[Plura-list] Mexico's new copyright vs cybersecurity; Google destroys yet more smart-glasses

Cory Doctorow doctorow at craphound.com
Thu Jul 30 11:13:35 EDT 2020

Today's links

* Mexico's new copyright vs cybersecurity: Trump's copyright law makes
Mexico's devices unauditable attack surfaces for the world's

* Google destroys yet more smart-glasses: Glassholes love company.

* Solar heroin: Afghan solar adoption, the heroin market, and the future
of energy and agriculture.

* Why sweat smells: Go home, staphylococcus hominis, you're drunk (on

* Interop to the rescue: The role for interoperability in addressing
tech's competition crisis.

* This day in history: 2019

* Colophon: Recent publications, upcoming appearances, current writing
projects, current reading


🦥 Mexico's new copyright vs cybersecurity

Mexico's new copyright law was rushed through its Congress without
debate or consultation, copy-pasting the US copyright system into
Mexican law as though America's system was working perfectly.


The law poses grave risks to Mexicans' human rights, especially (and
most obviously), their right to free expression.


But perhaps even more urgent is the impact this law will have on the
Mexicans' cybersecurity: the security of their devices and thus the
integrity of their data and even their personal safety:


The new law imports the USA's "anti-circumvention rule" - a rule that
makes it both a criminal and civil matter to tamper with the "technical
protection measures" that restrict access to a device, even if it's your
device, and even if you're not infringing copyright.

This law has been a serious impediment to independent security audits -
when a researcher investigates the devices we're using, to ensure that
they aren't leaking our data or exposing us to risk - say, by allowing
hackers to send lethal shocks to our implanted pacemakers.

That's because security testing often involves bypassing a technical
protection measure (TPM) to get at
the device's internals, and the output of those tests is often "proof of
concept" code, which incontrovertibly demonstrates the defects,
overriding any denials from the manufacturer.

Both of these run afoul of both US and (new) Mexican copyright law, and
since the only way to determine whether a system is secure is to subject
it to independent scrutiny, this leaves devices vulnerable to serious
attacks with real consequences.

Mexicans have direct experience with this. Pegasus, a digital weapon
sold by the arms dealer NSO Group, was used to attack independent
journalists, anti-sugar campaigners, and even young children:


The same weapons were implicated in the Saudi kidnapping, murder and
dismemberment of Jamal Khashoggi; they rely upon lingering security
defects in devices that the arms dealers exploit and sell to dictators
and wealthy thugs.

Like the US law, the Mexican law contains an "exemption" for security
research; in fact, it is nearly a verbatim translation of the US clause.
That exemption is entirely useless. How useless? In 22 years, no one in
the USA has ever managed to use it.

And in case there was any doubt, the US Copyright Office has officially
acknowledged the insufficiency of this exemption and has created larger,
more explicit carve outs (that are still insufficient).

The US law lets the Copyright Office make these changes; the Mexican law
not only does not define a process for fixing these overreaches, it's
also starting without the USA's 22 years' worth of exemptions.

No nation can afford to tie the hands of cybersecurity researchers.
Mexico's lawmakers could have easily written a law that accommodated
security - all they'd have had to say was, "None of this applies unless
you're infringing someone's copyright." They didn't.

Now it's down to the National Commission for Human Rights, which has
until Jul 31 to announce that it is reviewing the law. If you are in
Mexico or are Mexican, here's a petition to the Commission:



🦥 Google destroys yet more smart-glasses

Late last June, Google bought out "North," a tech company based in
Waterloo, ON, which manufactured "Focals," a line of "smart glasses." A
month later, the company is turning off the servers the glasses rely on,
bricking every pair they ever sold.


The company is refunding its customers' money, but this is cold comfort
for many. As I said when Microsoft revoked every ebook it ever sold by
shutting off its DRM server:

"When I was a bookseller, nothing I could do would result in your losing
the book that I sold you. If I regretted selling you a book, I didn't
get to break into your house and steal it, even if I left you a cash
refund for the price you paid."


Why would Google do this? The company stonewalled CTV News, but we can
make some guesses.

First, Google is incredibly bad at making wearable products. They've
spent hundreds of millions on glasses and watches and they all sucked
and flamed out.


Historically, companies that were bad at something would lose to
companies that were good at it. But in the new Gilded Age, where we no
longer enforce antitrust laws, companies that are bad at things can buy
up companies that are good at them, a monopolistic tactic.

Google's buying a lot of wearable companies, like Fitbit. They have a
buyer's market, because the company has stockpiled billions by
maintaining the absurd pretense that it was headquartered somewhere in
the Irish Sea, in a state of tax-free bliss.


This isn't an advantage that its nascent rivals enjoy - until you have
billions, you can't hide billions, because the enablers who create
trusts and Double-Irish Dutch Sandwiches and other polite names for
"fraud" are not interested in your business.

Google - and other Big Tech companies - literally buy companies more
often than I buy groceries. This is by design: the companies have used
monopolistic tactics to effectively foreclose on the possibility of
their being unseated.


As a result, the "exit" that most founders and investors seek from tech
startups is acquisition - generally an "acqui-hire," where a company is
purchased for its engineering team. The product is scrapped and the team
become employees.

The "acquisition" fee is really just a hiring bonus, with a finder's fee
to the "investors" disguised as a share purchase. America's tech
investors are largely headhunters, a glorified, inefficient
job-placement service.

And the "products" that the "investors" pay "founders" to make aren't
really products: they're portfolio pieces, a post-grad project to prove
that you can execute a product design.

The product was never intended to be used by humans - you, the customer,
are simply a proof-of-concept. It's a wasteful, idiotic system that
throws billions at imaginary products for the purpose of shifting
fractional points from Big Tech's balance sheets to investors.


🦥 Solar heroin

For a glimpse of the future of agriculture and energy, check out Justin
Rowlatt's fascinating article on the role of solar energy in Afghan
heroin cultivation, a booming phenomenon that has boosted yields from a
single annual harvest to two or three.


As Rowlatt points out, there's only one reason that the heroin industry
changes: to increase its profits. The switch to solar in war-torn
Helmand is driven by the plummeting price of solar energy, not local
subsidies or climate concerns.

Which is not to say that climate and subsidies aren't playing indirect
roles here. Part of the reason solar panels are so cheap is that they
scaled up thanks to subsidies elsewhere, like Germany and the USA; those
countries' subsidies drove R&D and production efficiencies.

The solar is driven by droughts, which send farmers questing for water
with deep wells, draining nonrenewable fossil aquifers. In theory,
farmers elsewhere could use solar to power desalinators, but that has
its own climate consequences (salt flushed into coastal waters).

And while Helmand's farmers don't just grow opium poppies - one farmer
featured in the article also grows tomatoes - the global flood of cheap
heroin has real humanitarian consequences (of course).

But all of that doesn't change the essential fact illustrated by solar
uptake among these poor, illegal, desperate businesses: solar is cheap
and easy. In the Lashkar Gah market, "solar panels are stacked 3 storeys

"And what the changes in Afghan opium production show us is that having
a source of power independent of any electricity grid - or fossil fuel
supplies - can bring significant innovation."


🦥 Why sweat smells

In "The molecular basis of thioalcohol production in human body odour,"
biologists from the University of York trace human body odor to a
metabolite of the enzyme Cys-Gly-3M3SH when it is consumed by the
bacterium staphylococcus hominis.


The source of the "pungent, cheesy, oniony smell" has been something of
a mystery because thioalcohols - the smelly substance - are not produced
by most of the microorganisms in our skin biomes. The team isolated
the source of thioalcohols as a waste product of staph h.

The enzyme Cys-Gly-3M3SH is released by our apocrine glands - the sweat
glands associated with hair follicles that cluster densely in armpits,
genitals and nipples - from puberty onwards.


In theory, this opens the way to new deodorants that narrowly target a
single component of our microbial nations, rather than the current
scorched-earth microbicidal approach (or its even worse alternative,
plugging our sweat glands).


🦥 Interop to the rescue

In a major new paper, just released as a preprint, the eminent UK
computer scientist and digital rights campaigner Ian Brown makes the
case for "Interoperability as a tool for competition regulation."


The paper pulls together many of the recent interventions on the subject
into a single, readable, brief summary that makes for an excellent
overview - I'm not saying you shouldn't read the CMA's magisterial
450-page report, but realistically...


Brown starts by describing interop - an often slippery topic - in
concrete terms, giving familiar examples from existing tech (eg SMS) and
then describing how interop could open Big Tech's silos up.

He summarizes leading economists' views on the effects of interop on
competition, presenting both pro- and con- arguments (the pro arguments
are MUCH better, but then reality has a well-known leftist bias).

He then presents a taxonomy of types of platforms:

* Gatekeepers: "control access between businesses and potential customers"

* Conglomerates: "companies with a broad range of sometimes
weakly-related businesses"

* Ecosystems: "collections of services connected via privileged channels
not fully available to competitors"

This is a jumping-off point for concepts from competition scholarship:
"complementary innovation," "homogenization," "static vs dynamic
effects" - the ways that companies interpenetrate each others'
products/services for good and ill.

Having covered the economic dimension, Brown turns to the social
consequences of interop: as covid showed us, platform dominance has a
profound effect on our social lives, with choices made by tech giants
redounding to every facet of our digitally mediated, locked down lives.

Competition economists since Thatcher and Reagan have largely dismissed
these consequences, focusing solely on short-term price increases as the
only reliable barometer of whether monopolistic conduct is good or bad.

But tech concentration has profound impacts on our civil society - the
BBC can't get Amazon or Google to put its coronavirus coverage on their
smart speakers, so "tech companies with their executives in the US have
a monopoly in British people’s kitchens and living rooms."

Other media orgs also complain that tech acts as a rent-seeker and
gate-keeper, holding their audiences hostage (though those who succeed
rarely complain on behalf of smaller, new entrants who can't afford to
pay tech's tolls and thus do not compete with Big Content).

Next is privacy and data protection, citing some of the work I've done
with my EFF colleague Bennett Cyphers:


This is a severely undertheorized area, and there are severe potential
pitfalls if we get it wrong. One thing we know, though, is that the
status quo is NOT good for privacy, and lack of competition doesn't
incentivize tech monopolists to do better.


Next, Brown turns to content moderation, an area of growing concern that
regulators have primarily addressed by creating impossibly expensive
mandates to prevent harmful speech, at costs that preclude new market
entrants, strengthening Big Tech's dominance.

Brown cites federated platforms like Mastodon, which allow for partial
interconnection between autonomously maintained servers, where
communities can make their own policies and block/filter those with
policies they disagree with.

These offer the possibility of having fine-grained locally responsive
rules - enforced by the community itself, not by traumatized
subcontractors in the Philippines tasked with moderating all of
Facebook's 2.6B users' contributions.

Brown takes on "digital sovereignty" and the uneasy fact that most of
the west's online media is controlled by a handful of US-based companies
with "GDP"s larger than most countries'.

Interop lets domestic competitors arise that can benefit from these US
giants' users, while returning control to local firms and regulators.

Brown ends with an appendix that enumerates types of interop and
scenarios for how they could be applied to existing Big Tech firms'
services, bringing the whole thing into focus with concrete examples and

As the US Congress showed us yesterday, we're at a turning point with
our relationship to Big Tech. Smaller tech companies are experiencing a
mass die-off thanks to covid, and Big Tech has huge war-chests it can
use to snap them up.

When these US giants buy all their nascent competitors, they will
present themselves as rescuers, saviors of businesses drowning in debt.
But unless we intervene, they will emerge from the crisis with levels of
dominance we can hardly dream of.


🦥 This day in history

#1yrago Zero Sum Game: action-packed sf thriller about a ninja hero
whose superpower is her incredible math ability

#1yrago Rockstar Games made £4b between 2013-19, paid no corporate tax
in the UK, claimed £42m in tax relief

#1yrago Defects in embedded OS VxWorks leave an estimated 200m devices
vulnerable, many of them mission-critical, "forever day" systems

#1yrago The darkest SEO: forging judges' signatures on fake court orders
to scrub negative Google results

#1yrago Affluent parents surrender custody of their kids to "scam" their
way into needs-based college scholarships

#1yrago Cop says Amazon told him they had "partnered" with 200 US police
forces to sell and tap into Ring surveillance doorbell


🦥 Colophon

Today's top sources: Bob Loblaw (https://twitter.com/cburatto/),
Slashdot (https://slashdot.org/), Ian Brown (https://twitter.com/1Br0wn/).

Currently writing:

* My next novel, "The Lost Cause," a post-GND novel about truth and
reconciliation. Yesterday's progress: 512 words (43375 total).

Currently reading: The Deficit Myth, Stephanie Kelton

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 11)

Upcoming appearances:

* Reading, Conzealand, Aug 1 (Aug 2 in NZ!),

* Do Androids Dream of Electric Cars? Public Transit in the Age of
Google, Uber, and Elon Musk, Aug 4,

* Virtual event with Christopher Brown for his novel "Failed State," Aug

Latest book:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:

Upcoming books:

* "Attack Surface": The third Little Brother book, Oct 20, 2020.

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.


🦥 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Twitter (mass-scale, unrestricted, third-party surveillance and


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


*When life gives you SARS, you make sarsaparilla* -Joey "Accordion Guy"
