Circumventing fragmentation; Who pays?; Are link previews secure?
The internet is becoming increasingly fragmented at the technical level with various companies and countries developing their own digital ecosystems and national intranets. Even if basic internet connectivity is available, and inter-connectivity possible, user access to information and services can be unequal across jurisdictions. Circumventing fragmentation with VPNs is not enough. VPNs aren't yet ubiquitous and VPNs don't fix fundamental internet resilience issues. Two, invite-only events are coming up and both are oriented to solutions in infrastructures and architectures.
Splintercon: Deadline for papers is 1 November and the conference will be held in Montreal on 7-8 December.
IAB workshop on Barriers to Internet Access of Services (BIAS): Deadline for papers is 24 November and the workshop will be online week of 15 January.
I'm on the program committees for them both and the hope isn't just for visionary solutions– it's to make circumvention more normalized as a design goal in technical standards.
From time to time there is superficial resonance with the idea that the largest tech companies, because they produce so much traffic, should pay for the construction and maintenance of internet infrastructure. That idea is almost always suggested by internet service providers, who are in the business of selling access to internet infrastructure– that they build and maintain– to consumers. The implications of an architectural model that any "sender pays" ISPs, too, in addition to client subscribers, include: unequal delivery speeds, content providers avoid entering the market, higher prices for subscribers, and all without guaranteeing more and better networks. They are also far reaching: South Korea, India and the EU might enact these proposals, but the entire fabric of the global internet would be impacted.
"Sender pays" is shelved in the EU for now, after an extensive public consultation resulted in broad rejection of the proposal. It's important to repeal this part of South Korea’s Telecommunications Business Act, and to push back on India's emerging "revenue sharing" proposal, too.
Tomorrow: Make plans to attend "Power to the People: The Encryption Summit". The Global Encryption Coalition and Tech Policy Press are hosting a series of panels on encryption, privacy, security. Saturday 21 Oct is Global Encryption Day.
Last weekend: While digital security experts were asking one another about the origin of a rumored Signal vulnerability, many more were left wondering "Are link previews secure?"
While the "link unfurling" debate was perhaps settled in 2019 when Signal released the feature that shows users a preview of a link (thumbnail, title, blurb), the reason it was a discussion at all is that it requires the application to, securely and consensually (it can be turned off), fetch content from a third-party endpoint (the video/article/etc server) that exists outside of the end-to-end conversation.
Signal was extremely cautious about this feature, however mundane it might seem. That's because it's important to develop technical design principles and guidance for in-app functionality that users want, but in a way that doesn't break the promises of confidentiality and privacy of end-to-end encrypted messaging and conferencing systems. Concrete suggestions and cryptographically verifiable techniques for end-to-end application development should both prioritize enhancing user experience and agency in encrypted systems, so that encryption becomes more usable and ubiquitous, while still preserving the key promises of privacy and confidentiality.
One recommendation from CDT’s "Outside Looking In" report is for researchers to emphasize user agency when developing techniques for content detection in E2EE services. This can include ways to improve user control of their communications on E2EE services without weakening or breaking encryption. This is a perspective that is still missing from existing research (and some of the follow-up research since our report) on content moderation and E2EE. One area that my colleague Michal Luria explores in a research report that comes out in a few days focuses on understanding the opportunities to improve young people's ability to protect themselves. (Spoiler: one of the main findings is that the focus should be on preventing unwanted messages, as opposed to dealing with them once they arrive.)
User research into how users can choose or create their own filters to block unwanted content within an E2EE app on their device, while not exposing information about the filters to third parties, is a critical area for future user research. But while ease of use of user-empowered filtering is important, one could argue that the more valuable aspect of such a research project would be to understand why people lack the motivation to use existing user empowerment features like blocking and reporting, and what could be done to change that. A 2021 report by Amnesty International suggested that 25% of women who reported abuse were unhappy with the response, and that 100% of women who did not report abuse said it "wasn't worth the effort".
E2EE systems have to grapple with this, just like with link previews. But it only gets more complicated from here.
Lastly! Check out this short guide from the Office of the High Commissioner on Human Rights about why encryption matters for everyone.