[Freedombox-discuss] Relationship driven privacy

Isaac Wilder isaac at freenetworkmovement.org
Tue Jul 12 17:17:08 UTC 2011


Sébastien,

Comments follow inline, but I wanted to say before I begin that this
conversation seems utterly necessary to me at this juncture. I think
that you've presented a workable breakdown of the issues at hand,
though I hold that you've neglected one FreedomBox capacity that I
would consider essential.

I also want to pose a question to the wider community, which I hope
won't be considered presumptuous. It's asked only in the spirit of
cooperation, common cause, and camaraderie. Does anyone else feel like
there is a progress-inhibiting rift developing between a group of
'insiders' and 'outsiders?' I only mean to say that I have some doubts
about the efficacy of on-list conversation, because I do not see much
participation from members of the TAC. This makes me worry that we
are engaging in idle chatter while the actual decisions about
FreedomBox and its features are being made in a back room somewhere.

I would be happy to be told that I'm wrong on this one, and that a
quorum is indeed present. Just thought I would see if anyone else is
having similar feelings. What is the organisational structure here?
What does it mean? Who are we? Is this a worthwhile question?

On 07/11/2011 06:46 PM, Sébastien Lerique wrote:
> On 08/07/11 14:13, Daniel Kahn Gillmor wrote:
> > On 07/08/2011 12:20 PM, nathan nolast wrote:
> >> now, i know that the freedombox is going to be used by average individuals
> >> that are not interested in remaining anonymous for what ever reason. But
> >> lets not kid ourself, social networking is social networking... we can
> >> increase the privacy, make strong privacy relation policies, but posting your
> >> pictures and life story on a service is not in any way shape or form ...
> >> logical.
Perhaps we could adopt something of a 'harm reduction' approach here.
It's like binge drinking in colleges. We know that people are going to
do it anyway, so we should do whatever we can to make them safe in
doing so. More than that, as Daniel said, there is value in it.

>
> > Wanting to form a meaningful and potentially lasting relationship with
> > other humans may not be "logical", but i consider it very valuable.
Not to mention the fact that it is becoming increasingly difficult to
function as a member of society *without* engaging in broad-spectrum
social networking. There are some of us holding out, until we can do
it safely, but it is a race against time. If we cannot figure out a
way to distribute network ownership while improving on the feature
set, even the holdouts will soon hop on the google+/facebook bandwagon.

>
> > If we build a network that is completely opaque, such that no one can
> > form any lasting relationship across it, we might as well not bother.
Agreed. As I see it, there are three modes of network access:
anonymous, eponymous, and onymous. It is the access session itself that
has the attributes, not the activity. Anonymous means that there is no
link between a session and an identity. Eponymous means that there is
a link between a session and an avatar. Onymous means that there is a
link between a session and an actual person in the web of trust.

Does it make sense to other people to break the issue down into these
three session types?

> <snip>
> > We should not be segregating our work into systems for "normal people"
> > and "dissidents".  To make that segregation implies two things:
>
> >  0) surveillance and corporate- or government-controlled communications
> > for "normal people" is acceptable, and
>
> >  1) that these categories are fixed, mutually-exclusive, and static --
> > an individual cannot be both at once, or change from one to the other,
> > either voluntarily or involuntarily.
Agreed. User categories are fluid. Session categories are not. Users
should be able to identify their needs, and pick a session type
(anonymous, eponymous, or onymous) accordingly. Different modes are
appropriate for the same people at different times. I would like to be
able to maintain my anonymity, build the reputation of an avatar that
can't be traced to my real name, and to be the exclusive
representative of my legal self, Isaac Wilder, in cyberspace.

>
> > We should support people making connections with other people, creating
> > social bonds and sharing values.  We should discourage or prohibit third
> > parties from commoditizing or surveilling these relationships.  We
> > should enable people to take a stand publicly for what matters to them.
> >  And we should enable people to publish material anonymously, to ensure
> > that even people with significant vulnerabilities have a way to get
> > their important information out to the world.
Hear hear.
I'll only add that anonymity is part of the authentication spectrum,
but it's not the only part that matters. Giving people distinct and
understandable choices as regards their mode of access seems
essential. That means providing mechanisms not just for anonymization,
but for building avatars which are identified but not verified, and
finally for presenting an identity that is verifiably linked to a person.

>
> > We cannot presume to say that sharing personal stories, opinions,
> > images, movies, jokes, etc. is somehow irrelevant to the creation of a
> > more just society.  And we can't afford to ignore the appeal of sharing
> > in making this network something people actively want to participate in,
> > and enjoy using.
It is becoming impossible to resist.

>
> >     --dkg
>
>
> -----------------
> Some sort of disclaimer: what I write below is based on reading the
> FreedomBox list for many months, as well as the TAC list. I do not know
> what the TAC members are doing, especially behind the scenes (work at
> the Foundation, etc.)
> -----------------
Sébastien, I hope that you won't mind my saying so, but I wish that
people didn't have to make this sort of disclaimer. I'll just put it
this way: it sucks not knowing if big decisions are being made in a
room somewhere. If they are, is the room open to the public, because I
swear I'll show up. Perhaps this is just frustration with the nature
of collaboration in cyberspace. Everything is shadows - we've got no
idea what kind of attention is being paid, and by who. I think we
would do well to give some consideration to community process. We
need more transparency on several fronts. I know that it may not feel
like the most important work, but it does pay dividends, in the end.

>
> It seems to me FreedomBox has evolved into an opportunity for many
> people to fix most of the problems they identify with today's Internet,
> but where we haven't yet acquired the means of successfully doing so,
> or, which is more of a concern to me, where we haven't yet realized the
> size and the complexity of what we want to tackle (or at least I don't
> see us acting upon it). I'm answering in the "privacy" thread because I
> see it as a strong example of what's happening to the project:
It's tough, because there are some pretty serious interdependencies
between the various aspects of the project. You're right though, to
pick a patch and dive ahead. We've got to learn not to worry about
so-called 'chicken and egg' problems, because the thing is, chickens
exist. As long as we keep making incremental progress in many areas,
things will get to where they need to be. We've just got to divide the
problem up into little actionable parts, be realistic about what we,
as individuals can do, and then take ownership of tasks. If somebody
doesn't like the job that's done, they can do it better. If we wait
for too much direction from above, nothing is ever going to get done.

>
> Yesterday I was watching the Federated Social Web 2011 Summit videos[0]
> (they are well worth the time watching), which led me to Seda
> Gürses,<snip>
I haven't yet had time to watch the talk, but I look forward to it.
Apologies for responding before I've gotten the chance.

>
> Privacy has to do with surveillance, control, identities, hiding of
> information, anonymity, audience and context (and more), and all those
> concepts are difficult to define in a clear and operational manner. In
> the cases where they have been defined, many interesting results have
> been proven (for example, Seda talks about a mathematical proof showing
> that anonymizing a database is impossible in practice: the data in the
> database can be cross-linked with other databases, eventually leading to
> identify 80% or 90% of the people in the initial database). This is
> quite similar to what Sam Hartmann explains in his post on the TAC list,
> about anonymity on Internet[3] (that, too, is enlightening).
This depends on what sort of information is in the database, no?

I see no reason why we can achieve the sort of session identification
scheme that I mentioned above. After that, it is a matter of people
understanding the difference between anonymity, pseudonymity, and
onymity, and using their various identities responsibly.

>
> A lot of research is going on about this, and a lot of money is being
> put into it especially by the European Union (and according to Seda,
> part or most of those initiatives are not going the right way). I
> believe the Tor wiki is another great source of information and framing
> of the subject.
That's too bad about the direction of research.
Tor has certainly laid much of the groundwork for anonymous sessions.
Any particular pages in their wiki that you had in mind?

>
> What I am trying to say is that "privacy" is a *hard* and *complicated*
> problem, and we cannot aim to implement it correctly without better
> resources, means, or organization. I think we need to 1) get all
> competent parties on board, and 2) organize ourselves accordingly, if we
> want to achieve something useful.
I agree wholeheartedly. The global network is an unbelievably complex
system. We need many people with many perspectives working on many
problems, because the problems are hard, and because they are
important. It is difficult to overstate the importance of the work
that we are doing, and it is easy to get frustrated at the slow pace
of progress. Then again, things are moving. We will get there, one way
or another.

I wonder if we need to draw a distinction between FreedomBox and the
sovereign computing / free network movements in general. FreedomBox
seems like it could be a useful base for other projects, and careful
stewardship does make a degree of sense. This comes back to the role
of the TAC, of Mr. Moglen, of the people who are in charge, but who do
not seem to be a part of this conversation. The division of labor in
this community is unclear. The boundaries, scope and roles are fuzzy
as well. If this organization were completely bottom-up, we could move
forward with Sébastien's suggestion. As it is, things fall flat
because they do not come from authority figures. We are top-heavy.

>
> Privacy is not the only *hard* problem we are tackling. I would say
> there are four main areas the project aims for at large (all of them
> interlinked of course):
>
> 1. Privacy (see above)
yes.

>
> 2. The Federated Social Web. I understand the Fbx will be social deep in
> its heart, and may (or should) have that layer separated from
> application layer. <snip>
yes.

>
> 3. User Experience. Not much to say here. Ideally, I envision a
> usability level like Apple or Google do it.
yes.

>
> 4. Data ownership: acquiring the legal rights given by hosting one's
> data at home or at a friends' home (namely, higher legal requirements
> for authorities to search that data, though this varies between
> countries). I think this aspect is the only one which is "deliverable"
> right now, i.e. which we are able to provide properly at the moment (and
> many tech-savvy people already benefit from it by using their own home
> server -including me-).
yes.

I'd like to throw in another broad category: device-as-infrastructure
capacity. FreedomBox should be able to communicate with other
FreedomBoxes via local routes. It should be intelligent enough to know
when those routes are available, and use them automatically. We're
basically talking about mesh networking here, which has been discussed
from the beginning as a central functionality of the box.

At the Free Network Foundation, we make the distinction between
logical peer-to-peer (what we have today) and material peer-to-peer,
where the actual path that the bits take is peer-to-peer. The social
parts of FreedomBox should enable secure, logical peer-to-peer at all
times, and material peer-to-peer when possible. We call this behavior
opportunistic peer-to-peer.

Does this come through to people? If not, please let me know, because
I believe it to be of critical importance, and I'd be happy to try to
express it differently and more clearly. Let me know. Anyways, let's
call device-as-infrastructure/opportunistic peer-to-peer capacity
point 0, not because it is more important, but to keep numbering
contiguous, and because who doesn't love a good zero-index?

>
> IMO, points 1), 2), and 3) need thorough work/development and maybe
> research, and are not only about bundling existing stuff together. Each
> one is virtually a sub-project of its own (or has the ambition of one,
> at least). Those areas are already explored by many other entities
> working sometimes individually or not so individually (software
> projects, standards organizations, researchers, etc.). I think we need
> to reach out to as many of them as possible, and explicitly start
> working with them.
Point 0) needs work and development as well. There is lots of
interesting work coming out of both Project Byzantium and the
Commotion Project, but there is a massive job to be done. We need to
get all of the critical people under a banner, doesn't matter which, but
that is proving difficult. Sascha Meinrath is in charge of Commotion,
and sits on the TAC, and folks from Byzantium are certainly on board
as well. It's a shame we can just all drop everything and do this. It
seems like the right thing to do.

>
> I don't know if those categories are shared at all among members on this
> list. Another way of categorizing could be with the different layers of
> the FreedomBox: data layer, identity management layer, authentication
> layer, social and people-discovery layer, UI layer, etc. But I think it
> is not yet clear how "privacy" interacts with each of those layers.
I think that comes next. Let's focus on division by functionality for
now, and division by architecture later.

>
> I suggest we form dedicated (and publicized) working groups for areas
> 1), 2), and 3). Those groups could reach out to other competent entities
> and work with them (other projects, standards organizations,
> researchers, etc.), at the same time updating each other on the progress
> that is made, so as to make sure all parts work together (because those
> areas are interlinked and can't be separated so easily) and don't
> diverge. This would make sure we don't reinvent the wheel or overlook
> existing knowledge and expertise on a subject, as well as providing
> specific spaces for discussion about those areas (that way not flooding
> a common list with a maze of diverse subjects). In this sense, I see
> FreedomBox as some sort of meta-project.
I agree with this suggestion. We should do so for my proposed area 0)
as well. I would be happy to participate/facilitate that group.

The first challenge for group 0 could be to bring folks from
Commotion, Byzantium, Serval, open-mesh and others into dialogue. Then
we need to share knowledge and decide on a standard. I've got stuff to
say here, but I'll save it for a more appropriate venue.

>
> Those groups need only exist on sub-mailing-lists, reporting progress to
> the main list (or the TAC list). To me, the first challenges to those
> groups *could* be:
>
> For 1), defining "privacy", reaching out to Seda to see what paradigm or
> model we can use, and what requirements we should set (maybe she's on
> this list in fact, or somehow already involved? I did not see her in the
> recipients list)
Agreed. I would like to be a part of this discussion as well. I'll
save my comments until then.

>
> For 2), reaching out to the various projects and standards organizations
> to see what kind of unified identity management can be made... <snip>
Agreed.

>
> For 3), building UX scenarios (I think the question about where the box
> sits in a home network --behind a NAT, or as main router-- has not been
> decided), reaching out to UX designers (who?), sketching UI parts.
Agreed. This needs to be done early and often, with input from real,
non-technical users as an integral part of the design process. I'm
happy to test on my family!

>
> Please note that these are only hypothetical examples to give a better
> idea of what kind of tasks I see for each of these working groups.
>
> Concerning what help I can bring, I am currently studying sociology and
> cognitive science in a masters program after having studied quite a lot
> of maths, and am therefore relatively close to the academic world of
> privacy and social network research. I would be happy to be part of a
> "privacy" working group if this view is shared. If people agree with
> this, please drop me an email (and we could start).
I'm in. I only worry that it will be fruitless unless sanctioned by
the TAC and Board of Directors.

>
> Again, sorry for this long post and for any offense I might have made
> due to ignorance, my goal is to have this project succeed in the best of
> ways!
>
No worries over here. Thank you for moving the conversation along.


take care,
Isaac Wilder
The Free Network Foundation
