self-hosting-advocacy/harmful-communications-201910
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Under pressure!

Browse source
This commit is contained in:
Éibhear Ó hAnluain 2019-09-14 16:28:36 +01:00
parent 909f59763d
commit b34ef48974
1 changed files with 211 additions and 194 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

405
HarmfulCommunications201908.org
View file

@ -130,11 +130,11 @@
*** Online Harrassment, harmful communications and related offences
*Possible issues for address*
**** Definition of communication in legislation
1. There are currently significant gaps in legislation with
regard to harassment and newer, more modern forms of
communication. Is there a need to expand the definition of
communications to include online and digital communications
tools such as WhatsApp, Facebook, Snapchat, etc. when
1. There are currently significant gaps in legislation with
regard to harassment and newer, more modern forms of
communication. Is there a need to expand the definition of
communications to include online and digital communications
tools such as WhatsApp, Facebook, Snapchat, etc. when
addressing crimes of bullying or harassment?
- Éibhear comment :: (/Address in introduction/) It is
necessary not to assume that the current services that
@ -357,83 +357,76 @@
(early 2018) and relevant. However it's not alone, and as we look at
pending legislation coming to us both domestically and from the EU,
it's hard not to see the same failures repeating:
- Pat Rabbitte's and
- Pat Rabbitte's and Lorraine Higgins' bills, since withdrawn
- The EU Terrorism Content Directive...
- The new Copyright Directive...
-
** CONSTODO The nature of the internet from the perspective of the technology
* CONSTODO Self-hosting
** CONSTODO Self-hosting
For the purposes of this submission, /self-hosting/ is where an
individual or small group has opted to provide their own internet
services, making use either of computer capacity provided by an ISP
(for example, Blacknight.com, Amazon AWS) or by maintaining the
computer technology themselves.
The services that the self-hoster exposes, then, are either
developed specifically by the self-hoster or runs software that has
been installed by the self-hoster.
The self-hoster also takes responsibility for the quality of the
service that they provide, including ensuring that it is kept
running and updates are applied appropriately, and so on.
This submission is primarilty concerned about self-hosting as a
hobby and self-hosting engaged in by charity, non-governmental or
community organisations. However, self-hosting for commercial
purposes is a valid use-case, but implications of regulations on
self-hosting has more a direct implication on the former use-cases,
as the effect of poor regulation on vulnerable people would be more
direct, immediate and serious.
*** Why self-host?
There is a myriad of reasons for choosing to host one's own
service. Some examples might be:
** CONSTODO How accessible is self-hosting.
*** CONSTODO Technical protocols
Formally, "the Internet" is a mechanism for identifying computers
on a network, and for ensuring that messages from one computer on
the network get to another computer. For this purpose, each
computer is assigned an address (e.g. 78.153.214.9). This system
is called The Internet Protocol[fn:IP:[[https://tools.ietf.org/html/rfc791][As defined in RFC 791:
https://tools.ietf.org/html/rfc791]]].
In a previous, similar, submission[fn:dccae:Available [[http://www.gibiris.org/eo-blog/posts/2019/04/15_harmful-content-consultation.html][here]] and
[[https://www.dccae.gov.ie/en-ie/communications/consultations/Documents/86/submissions/Eibhear_O_HAnluain.pdf][here]].], I provide an outline of the challenges before someone who
wants to set up their own services. There are few, and they are
small. In summary, the reasons for this are:
- The Internet is mechanism for computers to find each other and
then to share information with each other. The mechanism is
defined in a set of publicly-available documents describing the
relevant protocols.
- Due to the maturity and age of these protocols, software needed
to use them is now abundant and trivially easy to get and
install and run on a computer. Such software is also very easy
to develop for moderately-skilled software engineers.
- Neither the protocols that define, nor the software that
implement the internet regard any computer to be superior or
inferior to any other computer. For this reason, there is no
cost or capacity barrier for someone to cross in order to run an
internet service: if you have the software, and the internet
connection, then you can expose such a service.
These dotted-notation addresses are associated with more
easy-to-remember name-based addresses by means of a system called
the "Domain Name System"[fn:DNS:As defined by [[https://tools.ietf.org/html/rfc1034][RFC 1034
(https://tools.ietf.org/html/rfc1034)]] and [[https://tools.ietf.org/html/rfc1035][RFC 1035
(https://tools.ietf.org/html/rfc1035)]].].
There are a number of protocols[fn:protocols:For the purposes of
this document, a protocol is a set of instructions detailing how
two or more computers should express queries and responses to each
other] for transmitting messages over the Internet, with two of
the more common being
"TCP"[fn:TCP:https://tools.ietf.org/html/rfc1035] and
"UDP"[fn:UDP:https://en.wikipedia.org/wiki/User_Datagram_Protocol].
The software required to implement these communications protocols
is installed onto all forms of internet-connected devices, ranging
from objects as small as (or smaller than) heart pacemakers, to as
large as the largest super-computers.
This software is not aware of the size or capacity of the device
it's installed on. Similarly, the protocols mentioned above have
no regard to the purpose its host computer has, nor to who owns
it, nor to how large it is.
The "World Wide Web" (the Web), from a technological perspective,
is /not/ the Internet. The Web is a set of defined protocols that
make use of the Internet. Unlike the Internet and transmission
protocols -- which are designed to require each computer to regard
all others are peers -- the Web operates a little more on a
client-server basis: the software package, often referred to as a
web browser, on one computer is used to request specific
information from the software package, often referred to as the
web server, on the other computer.
However, despite the "client-server" nature of the Web, due to the
simplicity of the software needed for a computer to be a web
server, you can find web serving software operating on extremely
small "IoT" devices.
*** CONSTODO Low barrier of entry for useful technology
The above demonstrates that someone with a computer, a connection
to the internet and sufficient time and determination can set up a
web service that will function just like the services we're all
familiar with.
This is exemplified by the development of certain internet-related
technology in recent decades:
- The /Linux/ operating system kernel is named after its inventor,
Linus Torvalds, who started work on it in 1991 as a college
project -- he wanted to write a computer operating system that
was accessible to all, and which functioned in a specific
way. The Linux operating system now forms the basis of a
significant proportion of internet connected computing devices
Clear examples from the past of how the accessibility of the
internet technologies has benefited the world include the following:
- The /Linux/ operating system kernel began life in 1991 as a
college project -- Linus Torvalds wanted to write a computer
operating system that was accessible to all. Linux-based
operating systems now form the basis of a significant proportion
of internet connected computing devices
globally[fn:LinuxProportions:https://en.wikipedia.org/wiki/Usage_share_of_operating_systems]
(including 73% of smartphones and tablet computers, through
Google's Android, and somewhere between 36% and 66% of
internet-facing server computers), and 100% of supercomputers.
(including 73% of smartphones and tablet computers, somewhere
between 36% and 66% of internet-facing server computers), and
100% of supercomputers.
- The /Apache/ web server started development when a group of 8
software developers decided they wanted to add functionality to
one of the original web server software packages, /NCSA
httpd/. The Apache web server now powers 43.6% of all web
software developers wanted to add functionality to one of the
original web server software packages, /NCSA httpd/. The Apache
web server now powers 43.6% of all web
sites[fn:apacheProportions:[[https://w3techs.com/technologies/overview/web_server/all][https://w3techs.com/technologies/overview/web_server/all]]. Incidentally,
the no. 2 on that web page, with nearly 42% share of websites is
/nginx/. It also started out as a project by an individual who
@ -448,20 +441,43 @@
since the late '90s, resulting in far richer and more secure
web.
** CONSTODO Self-hosting
When we look at the main services that society is currently
struggling with, we need to consider the following historical
facts:
- Facebook started out as a crude service, developed in Mark
Zuckerberg's room in Harvard University, to allow users (men, of
course) to rate the women in the university in terms of
"hotness".
- Google started out as a search engine called
"Backrub". Development initially took place in a garage.
- eBay was originally an auction service tagged onto the personal
website of its founder, Pierre Omidyar.
- LinkedIn was initially developed in Reid Hoffman's apartment
in 2003.
- Shutterstock, a leading provider of stock images, was founded by
a photographer, John Oringer, who developed the service as a
means to make available 30,000 of his own photographs.
The ease with which internet technology can be accessed has given
rise to the explosion of services that connect people, and people
with businesses.
It is critical to note that many of these technologies and
services started out with an individual or small group developing
an idea and showing it can work *prior* to receiving the large
capital investments that result in their current dominance.
*** CONSTODO The nature of self-hosting
Both the /Linux/ operating system kernel and the /Firefox/ web
browser can be considered truly disruptive technologies. In both
of their domains, their arrival resulted in a dramatic
improvements in internet and other technologies.
All of the above technologies and services can be considered truly
disruptive. In their respective domains, their arrivals resulted in
a dramatic improvements in internet technologies and services.
This affect isn't unique to those examples. There are many
alternatives to the systems that we are familiar with, all
developed by individuals, or small, enthusiastic teams:
However, There are many alternatives to the systems that we are
familiar with, all developed by individuals, or small, enthusiastic
teams:
- /Twitter/ isn't the only micro-blogging service: there's also
/GNU Social/, /Mastodon/.
- One alternative to /Facebook/ is /diaspora*/
/GNU Social/, /Pleroma/, /Mastodon/.
- An alternative to /Facebook/ is /diaspora*/
- /Nextcloud/ and /Owncloud/ are examples of alternatives to
/Dropbox/.
@ -507,130 +523,131 @@
2 of those services, /git.gibiris.org/ and /Social Gibiris/ can
process or post user-uploaded information.
*** CONSTODO Regulation of self-hosted services
** CONSTODO Regulation of self-hosted services
While it is attractive to create regulations to manage the large,
profit-making organisations, it is imperative that such
regulations don't harm the desire of those who want to create
their own services.
While it is attractive to create regulations to manage the large,
profit-making organisations, it is imperative that such
regulations don't harm the desire of those who want to create
their own services.
Any regulation that applies liability on the service for someone
else's words or behaviour, is a regulation that can be adhered to
only by organisations with large amounts of money to hand. For
example, if the regulation was to apply liability on me for
posting made by someone else (and *somewhere* else -- these are
federated services) on the 2 implicated services that I run, I
would have to shut them down, as I would not be able to put in
place the necessary infrastructure that would mitigate my
liability[fn:copyrightDirective:This assumes that my services
aren't forced to shut down by the new EU Copyright Directive
anyway]. Given that my services are intended to provide a positive
benefit to me, my family members and my friends, and that I have
no desire to facilitate harmful behaviour on those services, a law
forcing me to shut these services down benefits no one.
Regulations that apply liability a service-provider for someone
else's behaviour, is a regulation that can be adhered to only by
organisations with large amounts of money to hand. For example, if
the regulation was to apply liability on me for a posting made by
someone else (and *somewhere* else -- these are federated services
after all) that appear on one of the services that I run, I would
have to shut them down, as I would not be able to put in place the
necessary infrastructure that would mitigate my
liability[fn:copyrightDirective:This assumes that my services
aren't forced to shut down by the new EU Copyright Directive
anyway]. Given that my services are intended to provide a positive
benefit to me, my family members and my friends, and that I have no
desire to facilitate harmful behaviour on these services, a law
forcing me to shut these services down benefits no one.
Similarly, a regulation that demands responses from services on
the assumption that the service will be manned at all times,
requires individuals who are self-hosting their services to be
available at all times (i.e. to be able to respond regardless of
whether they are asleep, or overseas on a family holiday, etc.)
Similarly, a regulation that demands responses from services on the
assumption that the service will be manned at all times, requires
individuals who are self-hosting their services to be available at
all times (i.e. to be able to respond regardless of whether they
are asleep, or overseas on a family holiday, too ill to respond,
etc.)
This submission comes from this perspective: that small operators
should not be unduly harmed by regulations; the likelihood of this
harm coming to pass is greater when such small operators are not
even considered during the development of the regulations. If the
regulations have the (hopefully unintended) effect of harming such
small operators, the result will not just be the loss of these
services, but also the loss of opportunity to make the Web richer
by means of the imposition of artificial barriers to entry. Such
regulations will inhibit the development of ideas that pop into
the heads of individuals, who will realise them with nothing more
than a computer connected to the internet.
This submission comes from this perspective: that small operators
should not be unduly harmed by regulations; the likelihood of this
harm coming to pass is greater when such small operators are not
even considered during the development of the regulations. If
regulations have the effect[fn:unintended:unintended, one hopes] of
harming such small operators, the result will not just be the loss
of these services, but also the loss of opportunity to make the Web
richer by means of the imposition of artificial barriers to
entry. Such regulations will inhibit the development of ideas that
pop into the heads of individuals, who will realise them with
nothing more than a computer connected to the internet.
** CONSTODO Abuse
* CONSTODO Abuse
All systems that seek to protect people from harmful or other
objectionable material (e.g. copyright infringement, terrorism
propaganda, etc.) have, to date, been amenable to abuse. For
example, in a recent court filing, Google claimed that 99.97% of
infringement notices it received in from a single party in January
2017 were
bogus[fn:googleTakedown:https://www.techdirt.com/articles/20170223/06160336772/google-report-9995-percent-dmca-takedown-notices-are-bot-generated-bullshit-buckshot.shtml]:
All systems that seek to protect people from harmful or other
objectionable material (e.g. copyright infringement, terrorism
propaganda, etc.) have, to date, been amenable to abuse. For
example, in a recent court filing, Google claimed that 99.97% of
infringement notices it received in from a single party in January
2017 were
bogus[fn:googleTakedown:https://www.techdirt.com/articles/20170223/06160336772/google-report-9995-percent-dmca-takedown-notices-are-bot-generated-bullshit-buckshot.shtml]:
#+BEGIN_QUOTE
A significant portion of the recent increases in DMCA submission
volumes for Google Search stem from notices that appear to be
duplicative, unnecessary, or mistaken. As we explained at the San
Francisco Roundtable, a substantial number of takedown requests
submitted to Google are for URLs that have never been in our search
index, and therefore could never have appeared in our search
results. For example, in January 2017, the most prolific submitter
submitted notices that Google honored for 16,457,433 URLs. But on
further inspection, 16,450,129 (99.97%) of those URLs were not in
our search index in the first place. Nor is this problem limited to
one submitter: in total, 99.95% of all URLs processed from our
Trusted Copyright Removal Program in January 2017 were not in our
index.
#+END_QUOTE
#+BEGIN_QUOTE
A significant portion of the recent increases in DMCA submission
volumes for Google Search stem from notices that appear to be
duplicative, unnecessary, or mistaken. As we explained at the San
Francisco Roundtable, a substantial number of takedown requests
submitted to Google are for URLs that have never been in our search
index, and therefore could never have appeared in our search
results. For example, in January 2017, the most prolific submitter
submitted notices that Google honored for 16,457,433 URLs. But on
further inspection, 16,450,129 (99.97%) of those URLs were not in
our search index in the first place. Nor is this problem limited to
one submitter: in total, 99.95% of all URLs processed from our
Trusted Copyright Removal Program in January 2017 were not in our
index.
#+END_QUOTE
Aside from the percentage of URLs noted that don't exist in
Google's index, that a single entity would submit more than 16
million URLs for delisting in a single month is staggering, and
demonstrates a compelling point: there is no downside for a
bad-faith actor seeking to take advantage of a system for
suppressing information[fn:downside:The law being used in this
specific case is the US Digital Millennium Copyright Act. It
contains a provision that claims of copyright ownership on the part
of the claimant are to be made under penalty of perjury. However,
that provision is very weak, and seems not to be a deterrent for a
determined agent:
https://torrentfreak.com/warner-bros-our-false-dmca-takedowns-are-not-a-crime-131115].
Aside from the percentage of URLs noted that don't exist in
Google's index, that a single entity would submit more than 16
million URLs for delisting in a single month is staggering, and
demonstrates a compelling point: there is no downside for a
bad-faith actor seeking to take advantage of a system for
suppressing information[fn:downside:The law being used in this
specific case is the US Digital Millennium Copyright Act. It
contains a provision that claims of copyright ownership on the part
of the claimant are to be made under penalty of perjury. However,
that provision is very weak, and seems not to be a deterrent for a
determined agent:
https://torrentfreak.com/warner-bros-our-false-dmca-takedowns-are-not-a-crime-131115].
More recently, there is the story of abuse of the GDPR's /Right to
be Forgotten/. An individual from Europe made a claim in 2014,
under the original /Right to be Forgotten/, to have stories related
to him excluded from Google searches for him. This seemed to have
been an acceptable usage under those rules. However, that this
claim was made and processed seems also to be a matter of public
interest, and some stories were written in the online press
regarding it. Subsequently, the same individual used the /Right to
be Forgotten/ to have *these* stories excluded from Google
searches.
More recently, there is the story of abuse of the GDPR's /Right to
be Forgotten/. An individual from Europe made a claim in 2014,
under the original /Right to be Forgotten/, to have stories related
to him excluded from Google searches for him. This seemed to have
been an acceptable usage under those rules. However, that this
claim was made and processed seems also to be a matter of public
interest, and some stories were written in the online press
regarding it. Subsequently, the same individual used the /Right to
be Forgotten/ to have *these* stories excluded from Google
searches.
This cat-and-mouse game continues to the extent that the individual
is (successfully) requiring Google to remove stories *about his
use* of the GDPR's /Right to be Forgotten/. Even stories that cover
*only* his /Right to be Forgotten/ claims, making no reference at
all to the original (objected-to)
story[fn:RTBF:https://www.techdirt.com/articles/20190320/09481541833]. This
is clearly an abuse of the law: Google risks serious sanction from
data protection authorities if it decides to invoke the
"... exercising the right of freedom of expression and information"
exception[fn:FoE_GPDR:GDPR, Article 17, paragraph 3(a)] and it is
determined that the exception didn't apply. However, the claimant
suffers no sanction if it is determined that the exception /does/
apply.
This cat-and-mouse game continues to the extent that the individual
is (successfully) requiring Google to remove stories *about his
use* of the GDPR's /Right to be Forgotten/. Even stories that cover
*only* his /Right to be Forgotten/ claims, making no reference at
all to the original (objected-to)
story[fn:RTBF:https://www.techdirt.com/articles/20190320/09481541833]. This
is clearly an abuse of the law: Google risks serious sanction from
data protection authorities if it decides to invoke the
"... exercising the right of freedom of expression and information"
exception[fn:FoE_GPDR:GDPR, Article 17, paragraph 3(a)] and it is
determined that the exception didn't apply. However, the claimant
suffers no sanction if it is determined that the exception /does/
apply.
In systems that facilitate censorship[fn:censorship:While seeking
to achieve a valuable and socially important goal, this
legislation, and all others of its nature, facilitates censorship:
as a society, we should not be so squeamish about admitting this.],
it is important to do more than merely assert that service
providers should protect fundamental rights for expression and
information. In a regime where sending an e-mail costs nearly
nothing, where a service risks serious penalties (up to and
including having to shutdown) and where a claimant suffers nothing
for abusive claims, the regime is guaranteed to be abused.
In systems that facilitate censorship[fn:censorship:While seeking
to achieve a valuable and socially important goal, this
legislation, and all others of its nature, facilitates censorship:
as a society, we should not be so squeamish about admitting this.],
it is important to do more than merely assert that service
providers should protect fundamental rights for expression and
information. In a regime where sending an e-mail costs nearly
nothing, where a service risks serious penalties (up to and
including having to shutdown) and where a claimant suffers nothing
for abusive claims, the regime is guaranteed to be abused.
** CONSTODO Harmful content definition
* CONSTODO Harmful content definition
This submission will not offer any suggestions as to what should be
considered "harmful content". However, I am of the belief that if
"harmful content" is not narrowly defined, the system will allow
bad actors to abuse it, and in the context where there is no risk
to making claims, and great risk in not taking down the reported
postings, loose definitions will only make it easier for
non-harmful content to be removed.
This submission will not offer any suggestions as to what should be
considered "harmful content". However, I am of the belief that if
"harmful content" is not narrowly defined, the system will allow
bad actors to abuse it, and in the context where there is no risk
to making claims, and great risk in not taking down the reported
postings, loose definitions will only make it easier for
non-harmful content to be removed.
* CONSTODO Answers to consultation questions
** CONSTODO Strand 1 -- National Legislative Proposal