IoT

We, in the US, are starting to  talk more widely about the dangers posed by Internet of Things (IoT) devices. This is great!

IoT devices are by and large terrible. They’re truly horrendous. They can be nice in a lot of ways — I enjoy controlling the music in the kitchen from my phone — but they normalize the situation where we trade our privacy and data for convenience. This is not just true of obvious surveillance technologies, though it is especially true for them and I want to talk about those.

Most of the conversation I have seen about surveillance IoT — like Ring doorbells and home surveillance devices — is focused on the insecurity of it. Major news outlets covered when a girl was harassed by someone hacking into a Ring camera her parents installed into her bedroom.

Ignoring how creepy it is that her parents decided to install a camera in her bedroom, this story is disturbing because it’s about someone violating the sanctity of what should be a safe space for a family and, moreso, for a child. This is posed as a security issue affecting an individual.

We need to shift the conversation in two ways:

1) No amount of security will make these kind of devices safe;

and

2) This is not just about the individual — these types of surveillance put communities at risk.

I think the latter is the more important point, and something I want to focus on. The conversation should not just be about the security risk of someone breaking into my home surveillance. Instead it should focus on how, for example, surveillance systems are putting your neighbors at risk, especially as these systems are being co-opted by law enforcement and faulty facial recognition tech is being used.

We should talk about how victims of domestic violence and stalking can be monitored and tracked more easily by their abusers.

I believe strongly that the people making decisions, designing, building, and selling these technologies have a responsibility to the people who purchase them as well as those who come in contact with them. I view broadening the conversations beyond the “unhackability” of devices as a necessary next step.

 

 

MollyGive 2019

After much deliberation, I decided to not do MollyGive 2019. This was a bit of a blow, especially after MollyGive 2018 having a lot less reach than previous years. (For MollyGive 2018 I supported a large, matching donation to the Software Freedom Conservancy.)

I’ve spent the past seven months paying helping a friend pay their rent. I’ve paid for groceries, train tickets, meals, coffee, books for people I know and people I don’t. Medications for strangers. I stopped keeping track of the “good” I was doing, and instead just gave when I saw people in need.

This is counter to my past behavior. I’ve been burned a few times when offering funds to people who have a major need in their life — thousands of dollars to help people make major life changes only to have them instead use the money on other things.

I believe pretty strongly that, generally, people in need know what they need and are capable of taking care of it themselves. I don’t think it’s my place to dictate or prescribe. The experience of being burned and my thought about people knowing what they need were at odds.

At the same time, I saw people suffering around me. People who know what they needed .People in positions I’ve been in: food or medication? A winter jacket or rent? I have the resources to take care of those material needs, so I supported them when the opportunity presented itself.

I have a friend who is scheduled to have surgery this spring. They have been given advice on how to fundraise for the surgery. In fact, people facing  the prospect of life saving, crushing debt generating treatments are given lots of information about how to run successful crowd funding campaigns. This is appalling. You should be disgusted by it. You need to be disgusted by it.

Giving to charity helps. Giving to your neighbors helps. However, this is not enough. The sheer level of suffering and injustice in the world, in your country, your neighborhood, your home is sickening and giving ourselves a reprieve by donating to charities will not fix these systemic problems.

All of that being said, I have made donations to non-profits, and will make more. I hope you’ll join me in supporting groups that are doing good, necessary work. I also hope you’ll join me in striving to bring about the big societal changes that will make it so we don’t need so many charities.

My career has been in non-profits, it is my dearest hope to one day be out of a job. In the mean time, I’ll continue to work, and I’ll continue to give in whatever ways I can.

Consent

I was walking down the platform at the train station when I caught eyes with a police officer. Instinctively, I smiled and he smiled back. When I got closer, he said “Excuse me, do you mind if I swipe down your bag?” He gestured to a machine he was holding. “Just a random check.”

The slight tension I’d felt since I first saw him grabbed hold of my spine, shoulders, and jaw. I stood up a little straighter and clenched my teeth down.

“Sure, I guess,” I said uncertainly.

He could hear something in my voice, or read something in my change of posture. “You have to consent in order for me to be allowed to do it.”

Consent. I’d just been writing about consent that morning, before going to catch the train down to New York for Thanksgiving. It set me on edge and made more real what was happening: someone wanted to move into my personal space. There was now a legal interaction happening. “I don’t want to be difficult, but I’d rather you didn’t if you don’t have to.”

“It’s just a random check,” he said. “You don’t have to consent.”

“What happens if I say no?”

“You can’t get on the train,” he gestured to the track with his machine.

“So, my options are to let you search my bag or not go see my family for Thanksgiving?”

“You could take a bus,” he offered.

I thought about how I wanted to say this. Words are powerful and important.

“I consent to this in as much as I must without having any other reasonable option presented to me.”

He looked unconvinced, but swiped down my bag anyway, declared it safe, and sent me off.

Did I really have the right to withhold consent in this situation? Technically, yes. I could have told him no, but I had no other reasonable option.

At the heart of user freedom is the idea that we must be able to consent to the technology we’re directly and indirectly using. It is also important to note that we should not suffer unduly by denying consent.

If I don’t want to interact with a facial recognition system at an airport, I should be able to say no, but I should not be required to give up my seat or risk missing my flight spending exceptional effort as a consequence of refusing to consent. Consenting to something that you don’t want to do should not be incentivized, especially by making you take on extra risk or make extra sacrifices.

In many situations, especially with technology, we are presented with the option to opt out, but that doesn’t just mean opting out of playing a particular game: it can mean choosing whether or not to get a life saving medical implant; not filing your taxes because of government mandated tax software; or being unable to count yourself in a census.

When the choice is “agree or suffer the consequences” we do not have an option to actually consent.

Ethical Source (2)

Continued from “Ethical Source.

Keeping Ethics in Open Source

For the sake of argument, we’re currently going to assume that open source (defined as “software under an OSI approved license”) does not adequately address social issues.

Ethical Source proponents suggest adopting licenses with “ethics clauses,” also frequently known as “do no harm clauses.” These include such points as:

  • must confirm to local labor laws;
  • may not be used by governments;
  • environmental destruction; and
  • may not be used to profit from “the destruction of people’s physical and mental health”

as well as the above examples from the Vaccine License and the Hippocratic License.

I would argue that these types of clauses are inherently flawed either due to ambiguity or unintended consequences.

To address the former, I want us to look at “environmental destruction.” There is a solid argument that all software causes environmental destruction – due to the drain on non-renewable energy resources. Software that makes cars safer also powers these cars, which fits into a narrative of car driven environmental damage.

When considering “the destruction of people’s physical and mental health,” we have to acknowledge how much software is damaging to both the physical and the mental. I am definitely having back problems due to poor posture as I sit typing away all day at my laptop. Social media has enabled bullying that has literally killed people.

These sorts of clauses are just too ambiguous to use.

Then there are more firm qualifiers, like must confirm to local labor laws. This seems rather straight forward, but there are plenty of places where women are still fighting for the right to work, for equal pay, and against all forms of discrimination. In some countries husbands can prevent their wives from working. Following local labor laws means creating a community where whole groups of people are not allowed to participating in the building of open source software.

I also want to point out that “government use” is a very broad category. Governments provide health care, social security, scientific funding, arts funding, and necessary infrastructure. By restricting government use, we are restricting our access to things like education and weather data.

Licenses are not the tool to push for social issues. Licenses are a tool to build equity, and they are even a tool to fight against inequality, but they alone are not enough.

Seth Vargo pulled source code from the Chef code base when it came to light that Chef was working with ICE. Google employees staged walkouts and protests against Project Dragonfly. Tech workers and contributors can institute codes of conduct, ban companies doing evil from their communities, refuse to accept pull requests or contracts, unionize, collectively organize, and simply refuse to work when the technology they’re creating is being used for evil or by evil.

The other problem with Do No Harm licenses is that they require the adoption of those licenses. There are already many open source licenses to choose from. Much of the critical infrastructure we’re discussing is being built by companies, which I think are unlikely to adopt Do No Harm licenses.

Acknowledgments to Elana Hashman for ideas here.

Ethical Source

This is going to be post one of some unknown number. I think I cannot write everything I want to say in one post, but also that it would just make it undigestably long.

Read part 2!

Is Ethical Source Open?

Let’s first define our terms here: “open source,” for the sake of this particular post, means “under an OSI approved license.” An OSI approved license must meet the points laid out in the Open Source Definition (OSD) — a ten point list of qualifications. “Ethical source” is being defined as being “under a license that applies moral or ethical limitations to the use and modification of the software.”

Ethical source is not open source. Eevery ethical source license I’ve seen violates OSD 5 and/or OSD 6.

5. No Discrimination Against Persons or Groups

The license must not discriminate against any person or group of persons.

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

The Vaccine License is a good example of the first:

The Vaccine License is a software license that requires that users vaccinate their children, and themselves, and that user businesses make a similar requirement of their employees, to the greatest extent legally possible. The required vaccinations are those recommended by the user’s national administration, for example the United States Center for Disease Control. There is an exception for those who, for medical reasons, should not receive a vaccine.

The Vaccine License is saying that you cannot use software under the vaccine license if you’re not vaccinated (medical exceptions exist).

The Hippocratic License violates the second point:

No Harm: The software may not be used by anyone for systems or activities that actively and knowingly endanger, harm, or otherwise threaten the physical, mental, economic, or general well-being of other individuals or groups, in violation of the United Nations Universal Declaration of Human Rights (https://www.un.org/en/universal-declaration-human-rights/).

Services: If the Software is used to provide a service to others, the licensee shall, as a condition of use, require those others not to use the service in any way that violates the No Harm clause above.

If you have been following the conversation around licenses and ethical source, this is not new. If you haven’t, then it might be!

In the former case, there is a straightforward connection: not vaccinated? Not eligible to use it! This is specifically about the individual user.

The latter example, the Hippocratic License, violates OSD 5 in that it may not be used by individuals (or groups of individuals) found in violation, but it also makes verboten fields of endeavor — horrible, illegal ones, but fields of endeavor none the less. You cannot use this software for torture.

Neither of these licenses are open source.

In general, ethical sources licenses place restrictions on individuals, groups, or fields of endeavor, this means that they cannot be open source.

Does it matter that they are not “open source”?

There is commercial and social value in a license being open source. For a company, it’s a friendly certification mark that appeals to customers, consumers, and potential employees. From a social perspective, by creating open source software you’re adding to the Software Commons — the resources available to everyone. This is just nice. Plenty of people want their software to be open source, and they especially want it to be open source on their terms.

In some contexts and for some people, ethical technology is nearly synonymous with free/open technology — or it is a prerequisite that a piece of technology be open source for it to be ethical.

There is also already a strong community around open source software. People consider themselves not just a member of a project’s community, but the open source community. By being part of the open source community, you are getting access to a lot of people and you are part of something. There’s a lot of value in that. It is understandable why proponents of Ethical Source licenses would want it to also be open source.

However, under the current circumstances, something simply cannot be open if there are restrictions to “ethical” cases.

Autonomy

I’ve been stuck on the question: Why is autonomy an ethical imperative? or, worded another way Why does autonomy matter? I think if we’re going to argue that free software matters (or if I am anyway), there needs to be a point where we have to be able to answer why autonomy matters.

I’ve been thinking about this in the framing of technology and consent since the summer of 2018, when Karen Sandler and I spoke at HOPE and DebConf 18 on user and software freedom. Sitting with Karen before HOPE, I had a bit of a crisis of faith and lost track of why software freedom matters after I moved to the point that consent is necessary to our continued autonomy. But why does autonomy matter?

Autonomy matters because autonomy matters. It is the postulate on which not only have I built my arguments, but my entire world view. It is an idea that is instilled in us very deeply that all arguments about what should be a legal right are framed. We have the idea of autonomy so fundamental as part of our society, that we have been trained to have negative, sometimes physical, reactions to the loss of autonomy. Pro-choice and anti-choice arguments both boil down to the question of respecting autonomy — but whose autonomy?  Arguments against euthanasia come down to autonomy — questions of whether someone really have the agency to decide to die versus concerns about autonomy being ignored and death being forced on a person. Even climate change is a question of autonomy — how can we be autonomous if we can’t even be?

Person autonomy means we can consent, user freedom is a tool for consent, software freedom is a tool for user freedom, free software is a tool for software freedom. We can also think about this in reverse:

Free software is the reality of software freedom. Software freedom protects user freedom. User freedom enables consent. Consent is necessary to autonomy. Autonomy is essential. Autonomy is essential because autonomy is essential. And that’s enough.

Free software activities (November 2019)

November brings two things very demanding of my time: Thanksgiving and the start of fundraising season.

Free software activities (personal)

  • The Open Source Initiative had it’s twice-a-year face to face board meeting! Good times all around.
  • Debian is having a GR. I’ve been following the development of proposals and conversation, which is basically a part time job in and of itself.
  • Participated in Debian Community Team meetings.
  • I started drafting Bits from the Debian Community Team.
  • Wrote some blog posts! I liked them this month.
  • Wearing multiple hats I attended SustainNYC, talking about sustainability in free and open source software.
  • I submitted to some CFPs — SCaLE, FOSSASIA, and OSCON.
  • I am serving on the papers committee for CopyLeftConf, and for this I reviewed proposals.

Free software activities (professional)

  • We launched a fundraiser! (About a patent infringement case)
  • Funding a legal case is an expensive proposition, so I am also meeting with companies and potential large donors interested in helping out with the case.
  • We launched another fundraiser! (About general Foundation activities)
  • I participated in the hiring process to fill two roles at the GNOME Foundation.

Health care

One of the most important issues for free software within the US is one we rarely talk about: healthcare. That is why I am going to write about it.

These days, sustainability in FOSS is a hot topic. In my experience, for many years this conversation focused nearly exclusively on making FOSS -profitable- for companies, in order to create jobs. Now, the conversation is shifting to ask: what conditions do we need to create so that everyone who wants to work in FOSS can do so?

The answer is not the same for everyone, nor is it the same in every country. Someone supporting a family of two, three, four, or however many has greater income needs than I do, as my biggest financial responsibilities are debt and a cat. However, I also have a condition with a mortality rate estimated at 15%. Access to affordable, comprehensive health care is not just a nice perk, but crucial for my continued survival.

Access to health insurance has been the primary factor in all of my professional decisions: staying places where I was miserable, doing work I hated, even choosing where to apply. Access to health insurance was a major factor in my moving to Massachusetts, which offers health insurance to all residents.

While my free software career has been amazing — I am extremely lucky that I was able to cultivate a skill set and social network that enabled me to work in the greater sphere of FOSS (and previously open ed) — I would have made different decisions had I not been reliant on employers to provide me with health insurance.

In the United States (and many, many other places), access to affordable, comprehensive healthcare (from here on: healthcare) is a major factor holding people back from FOSS contribution. When your access to health care is tied to your employer, your time — and literally your life — is dependent on your employer. This seriously impacts your ability to even have free time, let alone using that time to build FOSS.

Since the creation of software largely relies on people’s professional skill sets, we’re asking people to do in their free time what they do in their paid time — design, develop software, plan architecture, organize events, maintain systems and infrastructure, be a lawyer, manage finances, and everything else that strengthens FOSS and FOSS communities. In asking someone to take on a leadership role in a FOSS project or community, you’re asking them to take on another job — one that comes with neither pay nor benefits.

When people face constant threats to their existence due to fearing for their lives (i.e. their health), it can be hard, if not impossible to spend their time contributing to FOSS, or indeed to any activist project.

People who live in societies that rise to meet the basic material needs of all citizens are able to spend time contributing to the greater good. Those of us struggling to survive, however, must forgo opportunities to become participating members of communities that are trying to change the world. Instead, we look to our employers (usually with commercial interests) to meet our needs.

When you work in tech, meeting our basic material needs through employer-sponsored insurance comes at a steep price: non-compete agreements, signing away patent and intellectual property rights, fights to ensure your work is available under a free and/or open source license, and giving up more than 8 hours a day/40 hours a week. When we try to create good FOSS in addition to that, we burn out, we become miserable, and we’re trapped.

People are incapable of creating FOSS when they’re sick, burnt out, worried about their health, struggling with an ongoing condition or disability, or dead. It’s that simple. [powerful]

People fighting for access to healthcare should care about free software for many reasons, but we as a free software community also need to care about access to health care. This is for the sake of ourselves and the sake of our communities. We cannot build the tools and resources the world needs when we are struggling simply to live.

If you accept the notion that lack of access to comprehensive healthcare impacts our ability to have the resources necessary to create something like free software, then we can acknowledge that, by providing health care to everyone, everyone will then be in a better, more equitable position from which they can contribute to FOSS and lead safer, happier lives.

According to the KHN, 8.5% of U.S. Americans didn’t have health insurance in 2018. Un-insurance rates are even higher among non-white populations according to HHS. As a community, we’ve accepted that the lack of diversity and the over-representation of cis white folks is a problem. We need to create more equitable conditions — so that people come to FOSS from similar places of privilege, rather than having a huge disparity in privilege and oppression. Providing health care to everyone will help alleviate this, and will enable more people to do the things they are passionate about — or things they will become passionate about once they have the chance to do so.

If we are to create a world where FOSS is successful, access to health care is paramount and we need to take it seriously.

Rebellion

We spend a lot of time focusing on the epic side of free software and user freedom: joys come from providing encrypted communication options to journalists and political dissidents; losses are when IoT devices are used to victimize and abuse.

I think a lot about the little ways technology interacts with our lives, the threats to or successes for user freedom we encounter in regular situations that anyone can find themselves able to understand: sexting with a secure app, sharing  DRM-free piece of media, or having your communications listened to by a “home assistant.”

When I was writing a talk about ethics and IoT, I was looking for these small examples of the threats posed by smart doorbells. False arrests and racial profiling, deals with law enforcement to monitor neighborhoods, the digital panopticon — these are big deals. I remembered something I read about kids giving their neighbor a pair of slippers for Christmas. This sort of anonymous gift giving becomes impossible when your front door is constantly being monitored. People laughed when I shared this idea with them — that we’re really losing something by giving up the opportunity to anonymously leave presents.

We are also giving up what my roommate calls “benign acts of rebellion.” From one perspective, making it harder for teenagers to sneak out at night is a good thing. Keeping better tabs on your kids and where they are is a safety issue. Being able to monitor what they do on their computer can prevent descent into objectively bad communities and behavior patterns, but it can also prevent someone from participating in the cultural coming of age narratives that help define who we are as a society and give us points of connection across generations.

People sneak out. People go places their parents don’t want them to. People stay up late at night reading or playing video games. People explore their sexuality by looking at porn when they’re underage. People do things their parents don’t want them to, and these are things their parents are increasingly able to prevent them from doing using technology.

I met someone at a conference who was talking about potentially installing a camera into the bedroom of their pubescent child — the same kind designed to allow parents to monitor their babies at night — because their child was playing video games when they “should be sleeping.”

This appalled me, but one of the things that really struck me was how casually they said it. Technology made it not a big deal. They already had one in their baby’s room, putting another in seemed simple.

I would happily argue all the epic points that come out of this: creating a surveillance state, normalizing the reality of being monitored, controlling behavior and creating a docile population. These are real threats, but also, seriously, poor sleep hygiene is just a thing teenagers do and it’s okay.

These benign acts of rebellion — staying up later than we’re told to, chatting with our friends when we’re not “supposed to” — are not just important points of cultural connection, but also just important for our own individual development. Making mistakes, doing dumb things, acting the fool, and learning from all of this is important in the process of defining ourselves. Technology should not be used to hinder our personal growth, especially when it offers to many opportunities for us to better explore who we are, or makes it safer for us to continue to rebel in the myriad ways we always have. Rebellion is important to our narratives — it’s certainly integral to mine. I hope that people younger than me don’t lose that because of the fear others hold.

Free software activities, October 2019

A belated hello! I was traveling at the end of October and missed this. Apologies!

A beautiful, green Japanese maple tree in front of a Buddhist shrine.

In October, work was quite busy, though a lot of it was behind-the-scenes stuff I cannot yet update you on. It was also very busy with a very exciting trip I took that had absolutely nothing to do with free software. If you’re ever going to Kyoto or Tokyo and looking for some recommendations for coffee, cocktail bars, restaurants, or general things to do, hmu.

Free software activities (personal)

  • I have regular meetings with Patrick Masson, the general manager of the OSI. We made most of them in October.
  • I did some writing for the OSI. Not all of it is published at this point.
  • I worked on crafting drafts of organizational policies for the OSI, including staffing, travel, and a whistle blower policy. I hope to be able to arrange for an HR specialist or employment lawyer to review these.
  • The OSI has two new board members! In order to make this happen, I contacted all of the nominees for whom I had contact information. I spoke with them about the OSI, the Board and it’s activities, and how they saw their potential involvement. Basically I interviewed a bunch of ~fancy~ people. It was so much fun talking with every one of them and I learned so much during the process.
  • The Debian Community Team had some meetings, wrote some emails, and discussed The Future together and with the greater Debian community.
  • I attended All Things Open and spoke about ethics and IoT devices. My slides were puppy themed.
  • I did some philosophy based writing. I got a  lot out of this and hope you did too.
  • I also found out that my brother’s company does some open source work!
  • I submitted to the Open Source Festival 2020 CfP. And you can too!

Free software activities (professional)

  • I attended All Things Open and had one of the most awesome tabling experiences I have had to date! It was such a great crowd at ATO! They took all of our stickers!
  • I had a lot of meetings with some more great people. Thank you everyone who made some time for me!
  • We launched a Patent Troll Defense Fund! I cannot thank the donors enough! It’s so inspiring for me to see the community come together to support a project I really believe in.
  • We’ve been doing a lot of work on this Rothschild Imaging thing.
  • We did some fundraising for Linux Application Summit (which happened this week!).