How should Internet regulation of content work?

I first published the following query in a closed discussion forum for CIS 125/LAW 613 (Technology & Policy) at Penn Law. It is reposted here with minor edits.

Understanding the layers of the Internet (TCP/IP, etc) helps us to think about Internet governance in terms of allocating scarce resources, such as IP addresses and domain names. There is another layer to regulating the Internet that has little to do with scarcity or technical concerns: content on the World Wide Web. While people around the world effectively must agree to the same technical standards and the same mechanisms of allocating scarce resources in order for the Internet to function, there seems to be disagreement on which laws relating to speech and content apply, the geographic boundaries (if any) within which they apply, and to what extent foreign entities must comply. These concerns are obvious when we talk about the “Great Firewall of China”, highlighted by Google’s pull-out from mainland China, but less so evident when talking about countries that don’t use technical measures to censor citizens’ Web access.

This week, the issue became topical when Russia’s media/telecom regulator clarified existing rules on use of an individual’s image, seeming to outlaw certain forms of the Internet phenomenon known as memes.[1] The clarification came on the heels of a Russian court ruling in favour of a singer whose likeness was used without his permission in various Internet memes, some of which were unflattering. According to the Roskomnadzor—the agency that issued the clarification—as reported by the Washington Post, it is illegal in Russia to depict a public figure in a way that is unrelated to their “personality”, whatever that should mean. As expected, American media quickly seized on this act as part of a broader effort to control dialogue on the Web, at least within the Web as seen in Russia; noncompliance with the agency’s rules can result in a website being blacklisted in all of Russia.[2]

Setting aside any immediate visceral reaction that categorizes this as censorship, we might pause to consider Roskomnadzor’s justification, which pointed to the offence to celebrities’ “honor, dignity and business.”[3] But this is not some novel argument to protect celebrities at the expense of open expression; after all, even US law, which is weaker than European regimes that acknowledge a dignitary right in privacy, protects one’s likeness and privacy to some extent in tort, for very similar reasons.[4] And even if we disagree with the application of this principle in the agency’s rule, protecting individuals’ privacy and identity is still a legitimate state interest.

The real question, I think, is not whether Russia’s rule accomplishes the right balance of priorities, between privacy/control-of-likeness and open expression. After all, the extent to which the rule can even be enforced is dubious. (It would be a waste of resources for the Russian government to go after every meme of Putin on horseback.)

The much more interesting question for us is, to what extent should geopolitical nations be able to control content on the global Web according to their own sovereign laws? Moreover, given the borderless (by default) accessibility of websites and the diverse origins of Web publishers, is it reasonable to burden companies across the world with the task and cost of complying with a patchwork of nation-by-nation rules and judicial orders lest they allow their site to go dark in Pakistan or Russia or China?

In other contexts, like inconsistent cybersecurity laws across US states, companies have found it easiest to follow the strictest set of rules, hence simplifying their task. Maybe an image host like 9gag, catering to meme-makers, would find it technically easiest to comply with these inconsistent rules by deleting content whenever any nation complains. But then free speech everywhere is constrained to the narrowest rules among jurisdictions, so this is an unacceptable outcome. What is the alternative? Does the company have to add technical complexity to its systems to block Russian visitors only from accessing a picture of Putin? Isn’t this option economically inefficient?

Looking to a historical example, even a company that wants to stand up for human rights and free speech principles might find a weighty cost of defiance. In 2010, Google withdrew from operating the mainland Chinese edition of its search engine so as to relieve itself of the burden of obeying mainland Chinese regulations.[5] Reportedly frustrated with complying with strict censorship, and probably having small market share in the shadow of China’s Baidu, Google decided to redirect all mainland Chinese visitors to its Hong Kong edition, which operates under more lax rules. The cost of doing so? Losing relevance in the Chinese market.[6]

Many other companies lacking Google’s backbone and cash would likely roll over when requested to avoid losing their audience. Does this give too much influence to countries like the United States, China, and the UK, over what citizens can see on the Web? Is the Web any better under the rules of the superpowers than under the patchwork of nation-by-nation restrictions on free speech?

Footnotes

Footnotes
1 Megan Geuss, Russia’s Internet censor reminds citizens that some memes are illegal, Ars Technica (Apr. 11, 2015), http://arstechnica.com/tech-policy/2015/04/russias-internet-censor-reminds-citizens-that-some-memes-are-illegal/; Caitlin Dewey, Russia just made a ton of Internet memes illegal, Wash. Post Intersect Blog (Apr. 10, 2015), http://www.washingtonpost.com/news/the-intersect/wp/2015/04/10/russia-just-made-a-ton-of-internet-memes-illegal/.
2 See Caitlin Dewey, supra note 1.
3 Id.
4 Restatement (Second) of Torts § 652A-E (1977).
5 Jemima Kiss, Roundup: Google pulls out of China, Guardian (Mar. 23, 2010), http://www.theguardian.com/media/pda/2010/mar/23/google-china.
6 See Kaylene Hong, Google’s steady decline in China continues, now ranked fifth with just 2% of search traffic, Next Web (Jul. 5, 2013), http://thenextweb.com/asia/2013/07/05/googles-steady-decline-in-china-continues-now-ranked-fifth-with-just-2-of-search-traffic/.

Google, you should know better

Gmail doesn't recognize YYYY-MM-DD format
Google doesn’t recognize YYYY-MM-DD format in contacts.

The YYYY-MM-DD format (%Y-%m-%d) is an internationally accepted, and standardized (ISO 8601) date format. The entire ISO 8601 system is based on big-endian ordering (greatest-to-least units) within the string, so… year, month, day, hour, minute, second. It makes a hell lot more sense than the American traditional MM/DD/YY format. So much so, in fact, that ANSI and the National Institute of Standards and Technology (NIST) have both adopted it. In some countries, like China, the traditional format in the language follows the same big-endianness: 2006年1月29日, which spells out 2006-01-29.

The advantage of this format isn’t just for programmers, where sorting dates and times requires no special logic (i.e. 2014-01-31 unambiguously precedes 2014-02-01, even if they were both written without delimiter symbols).

The format also eliminates any confusion between the fields. For instance, though colloquial American 11/12/13 should be interpreted as November 12, __13, it could just as easily pass for December 13, 2011. There is no room for confusion in 2013-11-12.

XKCD says it best:

XKCD reminds us of ISO 8601
xkcd: ISO 8601

Now, it’s understandable that maybe Google needs to recognize people’s different formats of entering dates in their colloquial formats, like MM/DD/YY. But there is no excuse not to recognize the YYYY-MM-DD format.

Even more so, because the date in my screenshot, 1995-09-24, has no possible misinterpretation. To any rational human being, there’s no way to think that this is the 9th day of the 24th month (!) of 1995.

iOS 7 icons: you can’t be serious

I’ve been a proud Android user for years. Yesterday, I became even stauncher of a loyalist.

I only had to look at some of the incredibly stupid decisions Apple made with its iOS 7 redesign. There’s no need for me to write a long rant because that’s already been done — by countless individuals.

Basically, there was nothing significantly innovative in this iteration, and the design is now a horrible, inferior mixture of Windows Phone/Metro, Android, and WebOS.

Just compare the icons of “stock” apps on Android 4.2.2 (on my Nexus 4, left) vs iOS 7 (from the Apple site).

Both sets have moved away from skeuomorphism, but Android's is more professional
Both sets have moved away from skeuomorphism, but Android’s is more professional

The legacy rounded corners in the iOS designs, the mid-2000s gradients, and bubbly, cartoonish icons don’t fit the image of a polished operating system. The roundness of it all is really bad considering the emphasis on flatness in the calculator and call screen (or FaceTime incoming screen).

What really struck me was the redesign of the 4 core dock icons. I don’t think I’m crazy in picking stock Android over iOS 7 on this one:

A typical set of Android dock icons compared to their iOS 7 equivalents
A typical set of Android dock icons compared to their iOS 7 equivalents

Don’t get me started on how cluttered Control Center looks.

I’ll just leave you to read a “quick feature comparison” between iOS 7 and Android.

TL;DR I’m not impressed.

Windows Live Hotmail is now authenticating DKIM

Hotmail inbox screenshot

I haven’t seen anything published about this yet, but I noticed today that Windows Live Hotmail seems to be authenticating incoming e-mail using DKIM in addition to Sender ID.

Background

In the past, Hotmail has verified the authenticity of incoming e-mail through Microsoft’s proprietary version of Sender Policy Framework called Sender ID. Both of these projects were designed to verify that the computer sending the message, as identified by the originating IP address, is authorized to send e-mail on behalf of the named sender.

A typical SPF policy, specified through a TXT record in DNS, might say

v=spf1 ip4:208.97.132.0/24 -all

This means that only IP addresses in the 208.97.132.1–208.97.132.254 range are allowed to send e-mail on behalf of this domain. (The Sender ID policy would look similar, but starting with spf2.0/pra.)

Hotmail’s policy has been to verify all incoming e-mail using the Sender ID framework. This theoretically reassures users that authenticated e-mail definitely comes from the named sender, reducing the likelihood of header forgery. If an e-mail does not pass Sender ID verification (softfail) and has other signs of being forged, it will likely be classified as junk.

A valid e-mail is marked with these headers:

X-SID-Result: Pass
X-AUTH-Result: PASS

If the organization’s policy uses the strictest policy (-all), and the message does not pass Sender ID validation, and the organization has submitted its Sender ID records to Microsoft, invalid e-mail sent to @live.ca and @live.com domains are rejected. As far as I am aware, this protection is not applied to @hotmail.com accounts.

From SPF to DKIM

The problem with SPF is that it doesn’t verify much. All it tells us is that an e-mail comes from the right computer—not that an intermediate server hasn’t tampered with it. In addition, SPF only really validates the From: or Sender: headers.

Besides, many large service providers cannot implement a strict SPF/Sender ID policy because users may be sending e-mail through other servers. (For example, I might use my ISP’s SMTP servers to send e-mail from my Windows Live Hotmail address; a strict SPF/Sender ID policy would mark those e-mails as junk.)

DKIM, however, encompasses the contents of the message body, in addition to the headers. It does not necessarily require the e-mail to come from a certain IP address. Using public key cryptography, it allows organizations to take responsibility for sent e-mails by verifying that the e-mail came from an authorized source, similar to the way secure servers connect over TLS/SSL.

Implementing DKIM means that all outgoing e-mails are signed using a private key; the signatures are then checked by compatible software against the public keys published in DNS. Each domain can have multiple DKIM keys, allowing multiple sending systems to sign outgoing e-mails independently.

A sample DKIM signature looks like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=frederickding.com; s=google;
        h=domainkey-signature:mime-version:from:date:message-id:subject:to
         :content-type;
        bh=b3wR4p4G21l92tc0ahioopi7atMwDp2wkaQb/uOL65E=;
        b=YJ6nD3Nx5hgwRhYppb/n2g5lQxA5jzFvYEJ0dR4dtkRFv14GVJWStQXwwZryGuujC/
         v4ve5ZE3ZAEAtv5hCj99ZLAfR52rskpbitso+106M8uQvryLyuLSnX1mrk6JaDFLMr8V
         qHmCEZUF5+cnWEYSwlLo1T8hntgN28hj8OyJY=

DKIM actually requires a lot more work for organizations to implement, as it requires additional DNS lookups and (perhaps) expensive cryptographic calculations. A decade ago, it would have been unfeasible to implement this on an organization as large as Windows Live Hotmail.

Hotmail today

Today, the inexpensive cost of processing power makes it possible for Hotmail to validate DKIM. Yahoo! has been doing this since the beginning, as it was the source of this technology. Gmail, too, has been validating DKIM for some time. (Both Yahoo! and Gmail sign outgoing e-mail with DKIM signatures, and Google has made this possible through its Google Apps service for companies as well.)

While Windows Live Hotmail has always validated Sender ID, today I noticed the addition of a new e-mail header:

X-DKIM-Result: Pass

This is good news.

Conclusion

To summarize a post’s worth of babbling, this means that Windows Live Hotmail is taking additional steps to combat e-mail forgery, phishing and spam. A step forward for everybody.

Happy New Year!

It’s the end of another year and the end of a ground-breaking decade. Let’s look back at what’s been accomplished in the years of 2000–2009, focusing on technology.

Technology

Windows has entered a new era

The decade—indeed, the century—began with Windows 2000, which I consider the first great version of the operating system. XP was the version that brought widespread success, and people just seem to refuse to upgrade; even today, almost three quarters of the computers on the net are on XP.

Despite the dismal failure of Windows Vista, it too brought change, which was followed by the enhancements of Windows 7. Compare my desktop today to the ugly screens of a decade ago:


Microsoft Store
Windows 98 desktop screenshot

Apple deserves an honourable mention for the ground-breaking work they’ve done on the Mac, elevating it to a newly trendy status.

Portable media players have completely changed

A decade ago, CD players and tape-based Walkmans were still the norm for ‘portable’ audio players. The iPod, launched in 2001, entirely changed the game. (I suppose this and the iPhone were the “comeback of the decade”.) It was no longer a device that played removable media. That was followed by thousands of other portable media players, to which the public generally refers inaccurately as “MP3 players”, reflecting the popularity of the 15-year-old MP3 format that has also been notorious for illegal file sharing (see below).

Cell phones and mobile devices have become ubiquitous

These devices used to be ugly, huge and heavy objects. As we move into 2010, cell phones have become more compact (usually this means thinner and lighter) and more powerful.

In China, about 739 million people have cell phones; that’s more than there are Internet users in China (which is about 360 million).

Mobile devices have become truly powerful. The iPhone, purportedly the most popular cell phone of 2009, is one of the biggest platforms for software development. And it has a touch screen. RIM’s BlackBerry, initially launched in 1999, is the most popular smartphone among business users.

Ordinary people begin to embrace ultra-portable netbooks for lightweight computing. The move to mobile is probably the most noticeable trend in end-user gadgetry in this decade.
Continue reading “Happy New Year!”