political software - III

radical networks - nyc - 2016

This is the third of a three-part post (on top of an introduction).

The first part looks at protests as a historical phenomenon, and attempts to highlight features that seem to form the common basis of successful political protests. The second part focuses on today's use of software for protest, while the third part looks at potential avenues for how software could be used in the future.


- - -

THE POTENTIAL FOR POLITICAL SOFTWARE


So what I’ll do here is outline some relevant examples of how I think software is being used in interesting ways for political protest, or could be used, along with some technical features and legal implications.

But first of all, why do we need software tools? Right now, software is used almost always in creating networks, and that integrates very well with existing networks, so what are the other network tools that we can develop to complement what is already there?

Can software remediate to the weak parts of today’s political actions? Can it build legitimacy, can it contribute to informed consent? Can facilitate direct, targeted and disruptive political action? Maybe it doesn't actually work, maybe the best thing is still face-to-face communication, but this is still uncharted or un-publicized territory, so it is worth looking into.


WHAT IS SOFTWARE GOOD AT?


First of all, it lowers the barrier for expression, it lets anyone say something to potentially the rest of the world. It also allows for real-time adjustments. It's easy to say something to a lot of people, and to do it really fast. And this is what software has been used for so far. That is the whole ecosystem of websites, blogs, social media, alternative press, collaborative platforms, wikis, etc.

But here are some other things software is good at:

Monitoring is a comparison mechanism. You give it a desired state, and you feed it data related to that state, and software tells you when it’s out of bounds. I’m not talking about cybernetics, I’m not talking about adjusting. Just watching, relentlessly and simply firing an event when some conditions are met.

Interfacing is allowing two things to communicate which are not exactly the same. A lot of things can be interfaces: a parliament is an interface between executive power and the people. Software allows for a seamless interface, though. Once it’s set up, it runs pretty much on its own.

Intercepting is a corollary of monitoring. When you see something, you act automatically upon it. You decide what to look for and what to do, and then you make the software run.

Scaling is the ability to do one thing one million times. If you have one data structure, you can theoretically have a million of them. You can add a massive multiplier to whatever you do and scale at which you operate becomes much, much different.


MONITORING


The monitoring part is being able to follow a flow of data, see discrepancies, flag them whenever that happens, and raise an alert to the user. it’s not proactive per se, but it’s the basis for action, it’s informed consent which then leads to legitimate action.

This is actually anticipating the non-violent protest. Because preventing is better than curing, these kind of monitoring tools allow citizens to avoid having to become protesters. They constantly provide feedback to their legislators, upholding the network that was created on election day. And the network is targeted to their most official leverage point: their representative, and the institutions they serve.

Targeted advertisement is so powerful because it’s targeted, because they know who they are talking to. Politicians are also using targeting tools to make the use of their resources when campaigning. So protesters need to have that information to start with. All of these micro-interactions enabled by monitoring, short feedback loops, small tweaks is characteristic is power systems that have been forced upon citizens for almost a hundred years, now.

So if government and corporations are so adamant on monitoring us, we can also monitor them. Legally.

That’s what happens when you don’t monitor things:




Space capitalism.


Votesmart is actually everything you can think of.


INTERFACING


We need to start interfacing with the people we protest against.

A government is a system which interfaces with the people. Sometimes it’s slow and annoying and messy, and that’s called bureaucracy. There are parts of it that are exposed (a street-level clerk) which allow you to reach other parts (a secretary). The task of changing bureaucracy, or making it more bearable, is a daunting one. However, simplifying the digital interface of a government is much easier.

That relates to the petition problem. If the petition is a request, what endpoint does it hit? what are the digital interfaces with government, and how can we optimize them?

Here are some ways to interact with the government: contact forms, email addresses, phone numbers, petitions, publications.

The added value here is making it easy to interact with institutions. If it becomes as easy to reach a representative as to click on a change.org petition, then at least we can make sure that we’re talking to the right person. Instead of an algorithmic echo chamber, we can direct the streams of information, from the protesters directly to the protestees.

Almost all the studies on voting and electoral behaviour say that someone who calls a neighbor is 100x more efficient than someone who clicks on a link. And, so far, software can’t emulate a human mind. Ao the next best thing is to make it as easy as possible for an existing human mind to hit where it is supposed to hit. You’re giving the means to act, and not just to react.

Direct engagement shows the politicians that people care, and in this world where our political systems are slowly losing, it is more important than ever to strike a balance in the facilitation of the process. In my opinion, the online petition model goes too far, facilitates too much, but how easy is it to set-up several phone numbers, which can broker the connection between you and your representative?

Half of the work is actually dialing the number. If you have a website where it automatically brokers a connection between the protester and the protestee, you’re doing the maximum amount of the work you can do as the developer, and leave the rest to the citizen?

And then that would imply best practices for talking on the phone to politicians/elected officials. This is where we start interfacing with other NGOs, who have been doing that for much longer.

And it’s not just using what is disclosed on website in terms of communication information. It’s actually even legal to get information from a computer, as long as it is not for business competition, and employees are free to disclose email addresses. The person who hacked into Gov Palin’s email account was convicted of some things, but was not convicted of leaking an email address. The question is always unauthorized access. Logging in the email account is unauthorized access. Sending emails to that email account is authorized access, because there is no “confidential” email address.

So you could also set up a phonebook / emailbook for the contact information of political and economic representatives.


INTERCEPTING


So if monitoring lays the groundwork, and if interfacing is the legal kind of protest within existing structures, this is where it gets more aggressive.

If something wrong is going on, if we’re disagreeing post-legal decision, then we need to intercept the public’s attention and raise awareness. The difference between the street and the internet is that in the streets, you can hopefully target anyone who’s walking by. On the internet, you can’t intercept someone who’s walking by. It’s getting harder and harder to do that online. You have algorithmic echochambers that are being set-up all around which actually prevent you from disclosing information to a broader (non-agreeing) audience.

So \ the way people used to grab attention was by setting up picket lines. Whatever was going on regarding a particular entity (a store, a corporation, etc.) you could stand in front of it, and provoke a direct correlation between what you had to say, and who was targeted. This doesn’t work that much anymore, because if you protest against one T-Mobile store, there are hundreds of other stores customers can go to and not worry about what you have to say.

So picketing is intercepting traffic. And how do you intercept traffic with software?

Here is an extract from a description of a BLM protest:

“The protesters who willingly ventured out onto such a roadway last week disrupted more than traffic. They challenged the idea that highways exist somehow outside of us, in a theoretical space that doesn’t have to do with human interaction, with people’s words and faces and feelings. They made the invisible visible. They demanded that, if only for a moment, we stop and look at where we are. In that way, what they did was truly radical.”

Public space was one of the spaces we could grab information, but it’s now slowly disappearing -hence all the initiatives to “re-create communities” all around the world. Not that these are bad, but we can also intercept traffic in a different space, and make people understand that the information they are accessing is not innocent, not removed from physical problems.

If we consider websites as places where we gather, can it become possible to raise issues on these platforms? Can we intercept traffic, the same way we intercept attention, to raise awareness about some issues?

This sort of action is currently called a man-in-the-middle attack, and I’ve never seen it used for political action. Whenever someone wants to access a webpage on a public network, you give them your complaint.

The law is very clear on how closed/controlled picketing is.

“You do not have the right to block a building entrance or physically harass people. The general rule is that free speech activity cannot take place on private property, including shopping malls, without consent of the property owner. You do not have the right to remain on private property after being told to leave by the owner.”

Since every website is hosted by a “private machine”, then all the nodes on the internet are private, therefore legally out of bounds. However, there is no limit to intercepting traffic on a public network, so packet sniffing is fair game. That was actually decided when Google was sniffing away public networks when they were mapping out Google Street View.

Federal law makes it illegal to intercept electronic communications, but it includes an important exception. It's not illegal to intercept communications:

"made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." Section 18 U.S. Code § 2511 (2) (a) (i) also states: “It shall not be unlawful ... to intercept ... while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service.”.

The Computer Fraud and Security Act only focuses on “gathered data”, and even more so if it is unauthorized. Not on intercepted data on authorized networks.

And, coincidentally, public wifi is becoming more and more of a thing. Most public buildings have a “guest” network.

So you could set up your own wifi access point, and that access point would scan automatically the possible devices you can connect to, and offer to connect to your network, incidentally exposing the information you want the public to be exposed to.

The problem that remains, then is deploying such attacks, because you need to be physically on those networks. Which seems like a problem for hackers, but it’s not a problem for protesters. The point is to actually be known. The point of the protest is to be physically present. If you are there, you are OK with being caught, you are OK with the sacrifice that goes with it.

Private wifi is a bit trickier, because you could argue that you’re taking the bandwidth of someone who is paying for it, and therefore you can be accused of theft. But if you are the owner, you can do whatever you want. It’s trickier legally, but it’s exactly the same from a purely technical standpoint.

So what is the target of the protest, here? The target is actually the public. What you’re protesting against with this kind of tool is both the actions of a given entity (the same way picket lines do), and at the same time helping the legitimization of your cause by providing information to the public.

Intercepting traffic is a very old form of protest. Intercepting digital traffic is still uncharted territory in terms of protest. So what would that software look like?

You know when the user requests a page. You provide an addition to the browsing content. It could be a pop-up, or even just a

that doesn’t harm the navigation of the website, overlaid on top. Users could actually mistake it as an ad (is that a good thing or a bad thing?). You could have it show up once, or show up on every page, or just on specific websites. An activist organization could choose to set-up the tool however they want, and then deploy that tool wherever they want, either through personal computers or things like the raspberry pi.

You can also let your users opt-out by setting an inoffensive cookie, stating that you do so, and then having your script always check for that cookie. (but still, in real-life protests, the only way to get away from the picketeers is to walk away, so…).

And where could that be applied? Public wifis at private universities, city halls, banking headquarters, airports.

So how is it proactive protest? You’re creating a network by way of having users connect to you, and relating. We’re assuming you’re holding a legitimate claim against the institution, the network holder that you’re protesting. You’re making a very direct connection between the person you’re complaining against and forcing acknowledgment of the issue.


SCALING


So, for the last part, let’s look at scaling. Software is good at scaling. scaling is the theoretical ability of software to the same thing on a scale of 1 and on a scale of 1 million. If we look at active disruption, where does scaling stand?

In classical protests, the thing that depends the most on the number of people is physical disruption. The most protesters you have, the bigger the disruption. You block one street, or the whole city. You block one floor of a factory or the whole building. The most radical resort of protesters is denying the use of resources to the protestees. In physical form that’s a blockade, a sit-in or a strike. Historically, a strike was stopping the means of production in order to force the owners of the company, the capitalists, to negotiate with their workers. Workers would assemble, under a union, to protest for their rights. They had a way to pressure the system. There was no actual destruction of property. When there was destruction of property, the army or the police was called and seized the protesters. It was just retention of wealth.

In some ways a Distributed Denial of Service is like a sit-in. A DDoS is a large number of requests being sent to a single server. Under the load, the computer crashes. It cannot perform anything while down, either serve content, or serve emails or serve files, rendering it useless. Both, at their conceptual core, consist of overutilizing scarce resources (in the former, server cycles; in the latter, space at a counter) to exclude others for political effect. Both are nonviolent but economically painful. And both can have a political character that might contextualize the offense.

DDoS is also a way of publicly halting the means of production. When an email is the most productive tool around, what happens when enough people shut down an email server? Wconomic loss, and a means of pressure. Some DDoS attacks have been used for political protests, but they are incredibly limited. I found 3 in the last 20 years, even though their efficiency is widely acknowledged by people who want to protect their networks (sysadmins) and people who want to protect their business (corporations)

That actually happened in the case of Pulte-Holmes vs. Laborers’ International Union of North America. Someone was fired, the laborers started a DDoS attack on the company’s email servers. and the company filed a lawsuit under the Computer Fraud and Abuse Act, with the most important clause being that someone is guilty if he or she:

“knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;”

The Sixth circuit Court of Virginia held that the union was guilty under the CFAA for interfering with the proper functioning of software, but it also held that, by filing suit so quickly after the denial of service campaign began, Pulte failed to comply with Section 8 of the NLGA, which prohibits a court from granting an injunction "to any complainant who has failed to make every reasonable effort to settle [a labor] dispute …by negotiation." The court concluded that Pulte did little or nothing to attempt to settle its dispute with LIUNA. Instead of defending the reasonableness of its settlement efforts, Pulte attempted to avoid this procedural requirement under the NLGA by arguing that many of the phone calls and emails contained threats of violence and destruction of property. But the court concluded that LIUNA’s members merely committed "nonviolent, albeit harassing, business disruption."

So the ruling ended up saying that it is illegal to send too many emails. on the one hand, you’re on the wrong side of the law. on the other hand, you’re actually harming the company and making your voice heard. as a matter of fact, the ruling specified that the company should have settled first in order. this forces negotiation with unions. so clearly, the corporation saw that as just a destruction, but the court also saw it as a leverage tool during a political struggle.

But on the other side of the pond, some courts have upheld DDoS actions as valid free speech.

Andreas-Thomas Vogel is an activist and website administrator for the Libertad, an advocacy group criticizing as “inhumane” Lufthansa’s policy of letting the police use its planes for the forced deportation of asylum seekers. In 2001, he organized a DDoS event using a tool which was a derivative of FloodNet -another DDoS tools developed for political purposes. He was ultimately acquitted by the Frankfurt appeal court in 2006.

Lufthansa's lawyers had filed a lawsuit claiming that 1.2 million hits caused unspecified economic damage. He was originally found guilty to 900 euros fine (and a criminal record).

So in some countries, DDoS is being recognized as political protests. In the US, not so much. The problem that I found in the US is actually the endless appeal system, until you reach the Supreme Court. On every circuit, the counts of fraud can pile up so fast when charged within the scope of the CFAA that ist is almost always better for defendants to settle (like the 14 people from Anonymous that were charged with disrupting the operations of PayPal). Defendants always plead guilty before any court has the chance to rule over the case and make jurisdiction.

So strike have been somewhat legalized. It’s a constitutional right in some countries. It’s somewhat limited in others. Only in “dictatorships” is it outright prohibited. Everywhere else, it is recognized as a form of protest, and not just an act of destruction. It’s very limited in the US, though, so I don’t know what that says about the dictatorship of money...

At first glance, it’s hard to see it as a tool for protest. It’s heavily used for violent means, which means that the communication around a ddos attack is very much geared towards antagonistic, unilateral purposes. it is meant to hurt, and hardly to discuss constructively. It’s criminalized. yes, it could be a problem. and it’s actually an ever bigger problem because the CFAA is very very very very loosely applied, especially on a federal level, helping criminalize anything remotely related to a computer. It’s invisible. that might be the potential problem. the network is great, but the network needs a face. it needs something to talk for it and express its condoleances, instead of just tweets. And, finally, a tool can always fall into the wrong hands, and the developer of that tool can be prosecuted if anything happens because of that tool.

For further reference, I highly recommend The Coming Swarm by Molly Sauter.


HOW DO WE MAKE A DDoS MORE LIKE A STRIKE?


  • - do not use a bot net
  • - users act directly
  • - integrate an identical political message in each request
  • - provide a specific target (possible hardcoded)
  • - provide a public timeline of the attack
  • - include terms of use
  • - discourage anonymous participation


The tricky part in the CFAA is the “intent”. If the intent is clearly stated that you want to communicate your grievances, nothing prevents you from doing that. What harms is when the system itself is targeted. So you could theoretically focus on communicating to specific people, for example by asking that everyone inputs a custom message to the email, or providing templates to be filled by the user, and, as a consequence, shut down the email server. And even if you don’t shut down the email server, the amount of communications generated stands for something.

But then, really, now that you have smartphones and an explosion of demographics, all you need is smartphones and word to mouth.

How would a ddos during a protest look like? Everybody has a smartphone. Everybody can log in to a website with “terms of use”, recognizing their legal responsibility. Dedicated URL to hit, and nothing else. Only happens during the protest (time and geolocalisation).

And you can actually bypass that. You don’t need to distribute a tool to make a DDoS happen during a protest. Everybody has a email. And everybody comes through the protest via some sort of information. While they are registering, or meeting, you can tell people to send an email with a massive attachment.

In regards to the CFAA, the only harmful code used here is email. And everyone is responsible. So yeah, theoretically they could ban emails and fine everyone. But that would be a victory in my opinion, because it could be done again, and act as a leverage point for the protesters.

In order to do physical harm, the crowd is still the most important. The technicality of the tool is no longer the most important. It is how you present it, how you contextualize it, how you legitimize it



- - -


At the end of the day, networked technology, social media, neo-capitalism themselves are not actually directly responsible for the inefficacy of protest today. The problem is not only that protest did not evolve on par with systems of power, but they also seemed to be disserved by an over-use of a specific kind of software, and a mostly re-active use of software. It is our use of the available technologies that, in my opinion, is not optimal.

The problem is (1) being content with what we have. Social media presence, permits to go out on the streets, passive broadcast of information (a.k.a the path of least resistance) gives us the illusion of accomplishment but is a meaningless action and, (2) isolation. most of those tools are directed at specific issues that concern software developers -privacy, freedom of speech, etc. Very few of these tools are connected to other issues, or actually re-useable by others, and none of them are re-usable by non-developers, -they live on their own websites, their own world, and don’t take advantage of the fact that they are within a network.

The most praised software tools today (social media and petitions) are actually not that efficient, and quite detrimental, and we’ve taken a look at some things that are already developed, that are in current development, and how they could also be improved.

Here are some things to keep in mind when we think about software protest:

  • - Monitoring turning surveillance tactics onto the surveillors,
  • - Facilitating to the maximum contact between the government and the people,
  • - Capturing the public’s attention in a new kind of public space,
  • - Causing targeted, effective, but legitimate physical disruption.

All of this still is very much on a theoretical level. To me, they make sense, and I think it would be a great addition to the toolbelt of political activists if they existed. However, we won’t really know until they’re as widely spread as social media and online petitions, so they can only benefit from a wider adoption, and more contributions from our community.