Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-05 Thread Seb35

I don’t see precisely how mandatory HTTPS could help spread the knowledge;
accordingly if users feel themselves spied and it prevent them to
contribute, yes, HTTPS helps; but if others feel cluttered by HTTPS (time
load, unfriendly firewalls, various problems), it could also lower the
number of editors.

On another side HTTPS is quite useless if users click-through any warning
(You are spied.: Ok/close me that ad → privacy education); anyway
encryption and code breaking is always a cat-and-mouse play, and we sould
have to carefully monitor state of the art if we really want to protect
the users; but imho it’s not our vision.

For HTTPS, I would like to see the users opt-in to the security they want:
e.g. if they write about intelligence, they probably know the dangers
about being spied and want minimize it as part of other means; if they
write about butterflies, perhaps they don’t matter about being spied. For
specific-rights editors security could be enforced, but possibly with
other means than encryption; e.g. if an oversight has to hide an article,
it is primarly needed to be sure the user has oversight rights
(authorisation), and it is not really useful to hide what article it is
(it was public). Accordingly for checkusers, we want the IPs stay private
(encrypted during the transport). This point is: HTTPS is not the solution
to all problems.

For HTTPS I see some security levels chosed by the users: no HTTPS at all
(Chinese users), equal HTTP/HTTPS (butterflies editor), prefered HTTPS
(privacy-conscious editor, but travelling to China regularly), always
HTTPS or nothing (intelligence editor). And this could be also implemented
for readers during their session. This option is politically neutral, it
just let the user choose.

Sébastien


Le Tue, 03 Sep 2013 21:38:36 +0200, Terry Chay tc...@wikimedia.org a
écrit:
This part of the discussion has strayed a bit far from the politics of  
encryption. ;-)


Not that it doesn't have value, but if I can bring it back on-topic for  
a moment…


The gist of the HTTPS issues is that it's simply not an engineering  
discussion, it's a political one. The abuses recently revealed in the  
United States is either orthogonal to the issue of the politics of  
encryption (in that HTTPS encryption in China, Iran, and the future is  
in discussion), or is the direct salient (in that it is a prime  
motivator for accelerating HTTPS rollout which has triggered this issue).


I, for one, would like to see the discussion of what to do. I'm of the  
believe that there is no simple engineering decision without introducing  
practical, political, legal, and moral complications. I suspect that  
even the more clever or complex ones also introduce these issues. It's  
important to outline what our choices are and the consequences of those  
choices, and derive consensus on what the right choice is going forward,  
as it is clear what we have now[1] is a temporary band-aid.[2]


I'm less sanguine about Erik's suggestion that creating a deadline to  
HTTP-canonical will actually get us to an adequate resolution. The  
reason is simply—whatever I think of Google personally—I feel Google has  
a highly-capable, highly-motivated, engineering-driven staff, and they  
were unable to come up with a workable solution. Unlike Google, we have  
a clear sense about what motivates us[3], so we need to figure out how  
best to get there/interpret it.


[1]:  
http://blog.wikimedia.org/2013/08/28/https-default-logged-in-users-wikimedia-sites/
[2]: Maybe start an RfC or other wiki page on Meta with a summary of the  
discussion so far?

[3]: http://wikimediafoundation.org/wiki/Vision

Take care,

terry

On Sep 3, 2013, at 11:50 AM, Kirill Lokshin kirill.loks...@gmail.com  
wrote:


The thing is, it's kind of a crapshoot anyways.  You might see  
something that you think might be classified and report it; but, unless  
you actually have the corresponding clearance yourself, you have no way  
of knowing for certain whether the material is in fact classified in  
the first place.  Conversely, anyone who does have that information is  
unlikely to confirm it one way or the other, for obvious reasons.


To make things even more convoluted, reporting certain kinds of  
material to the WMF could itself potentially be considered illegal in  
some circumstances, since not everyone at the WMF is considered a US  
person for ITAR purposes.


Kirill

On Sep 3, 2013, at 2:34 PM, Fred Bauder fredb...@fairpoint.net  
wrote:



To be fair, none of the people receiving requests through legal@ or
emergency@ have security clearances either.

Kirill


True, but there are not so many of them. I'm not sure if a request  
about
a major matter has ever been made through any channel. In a way, that  
is

kind of a dumb move.

Fred





___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,  

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-05 Thread George Herbert
Theo:

 They even have a Key
 recovery service and it's been going on for a long while apparently, to
 the point that the NSA has been steering the release of encryption
 standards and tools. I suppose that should make the politics of
 encryption a bit less relevant?



No; with Perfect Forward Security it is still entirely relevant, and PFS
has been discussed in the game plan for WMF (I don't recall the status of
the long term security roadmap, but it's been widely discussed on technical
lists here).

It's also entirely relevant with or without PFS for any
less-than-NSA-capable agency or third party attempting to watch WMF project
users.  UK and China may be somewhere up there in capability, for example,
but most countries won't be.

https://en.wikipedia.org/wiki/Perfect_forward_secrecy




On Thu, Sep 5, 2013 at 4:55 PM, Theo10011 de10...@gmail.com wrote:

 So, does this have any bearing on the discussion? -

 http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html

 Or are we just partial to the US surveillance over PRC.

 The article does mention SSL, VPNs and 4G security. They even have a Key
 recovery service and it's been going on for a long while apparently, to
 the point that the NSA has been steering the release of encryption
 standards and tools. I suppose that should make the politics of
 encryption a bit less relevant?

 -Theo


 On Wed, Sep 4, 2013 at 10:09 PM, Erik Moeller e...@wikimedia.org wrote:

  On Wed, Sep 4, 2013 at 7:46 AM, Brion Vibber bvib...@wikimedia.org
  wrote:
 
   I would love to see Wikipedia content made available in China on
 Chinese
   infrastructure operated by a Chinese organization, with total ability
 to
   determine their own security and censorship policies.
  
   But that's what Baidu did and we hate them! you say?
  
   We could work *with* such an organization to coordinate, share content,
   etc, without compromising basic web security for our sites or giving up
  our
   liberal content policies on Wikipedia proper.
 
  I don't buy the argument. Last time I checked, Hudong (now just
  Baike) and Baidu Baike were the main wiki-like encyclopedias
  operating out of and serving mainland China. Both use non-free
  licensing terms, and both are subject to local censorship policies and
  practices. That may include turning over contributors if they post
  content that's deemed to be problematic by local authorities.
 
  At least on the surface, the projects are successful, with millions of
  articles and lots of traffic. I have no idea what the quality of the
  content is, but looking at an article like DNA, I'm guessing it
  provides useful value to its readers:
 
  http://www.baike.com/wiki/DNAprd=button_doc_jinru
 
  Where they are failing to do so, they can improve, if necessary by
  copying Wikipedia content. But the one thing that they _cannot_
  provide, and that a neutral encyclopedia _must_ provide, is precisely
  information of the kind that the Chinese government would censor.
  Neutral information about people, politics and history, irrespective
  of whether that information afflicts a comfortable bureaucrat
  somewhere.
 
  I would posit a different argument. The problem of providing basic
  information about any subject _is_ being solved for by local
  information providers. China isn't some backwater waiting for us to
  educate them about physics and disease control. The problem of
  providing a neutral, uncensored encyclopedia in the Chinese language,
  on the other hand, isn't being solved for by anyone but us. The answer
  is not to water down our security or partner with local information
  providers that allow censorship and are willing to turn over user
  data. It's to find ways to get that information to people, including
  the bits they'd rather have people not see.
 
  Erik
 
  ___
  Wikimedia-l mailing list
  Wikimedia-l@lists.wikimedia.org
  Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
  mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
 
 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe




-- 
-george william herbert
george.herb...@gmail.com
___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Peter Gervai
On Tue, Sep 3, 2013 at 12:23 AM, Fred Bauder fredb...@fairpoint.net wrote:

 Their orders would be classified; disclosure of them would be a crime.
 Not a problem for us, but a big problem for staff on the ground in China.

Indeed, I believe it may even be outright life threatening to have
strong connection to WMF China operation.

And as a sidenote it's the same in the US and the world in general
(and I do not know about the US but isn't it so that WMF can be forced
not to tell about data extraction). And let's face it: https is like a
5 mm diameter wire lock against a skilled bike thief. It is there but
will not stop skilled adversaries. But, obviously, that'd be also
classified, so I haven't mentioned it. Google it around.

g

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Gerard Meijssen
Hoi,

Fred, what is different in your scenario from what happens in the USA ?

Thanks,
  GerardM


On 3 September 2013 00:23, Fred Bauder fredb...@fairpoint.net wrote:

  On 31/08/13 15:17, Erik Moeller wrote:
  It could be argued
  that it’s time to draw a line in the sand - if you’re prohibiting
  the
  use of encryption, you’re effectively not part of the web. You’re
  subverting basic web technologies.
 
  China is not prohibiting encryption. They're prohibiting specific
  instances of encryption which facilitate circumvention of censorship.
 
  So, what to do? My main suggestion is to organize a broad request for
  comments and input on possible paths forward.
 
  OK, well there's one fairly obvious solution which hasn't been
  proposed or discussed. It would allow the end-to-end encryption and
  would allow us to stay as popular in China as we are now.
 
  We could open a data centre in China, send frontend requests from
  clients in China to that data centre, and comply with local censorship
  and surveillance as required to continue such operation.
 
  It would be kind of like the cooperation we give to the US government
  at the moment, except specific to readers in China instead of imposed
  on everyone in the world.
 
  It would allow WMF to monitor censorship and surveillance by being in
  the request loop. It would give WMF greater influence over local
  policy, because our staff would be in direct contact with their staff.
  We would be able to deliver clear error messages in place of censored
  content, instead of a connection reset.
 
  -- Tim Starling

 Their orders would be classified; disclosure of them would be a crime.
 Not a problem for us, but a big problem for staff on the ground in China.

 Fred


 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread James Alexander
On Mon, Sep 2, 2013 at 10:58 PM, Peter Gervai grin...@gmail.com wrote:

 illegally collect personal data about them and *monetize it *or use to
 pressure or
 threaten selected individuals, companies or agencies.


Monetize it?

I am in no way going to defend my government on most of this given that I
think they are doing much of it unconstitutionally and much of the rest
immorally (though I will say that we would/do fight our ass off against
inappropriate demands and that the demands that would be placed on us in
Europe are actually worse so I really wouldn't agree with this supposition
that the US is significantly worse then the rest of the world... though I'd
agree that we're less 'better' then we like to claim) but how do you think
they will *monetize* it?
___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Fred Bauder
Any censor from the United States or European governments that works
directly with us (I have no personal knowledge of this, I just know it
has to be) is concerned with classified information, not someone's
opinions or factual information about historical events or political
personalities.

Detailed information about construction of advanced nuclear weapons or
the details of military or intelligence operations cannot be on Wikipedia
just as child pornography cannot be; on the other hand, a distorted, or
devastatingly accurate picture, of the Iraq War, or Obama, can be.

So, while the details of material removed for legitimate security reasons
cannot be published; in China the identity and any personal information
we have gathered such as the ip address of an editor and the content of
their edits to the Tiananmen Square protests of 1989 article would be of
interest to the security apparatus and classified. Any local employee or
volunteer of ours who shared that information with others even within our
organization could be prosecuted. It is quite impossible to work with the
Chinese government in the manner suggested and maintain a scintilla of
integrity. A request by them to remove details about their advanced
nuclear weapons or specific details of their military deployments would,
of course, be legitimate.

The Chinese government has legitimate reason to avoid extensive public
attention to past errors and disasters; one has only to look at the
history of the Soviet Union to observe the effect of focusing on past
outrages on public morale, but that is their burden to bear not ours to
share.

Fred

 Hoi,

 Fred, what is different in your scenario from what happens in the USA ?

 Thanks,
   GerardM


 On 3 September 2013 00:23, Fred Bauder fredb...@fairpoint.net wrote:

  On 31/08/13 15:17, Erik Moeller wrote:
  It could be argued
  that it’s time to draw a line in the sand - if you’re
 prohibiting
  the
  use of encryption, you’re effectively not part of the web.
 You’re
  subverting basic web technologies.
 
  China is not prohibiting encryption. They're prohibiting specific
  instances of encryption which facilitate circumvention of censorship.
 
  So, what to do? My main suggestion is to organize a broad request
 for
  comments and input on possible paths forward.
 
  OK, well there's one fairly obvious solution which hasn't been
  proposed or discussed. It would allow the end-to-end encryption and
  would allow us to stay as popular in China as we are now.
 
  We could open a data centre in China, send frontend requests from
  clients in China to that data centre, and comply with local
 censorship
  and surveillance as required to continue such operation.
 
  It would be kind of like the cooperation we give to the US government
  at the moment, except specific to readers in China instead of imposed
  on everyone in the world.
 
  It would allow WMF to monitor censorship and surveillance by being in
  the request loop. It would give WMF greater influence over local
  policy, because our staff would be in direct contact with their
 staff.
  We would be able to deliver clear error messages in place of censored
  content, instead of a connection reset.
 
  -- Tim Starling

 Their orders would be classified; disclosure of them would be a crime.
 Not a problem for us, but a big problem for staff on the ground in
 China.

 Fred


 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe





___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Gerard Meijssen
Fred,

Sorry, there is no us. As far as the United States is concerned they
allowed themselves to spy on any person who is not one of US to be speid
on. Given that our movement is a global movement, the fact that it is based
in the US is incidental.
Thanks,
  GerardM


On 3 September 2013 14:36, Fred Bauder fredb...@fairpoint.net wrote:

 Any censor from the United States or European governments that works
 directly with us (I have no personal knowledge of this, I just know it
 has to be) is concerned with classified information, not someone's
 opinions or factual information about historical events or political
 personalities.

 Detailed information about construction of advanced nuclear weapons or
 the details of military or intelligence operations cannot be on Wikipedia
 just as child pornography cannot be; on the other hand, a distorted, or
 devastatingly accurate picture, of the Iraq War, or Obama, can be.

 So, while the details of material removed for legitimate security reasons
 cannot be published; in China the identity and any personal information
 we have gathered such as the ip address of an editor and the content of
 their edits to the Tiananmen Square protests of 1989 article would be of
 interest to the security apparatus and classified. Any local employee or
 volunteer of ours who shared that information with others even within our
 organization could be prosecuted. It is quite impossible to work with the
 Chinese government in the manner suggested and maintain a scintilla of
 integrity. A request by them to remove details about their advanced
 nuclear weapons or specific details of their military deployments would,
 of course, be legitimate.

 The Chinese government has legitimate reason to avoid extensive public
 attention to past errors and disasters; one has only to look at the
 history of the Soviet Union to observe the effect of focusing on past
 outrages on public morale, but that is their burden to bear not ours to
 share.

 Fred

  Hoi,
 
  Fred, what is different in your scenario from what happens in the USA ?
 
  Thanks,
GerardM
 
 
  On 3 September 2013 00:23, Fred Bauder fredb...@fairpoint.net wrote:
 
   On 31/08/13 15:17, Erik Moeller wrote:
   It could be argued
   that it’s time to draw a line in the sand - if you’re
  prohibiting
   the
   use of encryption, you’re effectively not part of the web.
  You’re
   subverting basic web technologies.
  
   China is not prohibiting encryption. They're prohibiting specific
   instances of encryption which facilitate circumvention of censorship.
  
   So, what to do? My main suggestion is to organize a broad request
  for
   comments and input on possible paths forward.
  
   OK, well there's one fairly obvious solution which hasn't been
   proposed or discussed. It would allow the end-to-end encryption and
   would allow us to stay as popular in China as we are now.
  
   We could open a data centre in China, send frontend requests from
   clients in China to that data centre, and comply with local
  censorship
   and surveillance as required to continue such operation.
  
   It would be kind of like the cooperation we give to the US government
   at the moment, except specific to readers in China instead of imposed
   on everyone in the world.
  
   It would allow WMF to monitor censorship and surveillance by being in
   the request loop. It would give WMF greater influence over local
   policy, because our staff would be in direct contact with their
  staff.
   We would be able to deliver clear error messages in place of censored
   content, instead of a connection reset.
  
   -- Tim Starling
 
  Their orders would be classified; disclosure of them would be a crime.
  Not a problem for us, but a big problem for staff on the ground in
  China.
 
  Fred
 
 
  ___
  Wikimedia-l mailing list
  Wikimedia-l@lists.wikimedia.org
  Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
  mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
 
 



 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Fred Bauder
And from that assertion what practical action or policy should follow?

Fred

 Fred,

 Sorry, there is no us. As far as the United States is concerned they
 allowed themselves to spy on any person who is not one of US to be speid
 on. Given that our movement is a global movement, the fact that it is
 based
 in the US is incidental.
 Thanks,
   GerardM


 On 3 September 2013 14:36, Fred Bauder fredb...@fairpoint.net wrote:

 Any censor from the United States or European governments that works
 directly with us (I have no personal knowledge of this, I just know it
 has to be) is concerned with classified information, not someone's
 opinions or factual information about historical events or political
 personalities.

 Detailed information about construction of advanced nuclear weapons or
 the details of military or intelligence operations cannot be on
 Wikipedia
 just as child pornography cannot be; on the other hand, a distorted, or
 devastatingly accurate picture, of the Iraq War, or Obama, can be.

 So, while the details of material removed for legitimate security
 reasons
 cannot be published; in China the identity and any personal information
 we have gathered such as the ip address of an editor and the content of
 their edits to the Tiananmen Square protests of 1989 article would be
 of
 interest to the security apparatus and classified. Any local employee
 or
 volunteer of ours who shared that information with others even within
 our
 organization could be prosecuted. It is quite impossible to work with
 the
 Chinese government in the manner suggested and maintain a scintilla of
 integrity. A request by them to remove details about their advanced
 nuclear weapons or specific details of their military deployments
 would,
 of course, be legitimate.

 The Chinese government has legitimate reason to avoid extensive public
 attention to past errors and disasters; one has only to look at the
 history of the Soviet Union to observe the effect of focusing on past
 outrages on public morale, but that is their burden to bear not ours to
 share.

 Fred

  Hoi,
 
  Fred, what is different in your scenario from what happens in the USA
 ?
 
  Thanks,
GerardM
 
 
  On 3 September 2013 00:23, Fred Bauder fredb...@fairpoint.net
 wrote:
 
   On 31/08/13 15:17, Erik Moeller wrote:
   It could be argued
   that it’s time to draw a line in the sand - if
 you’re
  prohibiting
   the
   use of encryption, you’re effectively not part
 of the web.
  You’re
   subverting basic web technologies.
  
   China is not prohibiting encryption. They're prohibiting specific
   instances of encryption which facilitate circumvention of
 censorship.
  
   So, what to do? My main suggestion is to organize a broad request
  for
   comments and input on possible paths forward.
  
   OK, well there's one fairly obvious solution which hasn't been
   proposed or discussed. It would allow the end-to-end encryption
 and
   would allow us to stay as popular in China as we are now.
  
   We could open a data centre in China, send frontend requests from
   clients in China to that data centre, and comply with local
  censorship
   and surveillance as required to continue such operation.
  
   It would be kind of like the cooperation we give to the US
 government
   at the moment, except specific to readers in China instead of
 imposed
   on everyone in the world.
  
   It would allow WMF to monitor censorship and surveillance by being
 in
   the request loop. It would give WMF greater influence over local
   policy, because our staff would be in direct contact with their
  staff.
   We would be able to deliver clear error messages in place of
 censored
   content, instead of a connection reset.
  
   -- Tim Starling
 
  Their orders would be classified; disclosure of them would be a
 crime.
  Not a problem for us, but a big problem for staff on the ground in
  China.
 
  Fred
 
 
  ___
  Wikimedia-l mailing list
  Wikimedia-l@lists.wikimedia.org
  Unsubscribe:
 https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
  mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
 
 



 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe





___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Marc A. Pelletier
On 09/03/2013 08:36 AM, Fred Bauder wrote:
 Any censor from the United States or European governments that works
 directly with us (I have no personal knowledge of this, I just know it
 has to be) is concerned with classified information, not someone's
 opinions or factual information about historical events or political
 personalities.

You have an optimism and faith in your government(s) that is, sadly, not
justified by history (past and recent).  The blanket classified (or,
more recently national security) has and is being used to cover up
embarrassing more often than not.

-- Marc


___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Marc A. Pelletier
On 09/02/2013 06:17 PM, Tim Starling wrote:
 OK, well there's one fairly obvious solution which hasn't been
 proposed or discussed.

[collaborating with the PRC]

That's because, ideologically, it would be abhorrent to a very large
segment (possibly even the majority) of editors, staff and readers.

And because it would set a /horrible/ precedent that other governments
who currently feel obligated to tolerate unfettered access to our
projects would be quick to demand.

The idea of playing along with censors doesn't just not fly, it's a
non-starter.

-- Marc


___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Marc A. Pelletier
On 09/03/2013 09:45 AM, Fred Bauder wrote:
 Abusive nonsense does not make that fact go away. Someone,
 actually, many someones, need to be trusted.

Доверяй, но проверяй.

I agree with your assessment of the risks of working with the PRC, I
simply think that if you think that those risks do not exist in our
Western countries, you are ignoring history.

The only thing that protects us is transparency and visibility, and
maintaining those requires constant vigilance, not blind trust.

-- Marc

P.S.:  I mean, the two things that protect us are transparency,
visibility and vigilance.  Wait.  AMONGST the things that protect us are...



___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Marc A. Pelletier
On 09/03/2013 12:33 PM, Delirium wrote:
 I certainly agree with learning from history, but when it comes to
 censoring encyclopedias or similar reference works, are there good
 examples that might more concretely narrow down the specific type of
 thing we ought to be learning from history?

Not that I know of, but that's because the model of what an encyclopedia
/is/ has changed a great deal -- they used to be centralized
distribution of knowledge and subject to an unknown number of pressure
points (including, most dangerously, self-censorship).

Wikipedia, and the Net in general, have changed the landscape
substantially and -- accordingly -- the attack vectors.  I don't think
we have much left to fear from attempts to repress individual bits of
data so much as attempts to change the landscape back to top-down
control (through legislation, disinformation, and so on).

Certainly, the Défence Nationale's attempt to rubber hose information
out of the French Wikipedia is a recent and very visible failed attempt.
 I've no doubt that for every very visible and embarrassing failure like
that one, there are a dozen that fly under the radar.

 Are there more successful attempts?

It would be difficult to enumerate successful attempts since, by
definition, they would have been successful at not being known.  :-)  I
don't disagree that it would be very difficult, perhaps even nearly
impossible, to completely censor information in this day and age and
under our current political climate -- but that is exactly *because* we
reflexively fight authority figures attempting to control information
not because there is no longer a desire or attempts to do so have gotten
less frequent.

Gilmore was already noting in in 1993 while the 'net was still the
province of the elite geekdom; there is no reason to believe this has
gotten better since (and lots of reasons why it could have gotten worse).

-- Marc


___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Fred Bauder
I guess emergencies should not go to legal as there may be a considerable
delay.

Fred


 Are there more successful attempts?

 It would be difficult to enumerate successful attempts since, by
 definition, they would have been successful at not being known.  :-)
 -- Marc

 I once suppressed information about a troop movement underway in Iraq
 after a request. Troop movements are explicitly mentioned in the
 Espionage Act.

 Such requests, and other requests regarding obviously illegal material,
 should go to legal at wikimedia.org or emergency at wikimedia.org at the
 Foundation rather than to User:Oversight, by the way. There is a whole
 bunch of people on the oversight committee none of whom are known to have
 security clearances.

 Fred


 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe



___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Fred Bauder

 Are there more successful attempts?

 It would be difficult to enumerate successful attempts since, by
 definition, they would have been successful at not being known.  :-)
 -- Marc

I once suppressed information about a troop movement underway in Iraq
after a request. Troop movements are explicitly mentioned in the
Espionage Act.

Such requests, and other requests regarding obviously illegal material,
should go to legal at wikimedia.org or emergency at wikimedia.org at the
Foundation rather than to User:Oversight, by the way. There is a whole
bunch of people on the oversight committee none of whom are known to have
security clearances.

Fred


___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Delirium

On 9/3/13 4:28 PM, Marc A. Pelletier wrote:

On 09/03/2013 09:45 AM, Fred Bauder wrote:

Abusive nonsense does not make that fact go away. Someone,
actually, many someones, need to be trusted.

Доверяй, но проверяй.

I agree with your assessment of the risks of working with the PRC, I
simply think that if you think that those risks do not exist in our
Western countries, you are ignoring history.

I certainly agree with learning from history, but when it comes to 
censoring encyclopedias or similar reference works, are there good 
examples that might more concretely narrow down the specific type of 
thing we ought to be learning from history?


The best example of which I'm aware is the 1979 attempt by the U.S. 
Department of Energy to stop the publication of a reconstruction of the 
Teller-Ulam hydrogen bomb design. But that attempt ended up being 
unsuccessful, and encyclopedias (including Wikipedia) include that 
information. Are there more successful attempts?


-Mark


___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Michelle Paulson
Hi Fred,

Emergencies should go to emerge...@wikimedia.org.  Any other concerns
should be directed to le...@wikimedia.org.

Please note that emergency@ should only be used for actual emergencies
(i.e. immediate threats to life, limb, or property).

Thanks!

-Michelle


On Tue, Sep 3, 2013 at 10:48 AM, Fred Bauder fredb...@fairpoint.net wrote:

 I guess emergencies should not go to legal as there may be a considerable
 delay.

 Fred

 
  Are there more successful attempts?
 
  It would be difficult to enumerate successful attempts since, by
  definition, they would have been successful at not being known.  :-)
  -- Marc
 
  I once suppressed information about a troop movement underway in Iraq
  after a request. Troop movements are explicitly mentioned in the
  Espionage Act.
 
  Such requests, and other requests regarding obviously illegal material,
  should go to legal at wikimedia.org or emergency at wikimedia.org at the
  Foundation rather than to User:Oversight, by the way. There is a whole
  bunch of people on the oversight committee none of whom are known to have
  security clearances.
 
  Fred
 
 
  ___
  Wikimedia-l mailing list
  Wikimedia-l@lists.wikimedia.org
  Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
  mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe



 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe




-- 
Michelle Paulson
Legal Counsel
Wikimedia Foundation
149 New Montgomery Street, 6th Floor
San Francisco, CA 94105
mpaul...@wikimedia.org
415.839.6885 ext. 6608 (Office)
415.882.0495 (Fax)




NOTICE: *This message might have confidential or legally privileged
information in it. If you have received this message by accident, please
delete it and let us know about the mistake. For legal reasons, I may only
serve as an attorney for the Wikimedia Foundation. This means I may not
give legal advice to or serve as a lawyer for community members,
volunteers, or staff members in their personal capacity.*
___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Kirill Lokshin
To be fair, none of the people receiving requests through legal@ or emergency@ 
have security clearances either.

Kirill

On Sep 3, 2013, at 1:44 PM, Fred Bauder fredb...@fairpoint.net wrote:

 
 Are there more successful attempts?
 
 It would be difficult to enumerate successful attempts since, by
 definition, they would have been successful at not being known.  :-)
 -- Marc
 
 I once suppressed information about a troop movement underway in Iraq
 after a request. Troop movements are explicitly mentioned in the
 Espionage Act.
 
 Such requests, and other requests regarding obviously illegal material,
 should go to legal at wikimedia.org or emergency at wikimedia.org at the
 Foundation rather than to User:Oversight, by the way. There is a whole
 bunch of people on the oversight committee none of whom are known to have
 security clearances.
 
 Fred
 
 
 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-03 Thread Kirill Lokshin
The thing is, it's kind of a crapshoot anyways.  You might see something that 
you think might be classified and report it; but, unless you actually have the 
corresponding clearance yourself, you have no way of knowing for certain 
whether the material is in fact classified in the first place.  Conversely, 
anyone who does have that information is unlikely to confirm it one way or the 
other, for obvious reasons. 

To make things even more convoluted, reporting certain kinds of material to the 
WMF could itself potentially be considered illegal in some circumstances, since 
not everyone at the WMF is considered a US person for ITAR purposes. 

Kirill

On Sep 3, 2013, at 2:34 PM, Fred Bauder fredb...@fairpoint.net wrote:

 To be fair, none of the people receiving requests through legal@ or
 emergency@ have security clearances either.
 
 Kirill
 
 True, but there are not so many of them. I'm not sure if a request about
 a major matter has ever been made through any channel. In a way, that is
 kind of a dumb move.
 
 Fred
 
 
 ___
 Wikimedia-l mailing list
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
 mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-02 Thread MZMcBride
Erik Moeller wrote:
So, what to do? My main suggestion is to organize a broad request for
comments and input on possible paths forward. I think we’re doing the
right thing by initially implementing these exemptions -- but I do
think this decision needs to finally rest with the Board of the
Wikimedia Foundation, based on community input, taking the tradeoffs
into account.

Thanks for writing out these thoughts. A broad request for comments and
input seems reasonable, though there seems to be quite a bit of work
needed to get ready to begin such a discussion.

My own stance, which I will continue to argue for (and which is my
view as an individual -- there are many divergent opinions on this
even inside WMF), is clear: I think we should set a deadline for the
current approach, and shift to HTTPS for all traffic, for all sites,
for all users, by default, after that deadline passes. This will force
us to take the consequences of that shift seriously, and to explore
alternatives to designing our technical policies around the practices
of regimes that undermine web security in order to better censor and
monitor their citizens.

I think it would help the conversation to have more data. Everybody knows
that there are over a billion people in China. However, how many people
globally can't use HTTPS (for whatever reason)? What is that breakdown by
country? How many users have opted out of HTTPS via user preference?

There's merit to the idea of ignoring user-hostile countries such as Iran
and China and cutting them off: certainly it's a mess of their own making.
But it seems to me that this idea is orthogonal to the idea that Wikimedia
needs to make a political point, engage in political advocacy, or take a
stand. Wikimedia is in the business of spreading free educational content.
It seems to me that getting involved in politics leads down a perilous
path that could ultimately destroy Wikimedia.

Of course, we've already decided to act by specifically exempting certain
countries from the new HTTPS requirement. But there might be a strong
contingent of users in the community that feels we should stop exempting
countries (i.e., treat everybody the same), but also _not_ be involved in
attempting to subvert whichever government monitoring we feel is most
egregious. While we can pretend as though it's only China and Iran, many
countries are spying on their own people at various levels.

And it becomes a question of cost versus benefit, much like everything
else that Wikimedia decides to work on. There's a very public trail of any
edits that you make. What information, exactly, are we trying to prevent
governments from getting ahold of? I think a stronger, clearer case for
what benefits Wikimedia will see would help justify (or help eliminate)
some of the proposed costs.

Both the community and the Board need to think about these questions and
their answers and ultimately address how to move forward.

MZMcBride



___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-02 Thread FT2
There are many very sane comments in this thread.  I agree with most of
them -

   - Network encryption is important as one aspect;
   - Local threats and digging dirt are an important realistic threat
   (far more people are of interest to *THEIR OWN COMMUNITIES* vs nationally,
   or open to so many types of harm - defamation, humiliation, Lulz);
   - Moving to https and forcing a serious look at technical implications
   and needed workarounds is a strong argument;
   - Asking those affected is a strong argument;
   - We are a global presence, so our stance, its strength, its
   rightness, and the signal we send, are crucial.

With all respect to local editors, whose position I wish were better, there
is more at stake in Chinese and other affected Wikipedias, than China.
There are questions of internet/freedom/privacy-related beliefs, policies,
and directions -- what one might describe as the battleground for privacy
of thought vs. state right to monitor thought. That is what it comes to,
whether now, or in 5 or 15 years.

I'm reminded of public reaction years back, to Google, when as a condition
of entry to China it agreed to filter its results. Part of the logic was
better partial information and presence than none.  Did it help Google's
efforts in China? It was seen by many outside as a betrayal. Google had to
leave eventually. Are there lessons we should consider from others who have
tried different approaches in these countries?

I see no reason to believe that state oversight and interception will be
benevolent institutions - and would disregard assurances that they are
designed as such. History teaches over and again that fallibility and
expansion of power is the more usual rule, and good intentions easily turn
to dark uses. To take a simple scenario and how we are affected, if passage
of time and public indifference endorses states being usually able to
watch what one studies and writes on, how long before immigration, access
to medical or welfare services, legal rights, marginalization, 'staged'
crimes, targeting, accusations of sedition or anti-state activity, and so
on, become informed by (among other things) a standard government lookup by
state authorities and law enforcement, of one's Wikipedia (or other online)
accesses, and negative interpretations of what those may mean? Self
censorship is a grave possibility, and will encroach from the edges.

To give specific examples, take a Western visitor to Russia who once 8
years ago edited a Wikipedia article adding a note on homosexuality policy
in a school or a legal case in a county. There is no expectation that a
state body would not save all data they can and even in US law a URL is
probably metadata and has no right of privacy. When immigration routinely
obtains visitors' names 72 hours in advance (as some countries expect and
others may demand as a norm) won't they at some time turn around and ask as
part of that process, what is known of possible visitors, and annotate
their immigration records with Edits pro-jewish topics or Seems to
support homosexuality? Perhaps editors on contentious topics (drugs,
abortion, religion) will have these noted by immigration and less ethical
law enforcement bodies seeking visitors to target, if editing or reading
patterns become easily accessible. The same goes double for editors
attempting to uphold NPOV in countries where this is a risk, and the act of
simply toning down articles that contain inappropriately POV tone in
locally controversial articles may put one at risk.

Twitter and Facebook may show ones daily life, but Wikipedia editing and
page reads show what one sees as areas of interest to inform others, and
areas to be informed oneself. There are workarounds but we can't simply say
people should know or if they are at risk they shouldn't edit. That's
not sustainable.

While this isn't explicitly known to happen yet in the US or UK, I
suggest that it's likely to be a logical step round the corner, worldwide,
where state bodies seek to know in advance more about individuals, and
individuals screen and self-censor in response. We need that not to become
a habit, or NPOV can be kissed goodbye.

The profound and poignant comment appeared in one media report a month ago,
that people like Merkel do act as strong advocates of privacy precisely
because - *unlike* US and UK citizens - they have actually lived under the
Stasi. They know what a file on every person, or state access to innermost
and private thoughts for the common good truly means for a country.
We probably do need to do what we can to afford a safe ecosphere, as our
whole endeavor depends on it and we have the position to make that point.
It may be difficult, but we probably have a good call for discussing the
possible need to support the ball rolling.

FT2


On Mon, Sep 2, 2013 at 11:23 PM, Fred Bauder fredb...@fairpoint.net wrote:

  On 31/08/13 15:17, Erik Moeller wrote:
  It could be argued
  that it’s time to draw a line in the sand 

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-02 Thread Matthew Flaschen

On 09/02/2013 06:17 PM, Tim Starling wrote:

It would allow WMF to monitor censorship and surveillance by being in
the request loop.


There's no guarantee they would accept HTTPS, even if there were still 
user surveillance inside the data center.


 It would be kind of like the cooperation we give to the US government
 at the moment, except specific to readers in China instead of imposed
 on everyone in the world.

This is apples and oranges, in my opinion.  Yes, the U.S. monitors 
Internet traffic in some circumstances.  And I assume they occasionally 
serve subpoenas and such to Wikimedia.


But as far as I know, the U.S. government has never blocked the general 
public from accessing a Wikipedia article, nor have they sent a takedown 
that was based on ideology/social harmony/etc.



We would be able to deliver clear error messages in place of censored
content, instead of a connection reset.


Not necessarily.  Google was delivering such censorship notes for a 
while 
(http://www.theguardian.com/technology/2013/jan/04/google-defeat-china-censorship-battle), 
but eventually conceded to China in a game of chicken.


As mentioned by other people, they also tried this approach of 
tolerating censorship in China for google.cn, but eventually pulled out. 
 google.cn is now just a picture of their home page that links to 
google.com.hk


I understand the goals of your hypothetical solution.  However, 
pragmatic matters aside, I think it's too far down the road of appeasing 
censorship.


Matt Flaschen

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-09-02 Thread Peter Gervai
On Tue, Sep 3, 2013 at 6:38 AM, Matthew Flaschen
matthew.flasc...@gatech.edu wrote:

 But as far as I know, the U.S. government has never blocked the general
 public from accessing a Wikipedia article, nor have they sent a takedown
 that was based on ideology/social harmony/etc.

Instead they use terrorism (or really anything they come up with)
poilerplate to monitor their and foreign citizens, illegally collect
personal data about them and monetize it or use to pressure or
threaten selected individuals, companies or agencies. They,
additionally, use various ceasedesist processes (which is basically
the same as blocking but they let you do the work instead of them).
And it's just the same way based on ideology and social harminy as of
China, apart from that it's for a slightly different agenda.

China does censorship to prevent unwanted content, USA does
surveillance and pressure to prevent unwanted content. Not much of a
difference.

g

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Wikimedia and the politics of encryption

2013-08-31 Thread Emmanuel Engelhart
Le 31/08/2013 07:17, Erik Moeller a écrit :
 We can, of course, ask users in the affected countries. Given that
 this may lead to degradation or loss of access, users are likely to be
 opposed, and indeed, when plans to expand HTTPS usage were announced,
 a group of Chinese Wikipedians published an open letter asking for
 exemptions to be implemented:
 
 https://zh.wikipedia.org/wiki/Wikipedia:%E5%BC%BA%E5%88%B6%E5%8A%A0%E5%AF%86%E7%99%BB%E5%BD%95/openletter
 
 This was a big part of what drove the decision to implement exemptions.

This attitude seems to be, on a first look, the most logical and
respectful one.

But, I want to be remember, that the risk perception is often not
proportional *at all* to the risk itself. In daily life, many risks are
suppressed because the imagination of a constant threat would paralyse
all activities. So, this feedback from the Chinese community should be
handled carefully.

I tend myself to think that deploying HTTPS everywhere and force its
usage is the best long term approach.

However, this is without any doubt, a difficult dilemma.

Emmanuel
-- 
Kiwix - Wikipedia Offline  more
* Web: http://www.kiwix.org
* Twitter: https://twitter.com/KiwixOffline
* more: http://www.kiwix.org/wiki/Communication

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe