Chatting by Telephone

November 16, 2018 - Reading time: 3 minutes

The main developer of the Conversations app has launched a new chat system called Quicksy. It's a minor variation of the Conversations codebase which uses a centralized closed source XMPP server, has telephone numbers replacing usernames, uses SMS and depends upon the Android contacts list as its roster. It actually uploads your Android contacts telephone numbers to a centralized server.

Basically it's a Signal-a-like, but XMPP and without the video or audio capabilities.

Why do I care at all about some proprietary thing, you may very well ask. You're right, probably I should just ignore this. The main thing that bugs me in a Columbo-like way is that it's coming from the same developer that I otherwise had some amount of confidence in. The thinking behind Quicksy is so mistaken, even if the aim is something simple such as "increase the popularity of XMPP", that I'm beginning to wonder whether continuing to use and promote Conversations is a good idea. I even started to think the unthinkable: could I develop an XMPP client for android myself?

I'll let that slide for now and carry on using Conversations, but block the Quicksy server (which presumably is just ejabberd with modifications). One thing I really don't want is people sending me their telephone numbers as JIDs (i.e. username part of XMPP addresses). That just creates privacy leakage which could end badly. Developing an XMPP client would be a vast amount of work, and is easily a full time job for at least one developer.

Using telephone numbers within chat applications isn't advisable. In some places in the world if you have the wrong telephone number, or a particular telephone number in your contacts list, then a flying robot will drop a missile onto your house or onto your wedding. You don't even need to be a terrorist for that to happen. Just someone who bought the wrong refurbished phone in a local shop, or a friend or relation of the person with The Telephone Number. Machine Learning can make a lot of spurious linkages. Maybe you attended the same church or shopped at the same store. There are also plenty of other threat models including phone numbers. If you're trying to escape from an abuser is publishing your phone number to anyone who can read your JID a good idea? I would guess not. What about if you're an immigrant? I assume that in most cases the Android contacts list is not secure and is probably known to Google (via default cloud backups) and the ISP. And then there's the whole IMSI thing with SMS. There are of course very similar issues with Signal.

The usual retort of the developer of such communications apps is that anyone with a conflicting threat model must be excluded and is not welcome in our system. As technologists, is this what we want?

Freedom is a constant struggle. There are no ideal solutions and technology cannot fix all problems. Sometimes the same battles have to be fought over and over.


Unmotivated by Doom

November 14, 2018 - Reading time: 2 minutes

Earlier I watched some of the talks from the Freenode Live conference - especially the ones with Leslie Hawthorn, Bradley Kuhn and Simon Phipps. Much of the message here seemed to be quite doomy, and it appeared to me that the general idea was that Free Software had peaked some years ago and had now been coopted by big companies or was in decline. Also that Free Software communications systems are failing to keep up with proprietary chat apps.

You do realize that WhatsApp is really just a closed version of XMPP, right?

These people do have good points and know what they're talking about. The engineering, political and legal problems do all exist and are concerning. But I'd caution against a message of despair because that doesn't motivate anyone to do better. Also things may not be as hopeless as they appear and doomy stuff can be quite demoralizing. There is more Free Software being written than in the past and at least some of it is high quality. Free Software communication systems are actually succeeding in a significant way in the fediverse, despite detractors in the mainstream technology news claiming otherwise. It might be true that IRC and Freenode is in decline (although I'm not sure about that) but other communications systems like Matrix and Mastodon are appearing and seem to be doing well.

With Simon Phipps comment about "what does freedom in the cloud look like?" he might be unaware of the current status of projects like FreedomBox and Freedombone. When choosing apps to be included in Freedombone I'm not encountering any situation of decline and quite the opposite there are a growing number of decent apps which can be inexpensively self-hosted and are usually AGPL licensed - respecting user freedom while also being kryptonite to companies like Google.

Anyone who has met me IRL knows that I'm not some happy-clappy person, but I think Free Software needs a more positive message than the talks I saw earlier. We need to celebrate the victories in addition to lamenting the bad legislation. The big tech companies have a lot of money and lobbying power, but when you compare their apps to what it's possible to self-host the value which they deliver is quite marginal and it might not take much to shift things in a different direction.


Centralization isn't the only problem

November 7, 2018 - Reading time: 6 minutes

I was reading a blog post which seems to me to present a straw man argument:

I’ve had many conversations recently with very well meaning people who believe that if we just decentralize everything, it will fix the internet—and perhaps all of society! Decentralize social networks, decentralize money, decentralize the world…if only it was so simple. This is the “magical decentralization fallacy” — the mistaken belief that decentralization on its own can address governance problems.

I don't think there are any such people and if there are I've never encountered them.

Centralization is the biggest problem on the internet today. It's not that the internet was ever highly decentralized, but especially over the last ten years or so it has been becoming much more centralized than ever before, such that a few companies control a lot of what goes on and have really disproportionate influence. You know who they are. It's Google, Facebook, Amazon and Twitter mainly. The introduction of cloud computing in the late 2000s meant that organizations stopped running their own servers and employing local sysadmins, and a lot of that was taken over by a small number of gigantic data centers who now act like the storage and computing brain of the internet. This degree of centralization has political and economic effects which are now hard to ignore. It's essentially a return to the old Compuserve or AOL model of the mid 1990s, or the even earlier era of mainframes and dumb terminals.

But the blog post is right in as much as that centralization isn't the only problem. There are problems at every level of the protocol stack.

In the "good old days" the web was made out of standards. Those standards were defined by W3C. But when we examine actually existing W3C, as opposed to the rose-tinted view of it in the Silicon Valley histrionics, we find that it's just a corporate club encamped by the usual suspects and that it in no way represents - or even makes any effort to represent - "the people of the internets" at large. The standards produced by W3C represent the interests of its corporate/academic members and nothing more than that. This leads to problems where for example things like browser DRM gets pushed through and the rights of billions of people worldwide are trampled because a couple of companies want to maintain a particular business model.

Beyond web standards you have the proprietary protocols of various chat apps which make the days of W3C dominance look like a picnic.

Then there's encryption. The lamentable state of internet security is so comprehensive that it would be difficult to enumerate all of the problems here, but just as a first pass the name system that we all use most of the time (DNS) remains unencrypted and routinely exploited by governments for censorship. The Certificate Authority system was designed in the mid 1990s at Netscape "in a series of 4am decisions". I've yet to find anyone who genuinely trusts all of the CAs in a typical web browser, which includes entities like the Chinese government and some companies with the lowest ethical standards you can imagine. Also decades after its invention there remains no commonly deployed encryption standard for email. Many fine words have been uttered at tech conferences but not a lot of rollout has happened. This has very real consequences in terms of loss of privacy and ultimately loss of freedom, and again its because business models are taking priority over lives.

And then there's community governance. For me, Twitter is the ultimate example of online community done wrong. There's a lot of interesting news published on that site, but the human interactions there often resemble a bar room brawl in a spaghetti Western. Centralization is part of the problem but advertising, optimizing for "engagement" even if that really means "fights" and lack of meaningful controls over who you interact with or what information you share all contribute to one of the worst social experiences which the internet has invented so far. I'm still on Twitter, but some days I wonder why.

There are many other problems and those listed above are just the preface of what could turn into a substantial tome. The traditional remedy is "digital detox" and although that might be ok for some of the people some of the time it's becoming an ever less viable suggestion as the distinction between online activity and IRL becomes hopelessly entangled.

As an alternative to decentralization, a Facebook constitution could leave Facebook as a monopoly. This does keep “the power of violence” (e.g. online policing) centralized just as it is in the physical world but it can also put structures in place to prevent tyranny.

I think constitutional centralism would be the worst of all worlds. Constitutions don't work in politics and are heavily criticized as being ineffective within online communities in which the "code of conduct" is the closest analogy. Constitutions only really work in small, decentralized, communities of active participants in which every member is able - and more importantly willing - to take direct action to uphold the code.

The worst sort of constitutionalism is the sort of thing that we've seen recently from Tim Berners Lee - the "Contract For The Web". This is guaranteed to be ineffective from the outset and is really just a kind of corporate spin-doctoring to paper over the many problems which the internet has. Just telling companies and governments to "respect privacy" isn't going to work. The problems are a lot more complex than that and need smarter solutions.


Deciphering Microsoft

November 3, 2018 - Reading time: 3 minutes

Microsoft isn't as big as it once was. In the last decade we would obsess over their desktop hegemony and underhanded dealings, but these days not so much. Microsoft missed the boat with regards to mobile. They never entirely grokked the internet and are only recently trying to make inroads into the cloud.

My tepid take on the state of Microsoft is that they're going to be all about the cloud in the next few years. I expect Windows to become freeware or adware and to be a thin client operating system with minimal onboard processing. Anything that matters will happen in an Azure cloud and Windows laptops will be remotely managed clients, reminiscent of the days of mainframe computing. Users will be able to change a few settings, but other than that all of the software maintenance will be handled centrally.

So why did they buy Github? Was it to finally assassinate open source, their hatred of which was famously outlined within the Halloween documents?

Actually, subsequent to the Ballmer period, which ended four years ago, I think they're following a different strategy. The Windows desktop operating system is now legacy, and not their main focus. The new business model is going to be about telemetry and pushing targeted ads from the cloud to the desktop. That means they won't open source Windows but they'll try to cut its maintenance costs to the bare minimum. If they open sourced it then they'd lose control of the telemetry and ad delivery pipeline. I think the way they're going to reduce maintenance costs is by using as much open source software as they can, where they're not paying the developers. Note that here I'm using the term "open source" deliberately and not "Free Software". Owning Github puts them in a good position to do that. They can nudge things towards Azure over time in a slowly-slowly frog-boiling type of strategy and generally "communitize the community" in a Windows direction.

In the coming years I expect that Microsoft will do with Windows what Canonical has done With GNOME after Unity. An increasing fraction of the desktop OS will be maintained by the open source developer community at large and not by Microsoft. Privatize the benefits, externalize the costs. So open source, or even Free Software, is not the same kind of threat to them that it was during the Gates/Ballmer era and it may even be considered a business-critical ally.

You could object that this strategy is all about centralized cloud systems and that it fails to take into account that there is an emerging decentralization trend.

I think the decentralization trend is not quite what it appears to be. In most cases you'll find that what is decentralized is the software only and that the physical computing remains centralized within giant data centers. So even if we are entering a federated era based on ActivityPub or some similar protocol the Azure strategy would still work for Microsoft and wouldn't change their profitability much. If their Windows desktop client becomes thin enough it may also be suitable for mobile.


Integrated Search

October 31, 2018 - Reading time: ~1 minute

Internet search is such a fundamental function that in an effort to make it easier to get out of the habit of just using Google all the time I've moved the Searx metasearch app to being part of the base system of Freedombone so that it's installed by default. When you navigate to the web interface there is now a search bar there, or you can use http://freedombone/search or the equivalent onion address for the web interface.

Outgoing search queries are routed through Tor so that you have a reasonable level of privacy. Metasearch isn't a complete solution to the problem of searching in a decentralized architecture, since it merely sends out your query to other search engines. You could call this a less centralized approach which does a better job of avoiding privacy problems.


Cover Image

Pi-Hole on Freedombone

October 23, 2018 - Reading time: ~1 minute

The ad blocking system called pi-hole has now been integrated with the new web based user interface of Freedombone. This blocks ads at the DNS level on your home network. It's not perfect and doesn't block all ads, but it does help to improve the user experience and speed of browsing the web. One thing I notice in particular is that it doesn't block ads on YouTube, and that Google has been adopting devious ways to avoid ad blocking by using randomly generated subdomains to serve advertising content from.

For a long time I didn't really care about ads and the internet didn't depend highly upon them. Then I distinctly remember the occasion in 2007 when my web browsing experience went from having discreet banner ads which I didn't care about to having actually offensive ads shoved in my face in a highly disrespectful manner. From that time onwards I started using browser based ad blockers, and then eventually pi-hole.

Pi-hole has its own web based user interface, but I've made no attempt to integrate that into the Freedombone web UI. That's because it requires logging, and from both a security and a performance perspective I'd rather avoid any additional unnecessary logging. If you're running on a microSD card then writing the minimum amount of things to disk is important because I/O bandwidth is low and the disk itself wears out eventually.