It’s not at all surprising why tons of people, including journalists, are sticking around Twitter even if they shouldn’t. Part of it is inertia. People were settled into what worked before, and change is difficult. Partly because of that, people are loath to switch. Even those who have switched over to alternatives like Mastodon in the Fediverse find it difficult to do so. There’s a bit of a chicken-and-egg problem in which, when people first sign up, it feels “empty” because there’s no algorithm pumping their feed full of content (though I’ve found Mastodon to be quite engaging, to an almost overwhelming degree that I can’t keep up). You have to do a little bit of work, and that can feel like a lot.
But still.
There are so, so, so many reasons to not think this is a good state of affairs. The events of the last few years should demonstrate why relying on any centralized social media is inherently risky. This goes beyond just Twitter, but Elon has been turning that site into a ridiculous plaything in which he makes decisions based on which of his dumbest (but most loyal) fans he thinks will get the biggest kick out of them, rather than any sense of what’s best for the site’s users.
Last week, the pseudonymous Chance from the Chancery Daily publication suggested that we start embracing a concept of “Fedi Friday,” in which even people who feel that they’re going to stick around on Twitter for a while at least just spend one day a week exploring alternative social media, just so they have a general knowledge of it, and experience with it, in case they’re targeted in the next “look at me, I’m in charge now” purge from an insecure, whiny billionaire.
Seeing how Elon has handled the whole NPR situation should be instructive. His pettiness in the whole thing, including yesterday tweeting “defund NPR,” should highlight why relying on Twitter is dangerous.
And, even if you think you support and agree with Musk, he’s shown little to no problem with stabbing his supporters in the back the second they push back even the slightest bit. He’ll even publish their private communications just to win a slap fight. So even if you think that Musk is magically “saving” Twitter, it still makes sense to find a space that isn’t controlled by him.
You don’t have to commit to leaving Twitter. You just need to spend a little time each week testing out the alternatives, of which there are many. The ActivityPub-based “fediverse” is much vaster than people realize, going beyond just Mastodon (though they all interact in some ways). Larger companies such as Medium, Mozilla, and Flipboard are all embracing ActivityPub in one way or another, and others are poking around the edges as well.
There are, of course, a variety of other, centralized platforms, and you can test them out as well, but all of those run the same risk of what’s happened with Twitter: they can be run by a thin-skinned, whiny, out-of-touch billionaire with the maturity of a 15-year-old and the vindictiveness of a pre-school child who has had his ball taken away.
There are some other decentralized platforms worth checking out as well. Nostr is an incredibly simple and lightweight decentralized protocol that keeps improving. Bluesky, which was initially funded by Jack Dorsey to create an independent decentralized protocol that Twitter could adopt, is now in beta with its own AT Protocol. Both are decentralized and worth exploring, though not as widely adopted as the larger Fediverse.
If some of the specifics of Mastodon trouble you, you can look at some various ActivityPub-compatible forks like Calckey or Qoto that include many of the features that people sometimes feel are lacking from vanilla Mastodon (like quote tweets).
There is no one right way to do things. The point is that rather than settling for continuing to feed into a system you know is bad and problematic, at least spend some time on just one day a week (why not Friday) to explore the alternatives. Spend a bit of time finding more active accounts to follow, interacting with some of the many people who use these services, and just prepare yourself for the future, rather than pretending there’s nothing to do but be the plaything for a childish billionaire who delights in making you suffer, so long as it pleases his fans.
Last week, I came across two separate speeches that were given recently about the future of the internet — both with very different takes and points, but both that really struck a chord with me. And the two seem to fit together nicely, so I’m combining both of them into one post. The first speech is Jennifer Granick’s recent keynote at the Black Hat conference in Las Vegas. You can see the video here or read a modified version of the speech entitled, “The End of the Internet Dream.”
It goes through a lot of important history — some of which is already probably familiar to many of you. But, it’s also important to remember how we got to where we are today in order to understand the risks and threats to the future of the internet. The key point that Granick makes is that for too long, we’ve been prioritizing a less open internet, in favor of a more centralized internet. And that’s a real risk:
For better or for worse, we’ve prioritized things like security, online civility, user interface, and intellectual property interests above freedom and openness. The Internet is less open and more centralized. It’s more regulated. And increasingly it’s less global, and more divided. These trends: centralization, regulation, and globalization are accelerating. And they will define the future of our communications network, unless something dramatic changes.
Twenty years from now,
You won’t necessarily know anything about the decisions that affect your rights, like whether you get a loan, a job, or if a car runs over you. Things will get decided by data-crunching computer algorithms and no human will really be able to understand why.
The Internet will become a lot more like TV and a lot less like the global conversation we envisioned 20 years ago.
Rather than being overturned, existing power structures will be reinforced and replicated, and this will be particularly true for security.
Internet technology design increasingly facilitates rather than defeats censorship and control.
Later in the speech, she digs deeper into those key trends of centralization, regulation and globalization:
Centralization means a cheap and easy point for control and surveillance.
Regulation means exercise of government power in favor of domestic, national interests and private entities with economic influence over lawmakers.
Globalization means more governments are getting into the Internet regulation mix. They want to both protect and to regulate their citizens. And remember, the next billion Internet users are going to come from countries without a First Amendment, without a Bill of Rights, maybe even without due process or the rule of law. So these limitations won’t necessarily be informed by what we in the U.S. consider basic civil liberties.
This centralization is often done in the name of convenience — because centralized systems currently offer up plenty of cool things:
Remember blogs? Who here still keeps a blog regularly? I had a blog, but now I post updates on Facebook. A lot of people here at Black Hat host their own email servers, but almost everyone else I know uses gmail. We like the spam filtering and the malware detection. When I had an iPhone, I didn’t jailbreak it. I trusted the security of the vetted apps in the Apple store. When I download apps, I click yes on the permissions. I love it when my phone knows I’m at the store and reminds me to buy milk.
This is happening in no small part because we want lots of cool products “in the cloud.” But the cloud isn’t an amorphous collection of billions of water droplets. The cloud is actually a finite and knowable number of large companies with access to or control over large pieces of the Internet. It’s Level 3 for fiber optic cables, Amazon for servers, Akamai for CDN, Facebook for their ad network, Google for Android and the search engine. It’s more of an oligopoly than a cloud. And, intentionally or otherwise, these products are now choke points for control, surveillance and regulation.
So as things keep going in this direction, what does it mean for privacy, security and freedom of expression? What will be left of the Dream of Internet Freedom?
She goes on to note how this centralization comes with a very real cost: mainly in that it’s now one-stop shopping for government surveillance.
Globalization gives the U.S. a way to spy on Americans — by spying on foreigners we talk to. Our government uses the fact that the network is global against us. The NSA conducts massive spying overseas, and Americans’ data gets caught in the net. And, by insisting that foreigners have no Fourth Amendment privacy rights, it’s easy to reach the conclusion that you don’t have such rights either, at least when you’re talking to or even about foreigners.
Surveillance couldn’t get much worse, but in the next 20 years, it actually will. Now we have networked devices, the so-called Internet of Things, that will keep track of our home heating, and how much food we take out of our refrigerator, and our exercise, sleep, heartbeat, and more. These things are taking our off-line physical lives and making them digital and networked, in other words, surveillable.
At the end of her speech, Granick talks about the need to “build in decentralization where possible,” to increase strong end-to-end encryption, to push back on government attempts to censor and spy.
And that’s where the second speech comes in. It’s by the Internet Archive’s Brewster Kahle. And while he actually gave versions (one longer one and one shorter one) earlier this year, he just recently wrote a blog post about why we need to “lock the internet open” by building a much more distributed web — which would counteract many of Granick’s quite accurate fears about our growing reliance on centralized systems.
Kahle also notes how wonderful new services are online and how much fun the web is — but worries about the survivability of a centralized system and the privacy implications. He notes how the original vision of the internet was about it being a truly distributed system, and that the web (which is a subsegment of the internet for those of you who think they’re the same) seems to be moving away from that vision.
Contrast the current Web to the Internet — the network of pipes on top of which the World Wide Web sits. The Internet was designed so that if any one piece goes out, it will still function. If some of the routers that sort and transmit packets are knocked out, then the system is designed to automatically reroute the packets through the working parts of the system. While it is possible to knock out so much that you create a chokepoint in the Internet fabric, for most circumstances it is designed to survive hardware faults and slowdowns. Therefore, the Internet can be described as a “distributed system” because it routes around problems and automatically rebalances loads.
The Web is not distributed in this way. While different websites are located all over the world, in most cases, any particular website has only one physical location. Therefore, if the hardware in that particular location is down then no one can see that website. In this way, the Web is centralized: if someone controls the hardware of a website or the communication line to a website, then they control all the uses of that website.
In this way, the Internet is a truly distributed system, while the Web is not.
And, thus, he wants to build a more distributed web, built on peer-to-peer technology that has better privacy, distributed authentication systems (without centralized usernames and passwords), a built-in versioning/memory system and easy payment mechanisms. As he notes, many of the pieces for this are already in existence, including tools like BitTorrent and the blockchain/Bitcoin. There’s a lot more in there as well, and you should read the whole thing.
Our new Web would be reliable because it would be hosted in many places, and multiple versions. Also, people could even make money, so there could be extra incentive to publish in the Distributed Web.
It would be more private because it would be more difficult to monitor who is reading a particular website. Using cryptography for the identity system makes it less related to personal identity, so there is an ability to walk away without being personally targeted.
And it could be as fun as it is malleable and extendable. With no central entities to regulate the evolution of the Distributed Web, the possibilities are much broader.
Fortunately, the needed technologies are now available in JavaScript, Bitcoin, IPFS/Bittorrent, Namecoin, and others. We do not need to wait for Apple, Microsoft or Google to allow us to build this.
What we need to do now is bring together technologists, visionaries, and philanthropists to build such a system that has no central points of control. Building this as a truly open project could in itself be done in a distributed way, allowing many people and many projects to participate toward a shared goal of a Distributed Web.
Of course, Kahle is hardly the first to suggest this. Nearly five years ago we were writing about some attempts at a more distributed web, and how we were starting to see elements of it showing up in places the old guard wouldn’t realize. Post-Snowden, the idea of a more distributed web got a big boost, with a bunch of other people jumping in as well.
It’s not there yet (by any stretch of the imagination), but a lot of people have been working on different pieces of it, and some of them are going to start to catch on. It may take some time, but the power of a more decentralized system is only going to become more and more apparent over time.
Last month we wrote about Mozilla’s move to deprecate HTTP in favor of encrypted HTTPS, which followed on Chrome’s move to do something similar. What surprised me a bit was the response from many in our comments who didn’t think this was a good idea. People talked about how it added complications to development, or pointed to problems with the whole concept of trusting certificate authorities and a variety of other problems. Some worried about the costs associated with getting a certificate. Ben Klemens, who has written eloquently for years about the problems of software patents, wrote an article noting that this would make it difficult for individuals to easily set up their own web platforms, and require them to rely on a third party with whom you’d have to identify yourself (the certificate authority).
Of course, there are many attempts to deal with these issues, such as the big Let’s Encrypt project from EFF and others to offer free certificates. And, if you’re hosting websites online, you’re likely already going through a third party hosting provider, and it’s not clear how dealing with a certificate authority is really all that different.
But the most compelling argument I’ve seen for why this is so important comes from Eric Mill, who makes the case by highlighting the many, many ways in which the web has changed over the past few years — allowing both companies and governments to readily abuse the unencrypted nature of the legacy web, putting all of us at risk. This is a real problem that HTTPS goes a long way in solving:
But when I look at the last few years, I see a very different web than the one I was introduced to:
Verizon injects tracking headers into unencrypted traffic so they can sell your browsing activity to advertisers. This program started in 2012, after Verizon realized they “had a latent asset”, but wasn’t noticed until 2014.
Other companies like Turn piggyback on Verizon’s tracking header to sell your data to even more people, because they “are trying to use the most persistent identifier that we can in order to do what we do”, says Turn’s chief privacy officer.
Comcast injects ads into unencrypted traffic, because “it’s a courtesy, and it helps address some concerns that people might not be absolutely sure they’re on a hotspot from Comcast”.
Andreas Gal (Mozilla’s CTO, in his personal capacity) has claimed that Yahoo and Bing “can acquire search traffic by working with large Internet Service providers” to harvest users’ Google search results to improve their own — and strongly implies that they used to do this before Google shut them out through encryption. Even if you support better competition against Google, I doubt you expected your ISP to make deals to sell your traffic to other corporations without your knowledge.
We discussed that last one last month as well, in noting how HTTPS would prevent attacks like the one China launched (and is constantly launching elsewhere as well).
And, also, it’s not just corporate abuse, but government/intelligence community abuse as well:
The NSA’s upstream collection program has not been reformed. It will not be reformed by the current draft of the USA Freedom Act, in fact was endorsed by the only government agency whose job it is to review it, and the most meaningful court victory so far — while a wonderful and important precedent — addresses a separate program that only touches data about telephone calls.
After the Charlie Hebdo attacks, France is now making bulk internet spying explicitly legal and giving its intelligence services vast powers to work with ISPs to surveil the network.
Pretty much everyone agrees that the security certificate system has its problems. We’ve been pointing that out for years. But encouraging more encryption now is solving real problems today. And, as Mill notes, Klemens’ and others’ concerns about this move towards HTTPS being a kind of “recentralization” of the web are also misguided. All of those examples above show how big companies and governments are, themselves, abusing the unencrypted nature of the internet to take control and force a distributed system to act more like a centralized system by inserting themselves in the middle. HTTPS actually helps protect a more decentralized web by blocking those man-in-the-middle attacks:
When I look at all these things, I see companies and government asserting themselves over their network. I see a network that is not just overseen, but actively hostile. I see an internet being steadily drained of its promise to “interpret censorship as damage”.
In short, I see power moving away from the leafs and devolving back into the center, where power has been used to living for thousands of years.
What animates me is knowing that we can actually change this dynamic by making strong encryption ubiquitous. We can force online surveillance to be as narrowly targeted and inconvenient as law enforcement was always meant to be. We can force ISPs to be the neutral commodity pipes they were always meant to be. On the web, that means HTTPS.
The security certificate system isn’t perfect. But an unencrypted web has serious and dangerous flaws that put us all at risk. In the old days, people could keep their homes unlocked as well, but that got widely exploited so now most of us lock our doors. It’s not perfect and it has problems, but the overall protection is worth it. That’s even more true online where encryption is important in enabling greater freedom of expression and protection of privacy.
If you’ve been following the whole net neutrality fight for a while, the following graphic may be familiar to you — showing what a potential “cable-ized” world the internet would become without strong protections for net neutrality:
At some point, someone created a similar version, that was specific to AT&T:
A little while ago, however, someone took the joke even further, and set up a website for a fake broadband provider, asking people to Join the Fastlane!, and it was pretty dead on in terms of what such a site might look like:
I particularly like this bit:
It’s now come out that this campaign (along with some associated billboards) has been put together by BitTorrent Inc., not all that different than the company’s billboard campaign against the NSA. Along with this, BitTorrent has put out a blog post explaining, in part, how we got here, but more importantly how we need to start thinking about a better way to handle internet traffic to avoid the kind of future described above.
The key issue: building a more decentralized internet:
Many smart researchers are already thinking about this problem. Broadly speaking, this re-imagined Internet is often called Content Centric Networking. The closest working example we have to a Content Centric Network today is BitTorrent. What if heavy bandwidth users, say, Netflix, for example, worked more like BitTorrent?
If they did, each stream — each piece of content — would have a unique address, and would be streamed peer-to-peer. That means that Netflix traffic would no longer be coming from one or two places that are easy to block. Instead, it would be coming from everywhere, all at once; from addresses that were not easily identified as Netflix addresses — from addresses all across the Internet.
To the ISP, they are simply zeroes and ones.
All equal.
There’s obviously a lot more to this, but it’s good to see more and more people realizing that one of the fundamental problems that got us here is the fact that so much of the internet has become centralized — and, as such, can be easily targeted for discrimination. Making the internet much more decentralized is a big step in making it so that discrimination and breaking net neutrality aren’t even on the table.
The classic line about how “the internet interprets censorship as damage and routes around it,” is certainly being proven true yet again these days, but there is an interesting corollary that might be worth considering in this as well: which is that sometimes these attempts at censorship expose the need for new routes, and those routes are quickly created.
We’ve been pointing out repeatedly for a while now that the real issue we’re witnessing with things like Wikileaks and Operation Payback is the confusion a centralized/closed system has when it comes up against a more distributed and open system. Much of what we’ve seen concerning both Wikileaks and Operation Payback over the past few weeks is exposing the cracks in the system where things that should be more decentralized and distributed are not.
However, it seems that each time new centralized intermediaries spring up to cause problems, all it’s really done is to drive more people to figure out ways to create more distributed and decentralized alternatives. We’ve already discussed a more decentralized DNS system, but now the EFF is listing out a variety of distributed and decentralized projects that it hopes will help people route around censorship attempts.
As the EFF notes, many of those individual projects probably won’t succeed or catch on, but others will. In a few years, it will be interesting to look back and see just how many new, more distributed and decentralized infrastructure systems really came out of the “fights” we’re seeing splashed across the news today. The real shame, of course, is that the US government, who has been speaking so forcefully about being against online censorship over the last year or so, may ultimately be the leading cause for these new infrastructure tools to be built, and not because it supported them directly, but because of its current attempts at censorship.
Back in October, I wrote a thought-piece on how “the revolution will be distributed,” comparing Wikileaks to Anonymous’ “Operation Payback” (whose tactics I disagree with). I noted that the two were very different, and were focused on very different issues, but that both were essentially about distributed and open systems taking on systems that were centralized and closed — and that the folks in those centralized and closed systems didn’t seem to understand this. Thus, all of their reactions did little to fix the challenges they were facing.
It seems that my comparison of the two operations was a bit more prophetic than I expected. In the wake of the latest Wikileaks saga, Operation Payback is getting attention for pointing its DDoS takedown efforts at Visa and MasterCard for their decision to disallow any payments to Wikileaks via their cards.
I still disagree with the tactics of Operation Payback — which I fear will be counterproductive and could lead many people to think this is all about some “rowdy kids” rather than people with a serious agenda. However, it is rather telling how much attention they’re getting. The folks behind Operation Payback point out that they’re not affiliated with Wikileaks, but:
We fight for the same reasons. We want transparency and we counter censorship. The attempts to silence WikiLeaks are long strides closer to a world where we can not say what we think and are unable to express our opinions and ideas.
Again, I’m struck by the simple split many have here: it really is an argument between those who believe in distributed and open vs. centralized and closed — and I’m still not sure if the folks supporting centralized and closed even realize this. Their response, to date, has been to act as if they’re fighting a centralized system. They focus on things like Wikileaks’ domain and its founder — as if that’s the issue. They target the centralized pieces. And even if you make the argument that Wikileaks needs Julian Assange to stay together, if it were to shut down, it wouldn’t take long for a ton of other, similar offerings to spring up in its place. And, they would probably be even more effective (and potentially more damaging).
While I don’t necessarily like “war” analogies, what we’re seeing is very much a battle between the way people want to see information flow, and one side seems to be still fighting the last war.