Archive for the ‘technology’ Category

Take a moment, go view this video, specifically but not exclusively the supplementary questions by Jan Logie, (about 5:35) then come back to this post so you have the background you’ll need.

Done? Thanks. The Ministry of Social Development has made an outrageous decision to hold NGO funding hostage to big data collection. The level of data collection they want might not be a problem for certain NGOs, especially were to compromise and allow an opt-in basis, such as say, ones offering immunisations. But prominent organisations like NZAC1 have expressed that handing over the requested data is a breach of confidentiality and in their view unethical, and Rape Crisis have announced they will boycott government funding if they’re made to disclose any additional data. For context, rape crisis centres are constantly struggling to recieve enough community funding to provide the services they need to even with the government’s help, so this should reinforce that they view this mandatory data-sharing as an existential threat.

As someone who has done data analysis in their work, (I did it even though it wasn’t in my job description, in fact) and who even does it in my spare time to settle matters of debate, I absolutely understand the value of this data to the government, especially in targeting their social assistance dollars more effectively. (because money should be prioritised to places where we can prove it’s effective, for sure) I understand the challenges of incomplete data sets. I also understand the challenges of people misinterpreting what data they need to provide. I will even grant that the people in the government who initially requested this data will want it for nothing other than researching what the most effective types of social spending are, and that they fully intend to be ethical caretakers of people’s private information, and to store it securely.

But none of that makes it a good idea to hold hostage NGO funding to big data. Firstly, there is the obvious issue that services involving counselling or survivors of abusive behaviour absolutely, critically need to be able to provide services on a condition of strict confidentially or even complete anonymity in some cases in order to be able to help people in our society that need it the most.

Not only is it tying the hands of counsellours or volunteers to require them to explain that clients’ data is confidential and private even though it will be provided to MSD, (in addition to being flat out inaccurate- the strict interpretation of confidentiality held to by most such services requires that records be only held in one place, be secured using physical lock-and-key for paper records and encryption for digital ones, and not be shared with anyone else outside of anonymous use in ethical review or in the event that a client is a risk to their own or someone else’s safety) people who have been raped will have difficulty filling out a form identifying themselves when they’re seeking help because they may not be ready to admit what they experienced is real, and writing something down can “make it real.” Jan Logie’s example of men who won’t even give their names is not only accurate but typical of many people seeking support, and not just men. Anyone who accepts this contract is going to be committing to turning away people unable to accept anything less than the strictest confidentiality, or worse, they’re going to entrap themselves into breaching the contract in order to help people.

What adds insult upon insult to this issue, (we’re well past the initial injury if these contracts aren’t amended for services that require confidentiality) is that the government has an expert panel2 helping guide its data strategy that has recommended against precisely this type of mandatory collection in their report3, calling for at least an easily accessible opt-out procedure for all big data collection by Government agencies, so even the proponents of big data don’t want the government to take this approach. Literally the best defense that can be made is that the government is legally allowed to insist that its data collection is more important than anonymity.

If the government wants more data from these services, the most they should reasonably do is require that clients be allowed to opt in to data collection if they’re comfortable with the idea. This allows those receptive to provide a limited data set for analysis, or to ask the questions the government are so keen for their NGO partners to explain, and those not amenable to the idea to dismiss it and still access life-saving services that most likely are incredibly effective uses of funding. If the government can concede that paid leave to deal with the aftermath of domestic violence is effective, they can certainly concede that funding services like Rape Crisis shouldn’t be contingent on mandatory data sharing.

(more…)

Advertisements

Not in TOP shape

Posted: March 5, 2017 in elections, New Zealand, technology
Tags:

This one is a really quick hit:

I’ve been suspicious this might be the case for a while, but I reached out to Roy Morgan the other day, and they’ve confirmed that TOP’s vote share is so insignificant they still haven’t separated them out from “Other” Parties. (This means that TOP are likely polling consistently below 0.5%. Roy Morgan’s “Other” category has recently been at about 2%, and generally fluctuates between 1-2%, but they split out small parties who round all the way down to 0% from time to time, such as UF and the Conservatives, so this indicates a very low polling for TOP despite their 4% show at the Mt. Albert by-election) I had previously checked in with Colmar Brunton, who said they have not been counting responses for TOP in their previous polls, as they were an unregistered political party at the time, and that is their standard practice.

So, ouch. There go those dreams of certain cheerleaders that a group of policy-wonk technocrats crowdsourcing their policies with a rich bankroll imitating the Green Party would get all the way above the 5% threshold. They’ll need a serious electorate run if they want to get into Parliament, but they didn’t have one planned yet, so that will make things tight, especially as Labour will have no incentive to make space for them given their stated intentions to sit on the cross-bench, and that Labour has already lined up a candidate for every single electorate.

All in all, if nothing changes, TOP’s only relevancy to this election will be how many votes it splits away from the Greens into the “other” pool that gets re-allocated to everyone. I will be advising anyone sympathetic that I don’t think it’s worth risking your Party Vote on them at this stage. The one thing I think other parties should take from TOP is that crowdsourcing policy, especially from experts, is a good idea. But at this stage, that looks like that may be their epitaph.

For those of you who haven’t been following things, (and you could be forgiven for having been busy on boxing day, much the way Valve could be forgiven) a technical hiccough has exposed private information of some steam customers.

This may not be 100% confirmed yet, but apparently valve pushed an update to its caching on its store pages that didn’t work as intended, and exposed other people’s emails, their usernames, their steam wallet balances, (think prepaid cash balance, although it can also be the proceeds from selling digital goods such as steam trading cards) and the last two digits of their credit cards. We don’t know the exact timeframe, but potentially everyone who accessed any steam store pages and saw anyone else’s info has had this information exposed. Fortunately, nobody had the ability to charge anyone else’s account during the time as far as I know.

This exposure occured for roughly an hour, after which Valve managed to get someone on-site and shut down external access to the problematic pages, until they could rectify the breach. (Store pages are now accessible with no adverse consequences as of my drafting of this post) This is a relatively impressive turnaround for a public holiday and is to be commended, not attacked. Only the most basic services should be using real staff on public holidays, and Steam is not a basic service.

As a former employee of an organisation that has struggled with both public perceptions and privacy breaches, I can tell you that there are some basic steps that need to be taken as soon as Valve can get people back into work:

  1. Firstly, own up publicly to what information was exposed, apologise to all customers, even those unaffected, and offer to allow people to close their accounts and have their personal information deleted. The first part of this is the basic necessity. You HAVE to apologise if you’ve screwed up, full stop. It also helps if no excuses are made until after the unreserved apology is delivered. But allowing people to express their distrust in you by leaving your service, and deleting their information if they do so, shows you really mean your apology and are accepting the consequences of your mistake.
  2. If possible, generate a list of customers whose accounts were accessed during the timeframe the breach occured, and warn all of them their privacy may have been breached by email. Valve should also recommend that they be aware of potential phishing attempts, take any necessary steps to ensure their credit card remains secure, and change their steam passwords, and any other passwords that match their steam passwords. While in the short term actively notifying people of the breach who haven’t learned of it might seem bad PR, in the medium and long term it means customers know that Valve is willing to be accountable when mistakes are made, and that they will place their customers needs ahead of their own PR.
  3. Valve should put ALL employees through privacy training immediately, so they are aware of the consequences of for instance accidentally disclosing an email address or a partial credit card number. This is both a practical (Valve will be under extra scrutiny now, and human security breaches will be much more serious) and a PR requirement.
  4. Valve should take immediate policy steps to ensure this same breach cannot occur again. For instance, they may want to institute a policy that no software patches or website changes that could impact security or privacy are to be pushed near holidays.
  5. In the medium term, Valve needs to upgrade its privacy security policies and systems. Valve serves some of its private information directly over insecure protocols- this needs to stop. If valve wants to offer Steam pages over the web, it should secure them if the web pages offer private information, or it should only serve account information through its client in secure packets, or on seperate, secured pages. (similar to how purchases are currently handled) The worst privacy breach that should be possible using secure software is that someone unintended views your account name. There are also some really basic information security steps that can be taken, such as:
    1. turning off auto-complete for any external addresses in all email clients,
    2. stocktaking access to private and/or confidential information and ensuring all access granted is either necessary or authorised, practical, and secure,
    3. disabling insecure methods of file-sharing, such as email attachments, without a second employee authorising them,
    4. implement quality-checking on any existing and new safeguards, at least in the short term.
  6. In the longer term, ensure customer data is secure from external access, hackers, and properly anonymised to internal employees.

Valve has a lot of work to do. A lot of this work is better done before any privacy issues occur, but they’re in for a lot of learning about why prevention is better than cure. I’m pretty sorry to all of the employees who weren’t responsible but are about to be affected.

Firstly, good news: Huge congratulations to the tens of millions of netizens who participated all around the world in the blackout to inform people about SOPA and PIPA. Everyone who cares about technology even slightly now knows about those outrageous bills and the guilt-by-accusation approach to piracy they espouse, and as this tactic is still relatively new, it had an amazing effect on both houses of the US congress, flipping many sponsors of both SOPA and PIPA firmly into the “opposition” category of the bill, with the usual gormless comments about needing to “read it more carefully” or “more thorougly research the implications”- which means they thought they could coast through and not bother to actually analyse the bill because it had so much support from rights-holders.

This is a victory, but it’s also just a reprieve- SOPA and PIPA were just new versions of COICA, which was similarly disgusting, and New Zealand has had its own brush with guilt-by-association copyright laws before, too, which it also took local blackouts to defeat.

Finally, there’s been excellent stories about SOPA and PIPA all over the mainstream journalist sources recently, to highlight only a couple, there is a great piece written by Dan Gillmor up at The Guardian, a great summary of SOPA and PIPA by Rachel Maddow, and Chris Hayes’ Up With Chris has a video panel discussing SOPA, and a blog that rebuts the fact-light defense of SOPA on the video panel courtesy of Joe Sestak.

 

Now, onto the mixed news: Megaupload is down, in a joint operation between New Zealand police and the FBI that saw four arrests and a $10 million asset seizure, and the seizure of Megaupload’s domain name. The accusations against Megaupload and its sister company are very unclear, and it’s murky precisely what actions are being claimed to have broken the law on the charges being laid- including conspiracies to commit racketeering, money laundering, and copyright infringement, and some of it seems to centre on what I like to call the “blind eye” fallacy, which is that because individuals in the company may have been able to cite examples of infringing content that were not taken down, the people running the company were responsible. I hope that the police plan to actually show that at the least, the people they arrested were criminally liable or criminally negligent in their actions. It’s very disturbing to me that middlemen are being held liable for enforcing copyright- I’m not sure the onus should be on megaupload to prevent infringement when they aren’t actively notified by rights-holders, as the precedent of intellectual property rights cases has been that rights-holders are responsible for objecting to misuse of their ideas in order to maintain their rights. Time (eww, I know, but they’re doing good journalism this time) has more on the “Mega Conspiracy”, as authorities are calling it.

If having to establish evidence that copyright infringement is happening is too hard for the incredibly wealthy rights-holders in Hollywood that are largely responsible for DMCA notices, then I don’t think they ought to be allowed to ask for arrests, or for content to be taken down. The presumption should be that content is licenced until someone complains, and even then, legally, the assumption should be that content doesn’t infringe copyright until it is proven to be (a) work that has been copyrighted by someone else, (b) no valid licence is produced, and (c) proven that the use did not fall within fair usage provisions of legal copying, derivative work, or sharing. That’s a high standard, but legal action should have to meet a high standard. More on other options rights-holders have in a subsequent post, because this one is huge already.

 

Anonymous, a activist/hacking (or “hacktivist”) collective that operates entirely under pseudonyms, (there’s also more to say about Anonymous, which I will get to, I promise, but I’d sum them up provisionally as “very zealous ‘good guys’ on issues of freedom of speech, who break the law in order to defend its principles”) has launched counterattacks on several rights-holders’ sites, and also on the department of justice, taking down those sites. While I absolutely oppose holding service providers responsible for piracy they aren’t notified of, these counterattacks may be premature, and may generate some degree of sympathy for rights-holders among more conservative citizens. Assuming the trial of those arrested is timely, we should wait to see what kind of evidence is presented before condemning authorities- but of course, that’s not Anonymous’ style.

You’ll also be amused to know that currently The Pirate Bay has rebranded itself as “The Promo Bay”, a function which to some degree it no doubt serves, and has lambasted Hollywood rights-holders with a press release on SOPA, making very good points about how Hollywood was built on (legal) copyright violation. I’ll have some opinion posts on the details of piracy soon, seeing that’s the big issue at the moment.

On strike

Posted: January 18, 2012 in freedom of speech, technology
Tags: ,

While SOPA has been stalled by popular opposition, PIPA is still going ahead, so due to the inability to shut the blog down for the day, I’m simply going silent and linking you to the SOPA Strike redirect, which is actually really good.

For those of you that don’t follow tech news or American Politics, let alone the intersection of them, we’ve had some great news recently: the President of the USA, who has been barely sufficient on so many issues, has finally come out swinging on the side of free speech and innovation against the two twins of censorship, the Protect IP Act of the US Senate, and the House of Representatives’ “Stop Online Piracy Act.” He hasn’t outright threatened that the laws will get vetoed no matter what, but he’s implied that they’re heavily flawed and he can’t support them as-is. Hopefully he will expand on that and avoid the devils on his shoulder that so often prompt President Obama to compromise for the detriment of his country and the world.

While I oppose piracy in general, (as an amateur programmer I have a cat in this YouTube video, to switch up a popular metaphor) I think that to some degree it’s a necessary evil to allow us to have national sovereignty, freedom of speech, and innovation on the internet, and laws like SOPA and PIPA reinforce that impression. I also like to combat it or support people who fight it by investing their customers in the continued development and success of a product in the case of software. I can understand the film industry at least is unable to take a more creative approach here, simply due to the nature of their product. And so of course both of these bills have massive support from entertainment industries, with most of the push coming from large film makers, but there are also some technology traitors, including the ESA and several domain registry companies. (I recall GoDaddy was on this list for a while, who you should already be switching away from if you use, because they are a terrible company for other reasons)

What SOPA and PIPA propose, essentially, is that the government be allowed to censor any site containing pirated material with extreme prejudice, stripping away their DNS, (the ability of you to reach their site with a .com address the way everyone normally uses the internet, as opposed to entering an IP number you had bookmarked) and then heaping on an extra helping of economic sanctions, barring advertisers in the USA from using those sites, and cutting off payments through online services like Paypal, much like was done to Wikileaks through right-wing pressure. It gets worse from here, but I’ve already told you enough that you should see the core of the problem.

The US government having an infrastructure to censor the internet is an incredibly scary proposition. It’s this whole notion of building walls and fences again, but in the name of profits for movie tycoons, the USA would be doing it with information, effectively putting them in a position where they could become the thought police, or at least shut down independent media, after it only just started up again with podcasts, YouTube videos, and blogs.

Let’s get into the truly Orwellian stuff: To be considered a pirate under these laws, you don’t have to host a significant amount of pirated material. (There’s an amendment to PIPA that redefines the law down to that, which would make it merely objectionable as opposed to horrendous) You don’t even need to have someone uploading pirated data to a video or file sharing site that you’ve missed. You don’t even need to, personally, write a link to a site with pirated material. No, it’s much easier than that. You can simply fail to take down a link in a comment to a site that may contain a single, obscure pirated file somewhere.

SOPA and PIPA consider site owners responsible for what their users post. All a big business needs to do is continuously post links to pirated content until they flood the ability of the site to moderate their comments, and tip off the rights holders to get their competitors embargoed and censored. This is taking that childhood game of “stop punching yourself!” to a whole new level. It is not exaggerating to say that this could kill the internet as we know it- under these laws, tech giants like Facebook and Google wouldn’t be able to get started.

Some major sites are still planning on going dark this Wednesday (US time, naturally) to raise awareness that these bills are still under consideration by the US congress. (congress temporarily backed off both of them previously due to public opposition) I thought it might make more sense to just talk about it in advance, as I’m running a blog and all. 🙂

edit: Wikipedia, one of the most searched sites on the internet, has agreed to join the blackout tommorow.