So, I see a lot of wittering and gnashing of teeth about online age verification laws. Both in general and specifically as the apply to Linux, BSD, and other open source operating environments. I want to talk about some practical issues around what technology will have to emerge to make them "work" and how easily even moderately technologically aware people can, to be blunt, screw the laws over.
And I want to propose a new fashion that might, just, catch on in the next few years.
What is going on
A few juristictions (including Brazil and California) have passed legislation pertaining to online age reporting and many other jurisdiction seem to be following suit.
Allegedly these are intended—as so many, many bad ideas have been in the past—to Protect The Childred (tm).
They're not going to work any better than content labeling of music, the v-chip, or video game content rating (just to name a few) did1. I recall a time when every stand-up comedian seemed to have a bit about how parents would have to get their seven-year-olds to program the v-chip just like the kid was the one who set up the VCR. But hey, we have to do something and this is something so obviously we have to do this. Not that I'm depressed by how predicatable all this is or anything.
Why it's weird for open source
There are a few of things going on here. One is strcutural, one is philosophical, and under all that is brute technological fact.
Structural
While Windows, MacOS, IOS, ChromeOS, and Android2 are controlled by large coorporate entities that decide what their customers get to install, Linux, BSD, and other open source operating system are, in principle, fully under control of the individual installing them. The weasle words are in there because few people build out their system from raw parts: they mostly use a distribution, which does have a central point of control (though many offer much more customization that the you get from Apple or MicroSoft).
This is not a funcdametal issue; the kernel and or the encrustation of supporting code could feasibly (I won't say "easily" because I'm not the one programming it) be altered to support the requirements of the laws. And those changes could be incorporated in upcoming distribution releases and make their way out to the mass of users.
But it's not like there is one place to go to try to enforce this decision. Or even ten places. Keep in mind that even if some major distribution (perhaps Ubuntu) were to comply nothing stops a downstream re-packager (say Elementary) from removing, disabling or defanging that support. More on that later.
By the way, there are litteraly scores of distributions originating on all the inhabited continents and from various points in Oceana.
Philosophical
As a generic term "open source" covers a lot of ground, but central to the that nebulous mass broadly known as the open-source/free-software movement we find Creative Common, the Open Source Iniitive, and the Free Software Foundation all of which of are organizations with some money, rather more precisely specified definitions, and some very strong opinions on matters of software control and human flourishing. And they're not the only ones. In fact the space is just crawling with various NGOs that provide legal support, lobbying services, publicity, and (obviously) software packaging.
The whole "the government is telling you how to build your software" thing isn't going down well. You may expect resistance at many levels. Anyone else own a DeCSS shirt?
The foundational reality of Open Source
Programmers program. In one sense that's a tautology, but it has profound implications.
Before delving into what it means for this issue, let's just talk about what it means for organizational cyber security. My employer has recently gone through a series of IT security exercises in an effort to lock down all the possible cyber threats. And they have a problem: what programers do on a day to day basis is indistinguishable from a large class of threats. We create new executables not known to the system and run them. Often dozens of times a day. And that is unavoidable: you can't have the benefits of what programmers do without having the relative chaos of programmers at work.
Similarly, you can't have open source and still be confident that everyone
is running the nannyware you insist on. Remember that I said a downstream
distributor could strip-out or neuter a reporting facility installed by an
upstream provider? Well, in principle every single user is a downstream provider
with that same capability. Worse, capable programers can provide tools to enable
less capable people to perform the necessary
modifications. Indeed, Ageless
Linux is already pushing back against early complinace efforts on the part
of systemd (the dominant, but often derided, init system on major
Linux distros).
Legal aside
I think the intent is that anyone modifying the softawre is the "Provider" that the government enforcers can go after, but if that's just a couple of techy parents who don't want their machine identifying their minor childern to the wider internet, there is a "parent's rights" argument to hand a political and legal challange on.
But ... talk to an actual lawyer in your actual jurisdiction with actual expertese on the legal system you actually might be picked on by before counting on that kind of thing. K?
Speculation on implementation and countermeasures
From ten kilometer altitude, communication between a user's machine and a software store or other endpoint that might want to use a age signal can take one of two forms, and one of them is harder than the other for actual installed systems. You see, one machine has to initiate the conversation, and if that's the store's server, then many home and corporate firewalls will drop the packets on the floor.3 For that reason I suspect the industry will settle on a strategy where the user machine asks the server for a one-off token, hands that to a local age-reporting API which cryptographically mixes it with the answer, and the mixed data is then relayed back to the server for decoding. There are other things they could try, but they're all pretty fragile.
Anyway, on Linux the bit that builds the reply would either be built into the kernel itself or in a kernel module, but either way a savy user will be able to disable them. Then they just substitute a dummy system that respects the protocol, but always returns a least-interesting answer to every query (Yeah, this user is of age. Trust me.).
What Ageless does is more than that: it removes the infrastructure and storage that could be used to respond, which is a good thing, but the above is enough to stop making meaningful responses. And I'll bet a bottle of scotch that the dummy responder can be constructed with code that will fit on a t-shirt.
Intent
I'll write the thing as soon as the spec is available (or grab someone else's if it's avilable, because I'm not stuck about this sort of thing). And then I'll be printing shirts. And maybe hoodies, too. You never know.
1 Which is to say that (a) the kinds of parents who take the trouble to monitor their kids' media consumption will have another tool while other kinds will completely ignore it and (b) the kids will not only find ways around the tech, they'll use the system to advise them where the "good" content is.
2 Android is a little weird, because while Google (whatever name they're going by now) controls the system, many devices ship with manufacture customized versions. But it is still the case that there is a corporate entity for the government to go after.
3 And maybe report them to an intrusion detection system, but that's not really relevant here.
No comments:
Post a Comment