Four social rules for a “No Asshole Zone”

Free Software needs a strong community. If we fail to attract everyone willing to work for Free Software, we’re shooting ourselves in the foot. Also, we’re probably not being as friendly and open towards people as we should be, morally speaking. That’s a serious failure for a community where morals matter.

The low share of women participating in the community (oh, where to start with the links? I’ll just pick this one by Jodi Biddle) is an especially egregious problem. I’m sorry to say that FSFE is doing no better in this regard than the overall community, much as we want to.

One easy step that we’ve already taken is to update our internship page to say that when choosing between two or more similarly qualified candidates, we’ll prefer female applicants. Yes I know, hardly revolutionary – but you have to start somewhere.

I just came across Sumana Harihareswara’s keynote at WikiCon 2014, titled “Hospitality, Jerks, and What I Learned”. The whole text is interesting, and I recommend you read it in full.

In one section, Sumana talks about constructing a “No Asshole Zone”, and specifically focuses on four social rules that help people to work in public – something that sometimes includes failing and showing ignorance. The rules are:

No feigned surprise. No well-actuallys. No back-seat driving. And no sexism, racism, homophobia, and so on.

It’s important to realise that these rules aren’t specifically about being more welcoming towards women. They’re about being more welcoming towards everyone. They’re about making our work more productive and satisfying.

A more detailed explanation

Feigning surprise. When someone says “I don’t know what X is”, you don’t say “You don’t know what X is?!” or “I can’t believe you don’t know what X is!” Because that’s just a dominance display. That’s grandstanding. That makes the other person feel a little bit bad and makes them less likely to show you vulnerability in the future. It makes them more likely to go off and surround themselves in a protective shell of seeming knowledge before ever contacting you again.

Well-actuallys. That’s the pedantic corrections that don’t make a difference to the conversation that’s happening. Sometimes it’s better to err on the side of clarity rather than precision. Well-actuallys are breaking that. You sometimes see, when people actually start trying to take this rule in, that in a conversation, if they have a correction, they struggle and think about it. Is it worth making? Is this actually important enough to break the flow of what other people are learning and getting out of this conversation? Kind of like I think we in Wikimedia world will say “This might be bikeshedding but -”. It’s a way of seeing that this rule actually has soaked in.

So far, so good. But what happens when someone fails to stick to these rules?

I think it’s also important to note, well, how do these rules get enforced? Well, all of us felt empowered to say to anyone else, quickly and a bit nonchalantly, “Hey, that was a well-actually,” or “That’s kind of feigned surprise, don’t you think?” And the other person said sorry, and moved on. I can’t tell you how freeing it felt that first week, to say “I don’t know” a million times. Because I had been trained not to display ignorance for fear of being told I didn’t belong. [...]

If you don’t understand why something you did broke the rules, you don’t ask the person who corrected you. You ask a facilitator. You ask someone who’s paid to do that emotional labor, and you don’t bring everyone else’s work to a screeching halt. This might sound a little bit foreign to some of us right now. Being able to ask someone to stop doing the thing that’s harming everyone else’s work and knowing that it will actually stop and that there’s someone else who’s paid to do that emotional labor who will take care of any conversation that needs to happen.

Within FSFE, we put a lot of importance on keeping conversations polite and productive. We already rely quite a bit on FSFE’s staffers and other experienced list moderators to sort out conflicts. However, a lot of our rules are implicit. Sumana’s talk makes some of them explicit, and suggests some useful new approaches we should try.


We’re all Gmail users now – Pt. 2

The other day I wrote about how even if you don’t use Gmail, Google still ends up with access to a lot of your personal conversations. My own analysis was a pretty poor imitation of the interesting work done by Benjamin Mako Hill. Where he used Python and R, I just fumbled around with Mutt’s limit patterns. Due to the different methodology, our figures weren’t really comparable.

Now I took the time to actually run Mako’s scripts. It turned out to be easier than I thought. The archives I analysed contain data starting in the first half of 2009, but anything before 2010 is patchy. I changed my mail setup at the start of 2010, and most of the mail from before then isn’t included in this analysis.

[Chart: Email since 2010, all mail vs mail handled by Google – number of mails, overall and from Google]

This shows us the absolute number of mails I’ve received and replied to. It tells me that my mail volume is fairly constant over the long term, but that my mail load can oscillate wildly on a weekly basis. And it tells you when I was on vacation these past years.

The share of mail that goes through Google’s servers is pretty low. But how low?

[Chart: Share of mail going through Google's servers]

Between 10% and 15%, that’s how low. As Mako (and I) would expect, Google is somewhat more involved in conversations that I carry on actively (Email with Replies) than in the overall set of email I’ve received. This is because there’s lots of spam and auto-generated mail in the “All Mail” category, and most of it doesn’t go through Google’s servers.

I have no idea what causes the slight uptick in Google’s share among mails I’ve replied to after mid-2013.

Hugo Roy has run Mako’s scripts, and his Google share moves between 25% and 50%. The results that I obtained from Mutt’s limit patterns match the output of Mako’s scripts pretty closely, by the way.

Conclusions

What can we learn from this? A large share of my contacts doesn’t rely on Google for email service. That’s good news.

On the other hand, Edward Snowden telling us that the NSA and its buddies are after our mail apparently hasn’t dissuaded people from using a provider they know is being tapped. Or at least, it hasn’t really increased the number of my contacts who avoid using Google for mail.

Finally, looking at the figures from Mako and Hugo alongside mine, your privacy against the large web companies (and against the spies who hoover up the data they store) largely depends on your environment. If you work in a place where lots of people rely on Google for mail service, your data will end up on the company’s servers. If, on the other hand, your employer and your friends rely on their own servers, or on smaller providers, you have a much better shot at protecting your privacy.

Taking control of your own systems is the easy bit. Persuading everyone around you to do the same is harder, but has a bigger impact.



We’re all Gmail users now

Is your privacy important to you? And if so, are you running your own mail server? Good. But if your concern is to keep Google’s tentacles out of your personal conversations, that’s not enough.

Benjamin Mako Hill published a fine project he undertook over the weekend. He wrote a bunch of scripts to check how much of the mail in his archives had gone through Google’s servers.

The answer: About 57% of the mails in his inbox had been delivered by Google. That’s still a conservative calculation, and it’s pretty depressing for someone who goes to the lengths he does to keep his data private.

Mako’s work inspired me to do the same. It was late and I was tired, so instead of futzing around with Python and R, I decided to simply use the tool I had available anyway, and rely on Mutt’s limit patterns. The archives I analysed go back to September 2009 – not quite as comprehensive as Mako’s own, but still significant.

I used a pretty simple limit pattern:

Limit to messages matching: ~h google.com

which translates to “show me all messages that have the string ‘google.com’ somewhere in the header”.
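As an added example (not the author's Mutt setup, nor Mako's scripts), the following Python reproduces what `~h google.com` does on a few constructed messages, and sets it beside a stricter check that only counts Google hosts named as relays in Received: headers. The sample messages, hostnames and IP addresses are made up.

```python
import email
import re

# Constructed sample messages (made-up hosts and documentation-range IPs, not
# real mail). Each is one raw RFC 5322 message as it would sit in a mailbox.
SAMPLE_MESSAGES = [
    # 1: actually relayed by a Google server
    """Received: from mail-x1.google.com (mail-x1.google.com [203.0.113.42])
\tby mx.example.org (Postfix) with ESMTPS id AAA111
\tfor <alice@example.org>; Mon, 02 Jun 2014 10:00:00 +0200
Received: by mail-x1.google.com with SMTP id q9so7; Mon, 02 Jun 2014 01:00:00 -0700 (PDT)
From: bob@gmail.com
To: alice@example.org
Subject: Lunch?

Free at noon?
""",
    # 2: self-hosted sender, but a Google Docs link in the Subject line
    """Received: from mail.fsfe.example (mail.fsfe.example [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTPS id BBB222
\tfor <alice@example.org>; Mon, 02 Jun 2014 11:00:00 +0200
From: carol@fsfe.example
To: alice@example.org
Subject: Draft at https://docs.google.com/document/d/placeholder

Please have a look.
""",
    # 3: small provider, no Google involvement at all
    """Received: from smtp.smallhost.example (smtp.smallhost.example [198.51.100.7])
\tby mx.example.org (Postfix) with ESMTPS id CCC333
\tfor <alice@example.org>; Mon, 02 Jun 2014 12:00:00 +0200
From: dave@smallhost.example
To: alice@example.org
Subject: Minutes

Attached.
""",
]


def header_mentions(msg, needle="google.com"):
    """Mutt's '~h google.com': the string occurs anywhere in any header line.

    Cheap and easy, but it also fires on a google.com URL in a Subject line,
    so it over-counts 'mail handled by Google'.
    """
    needle = needle.lower()
    return any(needle in f"{name}: {value}".lower() for name, value in msg.items())


# Hostname following 'from' or 'by' in a Received: header.
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def relayed_via(msg, domain="google.com"):
    """Stricter check: a host under `domain` appears as the sending ('from') or
    receiving ('by') relay in some Received: header, i.e. Google's servers
    really carried the message."""
    for received in msg.get_all("Received", []):
        for host in HOST_RE.findall(received):
            host = host.lower().rstrip(".")
            if host == domain or host.endswith("." + domain):
                return True
    return False


def share(raw_messages, check):
    """Count messages where `check` holds; return (matched, total, percent)."""
    msgs = [email.message_from_string(raw) for raw in raw_messages]
    matched = sum(1 for m in msgs if check(m))
    percent = round(100.0 * matched / len(msgs), 2) if msgs else 0.0
    return matched, len(msgs), percent


if __name__ == "__main__":
    for label, check in (("~h google.com", header_mentions), ("Received: via google.com", relayed_via)):
        print(label, share(SAMPLE_MESSAGES, check))
```

On the three samples the substring match reports two of three messages, the Received-based check only one; on a real archive the gap between the two figures is a measure of how much the `~h` pattern over-counts.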

Out of 140,819 messages, 15,746 matched the pattern. That’s 11.18% – much lower than Mako’s share. Why is this?

Besides the fact that I run my own mail server, the reason is probably that most of my email concerns my work as FSFE’s president. I exchange a lot of mail with FSFE’s staff and volunteers, most of whom use @fsfe.org addresses. These addresses are just a redirect that people can point anywhere they like (hey, if you want one, you can become a Fellow, and support FSFE’s work!).

A few people use them to point to Gmail, but most apparently don’t. A lot of the people I routinely exchange mail with run their own mail server, or host their mail with a small provider. (I assure you that there aren’t a lot of Hotmail users in FSFE.)

The figures above don’t include most public mailing lists that I subscribe to. So I took a look at those, too. Here, I was expecting the share of mail that passed through Google’s servers to be higher. It turns out that the opposite is true: From January 2012 to today, I received 46,163 messages in this folder. Of these, 2,547 have the string “google.com” somewhere in their headers – that’s just 5.52%.

I’m happy to admit that I’m not entirely sure about the methodology. Feel free to criticise and suggest improvements in the comments!

The upshot is that yes, hosting your own server – or keeping your mail somewhere other than the big web service companies – is an important component in reducing your data exhaust. But the size of that reduction depends on the providers used by the people you usually talk to. Privacy, as Eben Moglen highlights, is an ecological issue.

What share of your mail goes through Google’s servers? Post your figures in the comments.

W3C: Who’s working on DRM in HTML5?

Our intern Michele Marrali just had a look at the companies who are participating in the W3C discussion about making DRM a part of the HTML5 standard – something that’s a horrible idea if you care about security and freedom. Here’s what he found:

Google – US
Netflix – US
Sony – JPN
Adobe – US
Microsoft – US
Pierre Sandflow Consulting – US
Apple – US
Nicta – AU
Verimatrix – US
PacketVideo – US
Huawei – China
Telecom Paristech – EU academic institution
irdeto – NL
Comcast – (NBC, Universal, etc) US
Yandex – RU

So that means there’s at least one company from Europe involved in the discussion – right?

Oh, wait. irdeto is a subsidiary of Naspers, a global publishing company based in South Africa.

That brings the number of European businesses involved in the discussion to zero. Zilch. Nada.

Interesting times: Speaking about Free Software in Istanbul

On March 29, I had the pleasure of giving a talk at the annual conference of the Turkish GNU/Linux Users Association in Istanbul, Turkey. This was a pretty interesting time to speak about freedom and technology.

Local elections were scheduled across the country for the following day. The government had blocked both YouTube and Twitter. This largely had the effect of teaching Turkish Internet users about VPN, DNS and Tor. Tor usage numbers in Turkey doubled during the week leading up to my talk.

In my talk, I discussed the relationship between technology and power. The same technology that we are using to liberate ourselves is being used by states and corporations to monitor and control us.

In a nutshell, the spies are largely doing what they were trained to do. It’s the politicians – and therefore, in democracies, us as citizens – who have failed to limit the spies’ invasion of our privacy.

In combination with what Bruce Schneier has appropriately labelled “the public-private surveillance partnership“, this means that our privacy is under threat. Having privacy is essential to our ability to freely decide how we want to live our lives.

[Chart: Number of Tor users in Turkey doubles during Twitter block]

I concluded that in order to live in freedom, we need to recover ways of reading without being watched, and decentralise the locations where we store our data. We need to make laws that strengthen our privacy, and further develop the technical tools such as encryption that make those laws effective. These same tools will also give us cover while we undertake all these efforts.

(All this is something I’m planning to write up as an essay as soon as I get the time. Hah.)

The audience reaction was pretty strong, as you could expect from a young, educated, technically minded group where people are clearly fearing for their country’s future. Many of the people in the room had probably been protesting on Taksim square in 2013, and were acutely aware that that future depends on them.

One of the details from my talk even made it into the national press the next day. I had mentioned that Turkey is probably using a border control IT system that it received as a gift from the United States – on condition that Turkey shares the data on who enters and leaves the country with the US government. Seeing this plastered across the front page on election day was an interesting experience.

And finally, thanks to the very inspiring Nermin Canik for being a great host!

Comments on UK government’s consultation on document standards

The UK is currently inviting comments on the standards it should use for “sharing or collaborating with government documents”. Among other things, the government proposes to make ODF the sole standard for office-type documents.

FSFE has submitted its comments on this proposal, which we believe is very positive. Just now, in the final hours of the process, Microsoft has submitted a lengthy comment, urging the government to include OOXML in its list of standards.

We have filed a short response to Microsoft’s submission. While it should appear on the consultation page shortly, I’m publishing it here right now.

If you, too, believe that the UK government should in future rely on Open Standards alone, please hurry up and file comments of your own.

The lengthy discussion Microsoft offers here essentially boils down to a single demand: That the UK government should in future rely on OOXML simply because it’s what Microsoft’s products support.

This claim is diametrically opposed to the significant efforts that the UK government has recently made to break free from vendor lock-in and stop the IT procurement gravy train, and to the progress that it has made in this direction. Microsoft’s claim also ignores the great extent of preparation which has gone into this proposal, and the thorough analysis of user needs which the government has conducted, and on which the present proposal is based.

Competition takes place on top of standards, not between them. OOXML fails the UK government’s Open Standards definition, in that it is clearly dependent on a single supplier: Microsoft itself.

Whenever a government breaks out of the status quo, and takes bold action to improve matters for the long term, it is easy to manufacture fear, uncertainty, and doubt. We would hope that Microsoft will instead embrace competition, and ensure that all its office products work well with ODF. The company could then rely on the strengths of its product portfolio, rather than on the lock-in strategies that have made it the target of competition regulators around the world.

We are confident that when assessing Microsoft’s response, the UK government will keep the question of “cui bono?” firmly in mind.

UK government sets “red lines” on wasteful IT contracts

While working on FSFE’s response to the UK government’s consultation on using Open Standards by default for government documents, I noticed something that I had apparently overlooked during the busy days ahead of FOSDEM. On Jan 24, the UK government published a few principles for future government IT contracts. They’re quite clear, quite brief, and quite powerful:

  • no IT contract will be allowed over £100 million in value – unless there is an exceptional reason to do so; smaller contracts mean competition from the widest possible range of suppliers
  • companies with a contract for service provision will not be allowed to provide system integration in the same part of government
  • there will be no automatic contract extensions; the government won’t extend existing contracts unless there is a compelling case
  • new hosting contracts will not last for more than 2 years

Regarding the first one: 100 million GBP may seem quite a lot. OTOH, the UK government apparently has several IT contracts worth over a billion pounds each, so this is a significant improvement.

If other governments – and especially the European Commission – followed this approach, that would mean a lot of progress.

Free speech, crypto, and Free Software

On Document Freedom Day (March 26), FSFE and the Greens/EFA group in the European Parliament are organising an event in the European Parliament to discuss how cryptography can help us break the grip of the surveillance state.

The draft program looks amazing. We’ll have Werner Koch (of GnuPG fame, and one of FSFE’s founders), Karen O’Donoghue (Internet Society), French journalist Amaelle Guitton, and Swedish IT security expert Joachim Strömbergson.

Free speech is a human right, and a cornerstone of any democratic society. To enable communication, it is important that documents can be opened and read by the people who are meant to receive them. In today’s world, it is equally important that we have the ability to ensure that documents are read /only/ by the people meant to receive them, to prevent a scenario where both censorship and self-censorship degrade the ability of citizens to speak freely to each other, develop new ideas, and drive the progress of our society.

If encryption tools are to be considered trustworthy, their workings must be fully transparent. The encryption programs themselves need to be Free Software, so that anyone can independently assess how they work, and verify that they do not contain any defects or back doors.

The encryption methods are perhaps even more crucial. Encryption can only work with Open Standards. Cryptography as a field is developing rapidly, and the topic has long been far too complex for any single person to comprehend it fully. The best way of dealing with this complexity is to standardise cryptographic methods.

Such standards need to be created in a process that is open to public participation and assessment; collaborative; and fully transparent. In other fields of technology, closed, proprietary methods are merely an inefficient approach. In cryptography, such methods mean that the tools relying on them cannot be audited, and are therefore considered untrustworthy. In addition, the lack of independent review of the methods used frequently leads to poor-quality programs and systems.

Open Standards in the field of encryption, on the other hand, mean that cryptographic tools can rely on widely accepted methods which have been extensively reviewed, criticised, and validated by experts in the field. If those encryption tools are distributed as Free Software, the tools themselves can be efficiently audited. This is not only essential to ensuring that the tools do not contain any critical mistakes or back doors. It also opens those tools up to an ongoing process of improvement.

Registration for the March 26 event will open soon.


#IloveFS: The humble downloader that could

There are lots of reasons to love Free Software. The stack of little games that comes pre-packaged with most GNU/Linux distributions. The way it makes you feel empowered rather than constrained. How it has taught an entire generation to see sharing knowledge as the normal thing to do, not as the exception.

And all those handy little tools it provides, right there at your fingertips. Like wget. This little program, part of the GNU project that aims to create a free operating system, downloads stuff. Nothing more, nothing less. Fire up a command line, type “wget” plus the URL of the file you want to download, and off you go. In its simplicity, you can compare wget (and its cousin curl) to a screwdriver. Regardless of what it is that you’re working on, you’ll want one around.

Information is power. wget’s specialty is to move information from one place to another with great efficiency and speed. Add the “-r” option to your command line, and wget will happily copy to your computer whatever files it can find on the target server.

Reports say [Warning: the article isn't very good] that it was this humdrum sysadmin tool that Edward Snowden used to collect a stash of internal NSA files documenting the agency’s aggressive, and frequently illegal, surveillance programs. And it was this tool that Chelsea Manning used to collect the documents she handed over to WikiLeaks, documenting illegal killings, torture, and much bumbling by the US government in Iraq and elsewhere.

Only last week, a French journalist was fined for downloading a batch of files that a French government agency had made available on its servers, without realising that they were accessible to the general public. Perhaps information really wants to be free, and wget opens the doors of its cages.

As we fight for our freedom, and against surveillance, censorship and oppression, simple tools like wget may be some of our best weapons.

Three things to do on The Day We Fight Back

Today is “the day we fight back” against mass surveillance, and here at FSFE we’re proud to be part of the struggle.

Mass surveillance is a huge problem. Governments are spying on you, endangering the very fabric of democracy. Corporations are asking you to deal away your privacy for a little convenience, with much the same effect.

Mass surveillance is also a hard problem to solve. Essentially, we are up against a very human fear of dangers hidden somewhere in the dark. We’re being told that surveillance will protect us.

Our task is to make everyone understand that surveillance not only fails at protecting us. It also makes everyone worse off in the long run. Difficult, but we have to start somewhere.

So here are three humble suggestions for small steps you can take to secure a democratic future for our societies:

  1. Make your web browsing more secure by installing the HTTPS Everywhere extension in your browser. This will make it much harder for potential snoopers to intercept your connection with the web sites you look at, and will help to protect any data you send there.
  2. Generate a GPG key, and start using it to encrypt your data – especially your email. (There’s help on the web.)
  3. Write to one or more of your political representatives. Explain that you are deeply concerned about mass surveillance, and ask them to help end the practice. Be polite, brief and clear.

See, that wasn’t so hard. You have not only made yourself a little more secure, you have also helped others to improve their privacy, and have contributed to driving political change. Thank you!

Here’s a fourth thing you can do: Support FSFE by joining the Fellowship. FSFE is dedicated to working for freedom in the digital society. We need your help to carry this struggle forward in the years to come.