the EFF:

W3C is there to create comprehensible, publicly-implementable standards that will guarantee interoperability, not to facilitate an explosion of new mutually-incompatible software and of sites and services that can only be accessed by particular devices or applications. But EME is a proposal to bring exactly that dysfunctional dynamic into HTML5, even risking a return to the "bad old days, before the Web"^[5] of deliberately limited interoperability.

it would be a terrible mistake for the Web community to leave the door open for Hollywood's gangrenous anti-technology culture to infect W3C standards.^[1]

So please—sign the petition now^[2]!

^[0] http://mikegerwitz.com/

^[1] https://www.eff.org/deeplinks/2013/03/defend-open-web-keep-drm-out-w3c-standards

^[2] http://www.defectivebydesign.org/no-drm-in-html5

^[3] http://www.defectivebydesign.org/dayagainstdrm

^[4] http://www.defectivebydesign.org/what_is_drm

^[5] http://www.anybrowser.org/campaign/index.html

In today's ruling, the court held that the gag order provisions of the statute violate the First Amendment and that the review procedures violate separation of powers. Because those provisions were not separable from the rest of the statute, the court declared the entire statute unconstitutional.^[1]

U.S. District Judge Susan Illston ordered the government to stop issuing so-called NSLs across the board, in a stunning defeat for the Obama administration’s surveillance practices. She also ordered the government to cease enforcing the gag provision in any other cases. However, she stayed her order for 90 days to give the government a chance to appeal to the Ninth Circuit Court of Appeals.^[0]

^[0] http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/

^[1] https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules

^[2] https://www.eff.org/issues/national-security-letters

^[3] http://mikegerwitz.com/

[Tim Berners-Lee] did not, however, present himself as an opponent of digital locks. During a post-talk Q&A, he defended proposals to add support for “digital rights management” usage restrictions to HTML5 as necessary to get more content on the open Web: "If we don't put the hooks for the use of DRM in, people will just go back to using Flash," he claimed.^[4]

These are but a small handful of examples of the many mistakes and injustices of Digital Restrictions Management^[5]. These restrictions take additional effort—that is, development time, which also means more money—to build into software; computers, by their very nature, do exactly as they are told, meaning that they can only work against you if someone else tells it to (unless you tell your computer to make your life miserable...if you're into that sort of thing). As such, we refer to these restrictions as “anti-features”^[23].

Corporations claim that DRM is necessary to fight copyright infringement online and keep consumers safe from viruses. But there's no evidence that DRM helps fight either of those. Instead DRM helps big business stifle innovation and competition by making it easy to quash “unauthorized” uses of media and technology.^[5]

It is clear that user domains (eg eBook trading, sub-rights trading, streaming music, etc.) each require sets of Rights Primitives that those domains wish do useful things with.^[16]

The social value of the Web is that it enables human communication, commerce, and opportunities to share knowledge. One of W3C's primary goals is to make these benefits available to all people, whatever their hardware, software, network infrastructure, native language, culture, geographical location, or physical or mental ability.^[19]

Richard Stallman has already announced that the FSF will “campaign against W3C support for DRM”^[20]; let's hope that many others will join in on this campaign, hope that organizations like the EFF will continue to fight for our rights, and further hope that users will reject DRM-laden products^[22] outright. DRM cannot exist in free software^[25] and it cannot exist on a network that facilitates free information.

^[0] http://www.defectivebydesign.org/what_is_drm (Disclaimer: I am an associate member of the Free Software Foundation^[2] and, as such, this reference is intentionally bias; feel free to see the Wikipedia article on DRM^[3] for more general information.)

^[1] http://www.defectivebydesign.org/

^[2] http://fsf.org

^[3] https://en.wikipedia.org/wiki/Digital_rights_management

^[4] http://boingboing.net/2013/03/10/tim-berners-lee-the-web-needs.html

^[5] https://www.eff.org/issues/drm

^[6] http://www.amazon.com/gp/help/customer/display.html?nodeId=200549320

^[7] http://www.defectivebydesign.org/blog/1248

^[8] http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html

^[9] http://arstechnica.com/apple/2011/02/ibooks-to-jailbreakers-no-yuo/ (I go into more detail on jailbreaking and its current legality as of the time of writing in a previous article of mine^[10].)

^[10] http://mikegerwitz.com/

^[11] http://mikegerwitz.com/

^[12] https://www.eff.org/deeplinks/2013/03/tale-simcity-users-struggle-against-onerous-drm

^[13] http://venturebeat.com/2012/10/12/together-html5-and-drm-can-take-out-native-apps/

^[14] http://mikegerwitz.com/

^[15] http://www.guardian.co.uk/technology/blog/2013/mar/12/tim-berners-lee-drm-cory-doctorow

^[16] http://www.w3.org/2000/12/drm-ws/

^[17] https://www.fsf.org/bulletin/e-books-must-increase-our-freedom-not-decrease-it

^[18] http://www.w3.org/People/Berners-Lee/

^[19] http://www.w3.org/Consortium/mission#principles

^[20] http://lists.libreplanet.org/archive/html/libreplanet-discuss/2013-03/msg00007.html

^[21] https://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve

^[22] http://www.defectivebydesign.org/guide

^[23] https://www.fsf.org/bulletin/2007/fall/antifeatures/

^[24] https://www.gnu.org/philosophy/right-to-read.html

^[25] https://www.gnu.org/philosophy/can-you-trust.html

^[26] https://www.gnu.org/philosophy/who-does-that-server-really-serve.html

The White House agrees with the 114,000+ of you who believe that consumers should be able to unlock their cell phones without risking criminal or other penalties. In fact, we believe the same principle should also apply to tablets, which are increasingly similar to smart phones. And if you have paid for your mobile device, and aren't bound by a service agreement or other obligation, you should be able to use it on another network. It's common sense, crucial for protecting consumer choice, and important for ensuring we continue to have the vibrant, competitive wireless market that delivers innovative products and solid service to meet consumers' needs.^[0]

However, although this response is getting a lot of attention (I was surprised to see my local news station report on it), this is not yet cause for celebration; it is my hope that the White House will now follow through with this statement and act upon it appropriately.

(The EFF has also posted their own comments on the White House's response^[4].)

This is just one issue in a string of problems that is the DMCA^[5].

^[0] https://petitions.whitehouse.gov/petition/make-unlocking-cell-phones-legal/1g9KhZG7

^[1] https://news.ycombinator.com/item?id=5319577

^[2] http://mikegerwitz.com/

^[3] https://www.eff.org/is-it-illegal-to-unlock-a-phone

^[4] https://www.eff.org/deeplinks/2013/03/white-house-supports-unlocking-phones-real-problem-runs-deeper

^[5] https://www.eff.org/wp/unintended-consequences-under-dmca

Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised University account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.^[0]

This may very well be the case—the Oxford IT department probably does have a better understanding of security than many of their users. However, by blocking access to Google Docs, they are also blocking access to millions of legitimate articles hosted there, which is far from acceptable. Oxford is more than just a workplace—for which many would argue these actions are acceptable; it is a university that should encourage freedom of expression. They simply must find a better way of dealing with these problems. If a user falls victim to a phishing attack within Oxford, they will likely fall victim outside of it.

Would Oxford consider blocking e-mail access too (where phishing attacks are very cheap and common)?

We appreciate and apologise for the disruption this caused for our users. Nevertheless, we must always think in terms of the overall risk to the University as a whole, and we certainly cannot rule out taking such action again in future ...^[0]

^[0] http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/

^[1] https://www.schneier.com/blog/archives/2013/03/oxford_universi.html

^[2] https://www.schneier.com/essay-406.html

^[3] http://mikegerwitz.com/ (I posted a link to my response on his blog, but he did not approve the comment.)

That is not to say that “OOP is bad” (just as object-oriented developers often consider procedural code bad, when they may just be terrible at writing procedural code). Indeed, I wrote an ECMAScript framework for Classical OOP (ease.js)^[1]. The problem is that, with the excitement and misunderstandings that surround “good” object-oriented design, designers are eager to over-abstract their implementations (I have been guilty of the same thing). Object oriented programming is often taught to novice CS students (often with the reign of Java in schools)—teaching practices that can be good principles when properly applied and in moderation—which I have also seen contribute to such madness.^[2]

Abstractions are highly important, but only when necessary and when they lead to more concise representations of the problem than would otherwise occur (note that some problems are inherently complicated and, as such, a concise representation may not seen concise). I'm a strong advocate of DSLs when abstractions begin to get in the way and increase the verbosity of the code (languages with strong macro systems like lisp help eliminate the need for DSLs written from scratch)—design patterns exist because of deficiencies in the language: They are “patterns” of code commonly used to achieve a certain effect.

Criticisms against OOP are abundant^[3], just as every other paradigm.

^[0] https://github.com/Herzult/SimplePHPEasyPlus

^[1] http://easejs.org

^[2] http://c2.com/cgi/wiki?TextbookOo

^[3] http://c2.com/cgi/wiki?ArgumentsAgainstOop

^[4] Design Patterns: Elements of Reusable Object-Oriented Software. ISBN 0-201-63361-2. Gamma, Helm, Johnson and Vlissides (the "Gang of Four").

Google said the number of accounts connected to National Security letters ranged between “1000-1999″ for each of the reported years other than 2010. In that year, the range was “2000-2999.”

And it's even worse for FISA subpoenas, which can be used to force anyone to hand over anything in complete secrecy, and which were greatly strengthened by Section 215 of the USA PATRIOT Act. The government doesn't have to show probable cause that the target is a foreign power or agent — only that they are seeking the requested records "for" an intelligence or terrorism investigation. Once the government makes this assertion, the court must issue the subpoena.^[1]

FISA orders and National Security Letters will also come with a gag order that forbids you from discussing them. Do NOT violate the gag order. Only speak to members of your organization whose participation is necessary to comply with the order, and your lawyer.^[1]

^[0] http://www.wired.com/threatlevel/2013/03/google-nsl-range/?cid=co6199824

^[1] https://ssd.eff.org/foreign/fisa

It is also saddening reading the words of such a great man who is no longer with us; perhaps it helps to better appreciate his legacy.

^[0] http://cm.bell-labs.com/cm/cs/who/dmr/primevalC.html

^[1] http://www.catb.org/~esr/jargon/html/K/kludge.html

^[0] http://www.fsf.org/news/winners-announced-for-free-software-gamings-highest-honor-the-liberated-pixel-cup

^[1] http://lpc.opengameart.org/content/code-judging-is-in

^[0] https://www.eff.org/deeplinks/2013/02/cispas-back-faq-what-it-and-why-its-still-dangerous

^[0] https://www.eff.org/is-it-illegal-to-unlock-a-phone

To quote Schneier:^[0]

We have no choice but to trust Microsoft. Microsoft has reasons to be trustworthy, but they also have reasons to betray our trust in favor of other interests. And all we can do is ask them nicely to tell us first.

Skype is a useful demonstration of the unfortunate situation that many users place themselves in by trusting their private data to Microsoft. Skype itself is proprietary—we cannot inspect its source code (easily) in order to ensure that it is respecting our privacy. (Indeed, as a user on the HackerNews discussion^[6] pointed out, Skype has installed undesirable software in the past.^[7]) If Skype were free software^[8], we would be able to inspect its source code and modify it to suit our needs, ensuring that the software did only what we wanted it to do—ensuring that Microsoft was not in control of us.

However, even if Skype were free software, there is another issue at work that is often overlooked by users: Software as a Service (SaaS). When you make use of services that are hosted on remote servers (often called “cloud” services)—such as with Skype, Facebook, Twitter, Flickr, Instagram, iTunes, iCloud and many other popular services—you are blindly entrusting your data to them. Even if the Skype software were free (as in freedom), for example, we still cannot know what their servers are doing with the data we provide to them^[9]. Even if Skype's source code was plainly visible, the servers act as a black box. Do they monitor your calls? Does Facebook abuse your data?^[10] How is that data stored—what happens in the event of a data breach, or in the event of a warrant/subpoena?^[1]

The only way to be safe from these providers is to reject these services entirely and use your own software on your own PC, or use software that will connect directly to your intended recipient without going through a 3rd party.^[9] (Never mind your ISP; that is a separate issue entirely.) If you must use a 3rd party service, ensure that you can adequately encrypt your communications (e.g. using GPG to encrypt e-mail communications)—something that may not necessarily be easy/possible to do, especially if the software is proprietary and works against you.

The EFF has published useful information on protecting yourself against surveillance^[11], covering topics such as encryption and anonymization.

If we are to resist the worlds that Lessig^[4] and Schneier^[3] describe, then we must stand up for our right to privacy and demand action^[12]. Who will have your back^[13] when we're on the brink of “perfect regulation”^[4]; who will stand up for your rights and work with you—not against you—to preserve your liberties? Without this push, services like Skype empower governments and other entities to work toward perfect regulation—to continuously spy on everything that we do. With everyone putting their every thought and movement on services like Facebook, Twitter^[14] and Skype, the Orwellian Thought Police^[5] have the ability to manifest in a form that not even Orwell could have imagined—unless it is stopped.

To help preserve your ever-dwindling rights online,^[15] consider becoming a member of or participating in the campaigns of the Free Software Foundation^[16], Electronic Frontier Foundation^[17], the American Civil Liberties Union^[18] or any other organizations dedicated toward free society.

(Disclaimer: I am a member of the Free Software Foundation.)

^[0] http://www.schneier.com/blog/archives/2013/01/who_does_skype.html

^[1] http://www.skypeopenletter.com/

^[2] http://www.schneier.com/essay-406.html

^[3] http://www.schneier.com/essay-409.html

^[4] http://codev2.cc/

^[5] Orwell, George. Nineteen Eighty-Four. ISBN 978-0-452-28423-4.

^[6] http://news.ycombinator.com/item?id=5139801

^[7] http://blogs.skype.com/garage/2011/05/easybits_update_disabled_for_s.html

^[8] http://www.gnu.org/philosophy/free-sw.html

^[9] http://www.gnu.org/philosophy/who-does-that-server-really-serve.html

^[10] https://www.eff.org/deeplinks/2013/01/facebook-graph-search-privacy-control-you-still-dont-have

^[11] https://ssd.eff.org

^[12] https://www.eff.org/deeplinks/2013/01/its-time-transparency-reports-become-new-normal

^[13] https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back

^[14] https://www.eff.org/deeplinks/2013/01/google-twitters-new-transparency-report-shows-increase-government-demands-sheds

^[15] https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8750

^[16] http://www.fsf.org/register_form?referrer=5804

^[17] https://supporters.eff.org/donate

^[18] https://www.aclu.org/donate/join-renew-give

Unless the Free Software Foundation becomes more accomodating [sic] of these open-source developers -- who should all share a common goal of wanting to expand free/open-source software -- LibreDWG is likely another project that will ultimately waste away and go without seeing any major adoption due to not working with the GPLv2.

The Free Software Foundation was contacted about making LibreDWG GPLv2+ instead (since the FSF is the copyright holder), but the FSF/Richard Stallman doesn't the DWG library on the earlier version of their own open-source license.

From this perspective, it does not make sense to “downgrade” LibreDWG's license to the GPLv2, which contains various bugs that have since been patched in GPLv3—it is not pursuant to the FSF's goals. (Of course, not all agree with the GPLv3; one such notable disagreement (as well as issues stemming from copyright assignment) leaves the kernel Linux perpetually licensed under the GPLv2^[7] since it does not contain the “or later” clause^[8]).

That is not to say that the author's concern is not legitimate—a number of projects are licensed under the GPLv2 and therefore cannot use the newer (and improved) versions of LibreDWG that are licensed under the GPLv3 (unless they were to upgrade to the GPLv3, of course). Whether or not upgrading is feasible (e.g., in the case of the kernel Linux, it is not) is irrelevant—let us instead focus on the issue of adoption under the assumption that the project is either unwilling or unable to make use of a library licensed under the GPLv3.

As aforementioned, the author focuses on the issue of adoption^[0]:

LibreDWG is likely [...to] go without seeing any major adoption due to not working with the GPLv2

A reader familiar with GNU may then point out the LGPL—the Lesser General Public License—under which popular (and very important) libraries such as glibc are licensed.^[10] In fact, one could extend this argument to any library—why not have LibreDWG licensed under the LGPL to avoid this problem in its entirety, while still preserving the users' freedoms for that library in itself? This understanding requires a brief lesson in history—the rationale under which the LGPL was born. To quote the GNU project:^[11]

Using the ordinary GPL is not advantageous for every library. There are reasons that can make it better to use the Lesser GPL in certain cases. The most common case is when a free library's features are readily available for proprietary software through other alternative libraries. In that case, the library cannot give free software any particular advantage, so it is better to use the Lesser GPL for that library.

What is important is that the FSF does not recommend the LGPL for most libraries^[11] because that would encourage proprietary software developers to take advantage of both the hard work of the free software community and the users of the software. Now, I cannot speak toward the alternatives to LibreDWG—do there exist proprietary alternatives that are reasonable alternatives to non-commercial projects? I do not have experience with the library. However, I hope by this point the FSF's position has been rationalize (even if you—the reader—do not agree with it).

Of course, this rationalization will still leave a sour taste in the mouth of those “open source” developers (or perhaps even some free software developers) that think in terms of what is “lost”: these projects—which are themselves free software and therefore beneficial to our community—cannot take advantage of other free software due to this licensing issue. Since these projects had already existed when LibreDWG was licensed under the GPLv2, the relicensing to GPLv3 may seem unfair and, therefore, a “loss”. It is difficult to counter such an argument if the above rationale has not been sufficient; nor will I argue that the situation is not unfortunate, should the projects be unable to relicense. However, it must be understood that, to ensure the future of free software, the FSF must adopt to combat today's threats and so too must other free software projects.

The Phoronix article mentioned two projects in particular that suffer from LibreDWG's relicensing: LibreCAD and FreeCAD.^[0] LibreCAD omits the “or later” clause that was mentioned above, preventing them from easily migrating to the GPLv2 (which is against the FSF's recommendation^[12]). Unless the project requires that contributors assign copyright to the project owner, then they would have to get permission from each contributor (or rewrite the code) in order to change the license (which is not unheard of; VLC had done so recently to migrate from the GPL to the LGPL^[13]); this is a significant barrier for any project with multiple contributors, especially when your project is a derivative work (of QCad).

The other project mention was FreeCAD, and the author of the article mentions that the project depends on Coin3D and Open CASCADE, “both of which are GPLv2”, so the project cannot migrate to GPLv3.^[0] A quick look at Coin3D's website shows that the software is actually licensed under the modified (3-clause) BSD license, and so migrating to the GPLv3 is not an issue.^[15] Open CASCADE has its own “public license” that I do not have the time to evaluate (nor am I lawyer, so I do not wish to give such advice), so I cannot speak to its compatibility with the GPLv3. That said, I'm unsure if it would be a barrier toward FreeCAD's adoption of the GPLv3.

Ultimately, the moral of the story is to plan for the future—if you use a project licensed under the GPL, ensure that it has the “or later” clause that allows it to be licensed under later version of the GPL, since you can be sure that the FSF and many other free software developers will be quick to adopt the license. Of course, many may not be comfortable with such a licensing decision: you effectively are giving the FSF permission to relicense you work by simply releasing a new version of the GPL. It is your decision whether you are willing to place this kind of trust in the organization responsible for starting the free software movement in the first place.

Readers may now assume that I am placing the entire blame and onus on the implementors of LibreDWG. The onus, perhaps, but not the blame—this truly is an unfortunate circumstance that takes away from hacking a free software project. Unfortunately, the projects are stuck in a bad place, but the FSF is not to blame for standing firm in their ideals. Instead, this can be thought of as a maintenance issue—rather than a source code refactoring resulting from a library API change, we instead require a “legal code” refactoring resulting from a “legal API” change.

^[0] http://www.phoronix.com/scan.php?page=news_item&px=MTI4Mjc

^[1] http://www.gnu.org/licenses/gpl-faq.html#WhatDoesCompatMean

^[2] http://www.gnu.org/philosophy/open-source-misses-the-point.html

^[3] http://www.fsf.org/about/

^[4] http://www.gnu.org/licenses/quick-guide-gplv3.html

^[5] http://www.gnu.org/copyleft/

^[6] http://www.gnu.org/licenses/rms-why-gplv3.html

^[7] http://lwn.net/Articles/200422/

^[8] http://www.gnu.org/licenses/gpl-faq.html#v2v3Compatibility

^[9] http://www.gnu.org/philosophy/free-sw.html

^[10] http://www.gnu.org/licenses/lgpl.html

^[11] http://www.gnu.org/licenses/why-not-lgpl.html

^[12] http://www.gnu.org/licenses/gpl-howto.html

^[13] http://mikegerwitz.com/thoughts/2012/11/VLC-s-Move-to-LGPL.html

^[14] https://bitbucket.org/Coin3D/coin/wiki/Home

^[15] http://www.gnu.org/licenses/license-list.html#ModifiedBSD

^[16] http://www.opencascade.org/getocc/license/

This is a positive development, but unfortunately there has been a lot of negative reaction in the comments on their announcement.

It'd be great if people could chime in and support them their move away from DRM.

At first glance, certain authors seem to be concerned that the absense of DRM will lead to “more illegal file sharing”^[0]:

[...] I’ve got copies of my non-DRM ebooks all over the torrent sites and thousands of downloads registered, for which I haven’t received a cent. As soon as you push for them to be taken down, they’re posted up again.

While it is unfortunate that those authors are not receiving compensation for their hard work, it should be noted that this problem exists even with DRM, so it is not a valid argument toward keeping it.

Companies like Amazon, Apple and Barnes & Noble integrate a reader’s experience from purchasing to downloading and finally to reading. These companies do a fantastic job in this area, and eBooks published through Lulu and distributed through these retail sites will continue to have the same rights management applied as they do today.

^[0] http://www.lulu.com/blog/2013/01/drm-update/

^[1] http://defectivebydesign.org/