Address lookup in Mutt with mu

Mutt is a great little email client. I’ve been using it on a daily basis since ca. 2007, and have never looked back.

Somehow every time I talk about Mutt with someone who doesn’t know the program, we end up discussing the things it doesn’t do. Many things that people expect from an “email program”, Mutt simply leaves to external programs of the user’s choice. Which happens to be how I like it. This leaves Mutt to concentrate on what really counts: Processing large amounts of email quickly, effectively and with a minimum of pain.

One of the many things Mutt doesn’t do is look up the addresses of your contacts. You can have an external program do that via the query_command variable. The default keybinding for the query command in Mutt is “Q”.

I have just started to use the mu mail indexer (as part of a project to better integrate Mutt with org-mode, of which more some other time.) It has a great little command called “mu cfind”, which returns contacts matching a string. Getting Mutt to use this is really easy. Just put this in your .muttrc:

# looking up addresses with mu cfind
set query_command="mu cfind '%s'"

UPDATE: This sometimes causes problems, see comments. The version below works:

# looking up addresses with mu cfind
set query_command="mu cfind --format=mutt-ab '%s'"

Reload the config (or just restart Mutt), and you’re done. Now you can press Q to search for addresses.

Renault will remotely lock down electric cars

For a long time, cars were a symbol of freedom and independence. No longer. In its Zoe electric car, car maker Renault apparently has the ability to remotely prevent the battery from charging. And that’s more chilling than it sounds.

When you buy a Renault Zoe, the battery isn’t included. Instead, you sign a rental contract for the battery with the car maker. In a Zoe owner’s forum, user Franko30 reports that the contract contains a clause giving Renault the right to prevent your battery from charging at the end of the rental period. According to an article in Der Spiegel, the company may also do this when you fall behind on paying the rent for the battery.

This means that Renault has some way of remotely controlling the battery charging process. According to the Spiegel article, the Zoe (and most or all other electric cars) collect reams of data on how you use them, and send this data off to the manufacturer without your knowledge. This data tells the company where you are going, when, and how fast, where you charge the battery, and many other things besides. We already knew that Tesla was doing this with its cars since the company’s very public spat with a journalist who reviewed one of their cars for the New York Times. Seeing the same thing in a mass market manufacturer like Renault makes clear just how dangerous this trend is.

This sort of thing fits well into the dystopian picture which Cory Doctorow paints in his 2011 talk “The coming war on General Computation” (which you really must watch, if you haven’t already), where he argues that “we don’t have cars anymore, we have computers we ride in”. The question then becomes who is in control of this computer: You, the manufacturer, or someone else?

If there is a mechanism to remotely control what your car does, some will make use of this mechanism at some point. This could be the manufacturer, shutting down your car as you fall behind on the battery rent because you just lost your job, meaning that it becomes harder for you to find work. It could be the government, compelling the manufacturer to do its bidding. In his forum post, Franko30 predicts that at some point, governments may simply ask car manufacturers to block charging near controversial political events (e.g. a G8 summit), in order to prevent you from participating in demonstrations. Or it could be any random criminal out there, gaining access to this mechanism by bribing a Renault employee.

The only way out of this is to stay away from cars and other computers that you can’t fully control; and to build systems that put users in charge. At the Free Software Foundation Europe, we are empowering and supporting people who build systems where you, the user, are in control. Please help us with a donation.

 

Some things you can do to secure your communications

Now that we know for a fact that we’re constantly under surveillance, more people are wondering what you can do to protect yourself. Today I wrote down some thoughts in response to a post on the OKFN-discuss mailing list. Here it is, lightly edited.

In order to protect your privacy, it’s important to think about what, exactly, you’re trying to defend against. You’ll also need to decide to what length you want to go to protect your privacy, and the privacy of the people you talk to online.

If you want to avoid a scenario where some large corporation shares your data wholesale with others, whether voluntarily or under force, then the solution is not to give your data to such corporations in the first place.

Here, running your own mail, XMPP etc. servers (or paying someone you trust to do it for you) helps, as does replacing “data hoovers” such as Facebook with decentralised / distributed social networking tools (e.g. diaspora*, identi.ca etc). You’ll also want to replace Skype with something like Jitsi, and Dropbox with something self-hosted such as OwnCloud.

This will make it less convenient for an attacker to get hold of your information, as it’s no longer all stored in a few central places.
Note that many of these programs will not be as polished as their non-free alternatives, so you’ll need to decide whether you prefer shiny toys or privacy.

If you’re trying to defend against someone who might intercept specific sensitive conversations, you’ll want encryption. A lot of email clients (e.g. Thunderbird) let you use GnuPG, the Free Software implementation of the OpenPGP standard. For chat, a number of Free Software clients can handle OTR encryption (which stands for “off the record”).

Such measures will probably keep the contents of your messages private, but not the metadata (who you’re talking to, for how long, from where etc.).

If you’re trying to protect yourself, and the people you communicate with, against attackers who might simply steal or confiscate your computers, you’ll want to encrypt your hard drives. Many GNU/Linux distributions offer this as an option during the install process.

Whatever programs you use for communication and, especially, encryption, you’ll want to make sure that they’re Free Software. Given the things we’ve learned in the past few weeks, it’s probably safe(r) to assume that anything where you can’t look at the source code contains a back door for the government.

As an example, here’s what I do myself. My work for FSFE means that I communicate with lots of people, and handle sensitive data occasionally [1]. My setup is by no means perfect. It’s merely the balance I’ve found between privacy, security and convenience.  YMMV. [2]

  • I store my mail on a server run by a small company, where I know the owners personally. I’m paying them EUR 8 a month for administration, shell access, 2GB server space and other sundries. I trust them because I know them, and because I know where their company’s revenue comes from (from me, and people like me). And because I can go and yell at them if they do something I disagree with. On that server, I’m also running OwnCloud, for easy file storage and sharing.
  • I use GnuPG to encrypt sensitive emails.  My preferred mail client is Mutt, but that’s a detail – others work just as well.
  • For chat, I use FSFE’s XMPP servers, and those of the company mentioned above. For social networking, I use identi.ca (which is currently shifting to a new platform, so I’m not sure how well it’ll work a week from now.)
  • I encrypt the hard drives on my desktop and my laptop. This is easy to do when I install a new operating system, and is probably the simplest thing on this list.
  • I run my searches through DuckDuckGo rather than Google. It’s still a centralised service, but at least that way my search data doesn’t get linked with everything else I do around the Internet. (DuckDuckGo has a Firefox plugin which is pretty convenient.) FSFE’s website search uses YaCy, which is a distributed search engine.

Note that all these measures are purely defensive. They don’t make the problem of surveillance go away. They just slightly reduce your risk of suffering from the problems associated with surveillance. So there’s one more point I’d like to add to the list:

  • I participate in politics. Together with many other people and groups, we’re trying to build a society where surveillance will be the exception rather than the norm. Technology can provide us with useful tools, and can shelter us a bit while we do this work. But it won’t do the job for us.

Footnotes

[1] I’m talking about sensitive as in “if this leaks, it’d be trouble and bad press” rather than “OMG there’s a SWAT team coming through the window”.

[2] Views on what’s an appropriate level of security differ widely. Some people will think I’m paranoid. Some will think I’m horribly sloppy.

Your input needed: Questions for panel w/ Eben Moglen, RMS, 4 MEPs

On July 9 at the Libre Software Meeting / RMLL in Brussels, we’re organising a big panel discussion on “Technology, Power and Freedom”.

After the news about wide-ranging communications surveillance we’ve heard in recent weeks, this topic is arguably even more pressing than it was before. But we want to look at the long term:

What do we need to change in politics and technology today to build a better world tomorrow?

For this discussion we’re bringing some of the Free Software movement’s leading minds together with the people who represent us in the European Parliament. We’re extremely happy to have a list of first-rate participants:

  •   Eben Moglen (Columbia University / Software Freedom Law Center)
  •   Richard M Stallman (FSF)
  •   Judith Sargentini (MEP Greens/EFA)
  •   Marc Tarabella (MEP S&D – tbc)
  •   Nils Torvalds (MEP ALDE)
  •   Ioannis A. Tsoukalas (MEP EPP)

I’d like your input: What should we ask these people? What are your most urgent questions on technology and politics?

Please post your questions in the comments. We’ll gather them and get them to Brussels.

European Parliament calls for action against surveillance

The European Parliament has called upon the Commission and public bodies across Europe to help citizens protect themselves from surveillance. Free Software (referred to here as “open source”) plays a key role in this effort:

The European Parliament:

[...]

29. Urges the Commission and Member States to devise appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software;

30. Calls on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes;

31. Calls on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the ‘least reliable’ category;

32. Calls on the European institutions and the public administrations of the Member States systematically to encrypt e-mails, so that ultimately encryption becomes the norm;

33. Calls on the Community institutions and the public administrations of the Member States to provide training for their staff and make their staff familiar with new encryption technologies and techniques by means of the necessary practical training and courses;

Good stuff. Too bad it’s twelve years old.

This was how the European Parliament reacted to the revelations that Europeans (and everyone else, for that matter) were being spied upon through the ECHELON system.

The measures which the Parliament proposes are still valid. Unfortunately, I don’t see much public support for user-friendly Free Software encryption systems, or Free Software projects in general. If the Commission has gotten round to laying down a standard for the level of security for e-mail software, I haven’t heard about it (that’s entirely possible). Systematic email encryption in the public sector isn’t happening on any significant scale, and I haven’t had many public servants tell me how they’ve been trained in the use of encryption technologies.

Still, if the EP decides to have a resolution on PRISM and its ilk, they could do worse than look at the Parliament’s own ECHELON text.

Friday folly: EP requires proprietary software to register for workshop [Update]

There’s a great workshop coming up at the European Parliament, on “Legal aspects of Free Software”. The official link is rather understated, but the speakers are first class [Update: here’s the preliminary agenda]. They include Eben Moglen, economist and Free Software researcher Rishab Ghosh, FSFE’s very own Carlo Piana, and the project lead for Munich’s migration to Free Software, Jutta Kreyss. The workshop will take place on July 9 in Brussels, coinciding with RMLL, so a great many Free Software people will be in town.

So far, so good, and I’m very glad this event is taking place. Of course I want to be there, and registration is required. And to register, you need what? Adobe Acrobat.

*facepalm*

Fortunately, you can also register by mail. I’ve done so, and used the opportunity to raise some concerns about what this choice of procedure means for the EP’s relation to Europe’s citizens. In case you want to come for the workshop, and if you share these concerns, feel free to re-use whatever you see fit of the points below.

UPDATE: I’ve been assured by the people who have been working for about a year to make this workshop happen that they’ve actually tested the sign-up form in a number of Free Software PDF readers, and that they’re going above and beyond their obligations in making sure that people can also register by mail. So the blame for this doesn’t fall with the EP staffers running the sign-up process, who have apparently done the best they can, but rather with the people in charge of the EP’s overall software environment (and those setting their priorities). The problem just becomes more apparent because this particular workshop deals with Free Software.

 

Dear Madam, Sir,

I would like to register for the

JURI Workshop on LEGAL ASPECTS OF FREE AND OPEN SOURCE
SOFTWARE

taking place in the EP on July 9. Please find my registration data
below.

The workshop program is highly promising, with great speakers who
are leading experts in their field.

However, I would like to express my severe disappointment at your
decision to require would-be participants to sign up using Adobe
Acrobat. This choice means that in order to participate, I would
have to purchase and install non-free software on my computer,
which might not even work on my operating system.

The European Parliament must set itself the highest possible
standards for transparency and citizen participation. In this
instance, it has clearly failed to do so.

If I were to recommend a more suitable procedure for handling
registrations in an efficient manner, I would suggest setting up a
simple web form. This is easy, efficient, and is done frequently
at a wide range of institutions, including the European
Commission. I would expect the EP’s IT department to make
such a tool available to all parliament staff; if this
is not already the case, I recommend requesting it from them.

As regards PDF files, you might be interested in the website
PDFreaders.org

http://pdfreaders.org/

which lists Free Software [1] PDF readers for the most widely used
operating systems.

Requiring people to use non-free software in order to
participate in the Parliament’s activities erects unnecessary
barriers between European citizens and their institutions. I urge
you to help reduce those barriers, rather than making them
stronger.

My registration data is as follows:
[...]

Best regards,

Karsten

 

[1] Free as in freedom, not price.

 

Quick list: Problems for Free Software in Romania

I’m in Bucharest this weekend for the Coliberator conference, organised by FSFE associate organisation Ceata. In one of my talks, I presented FSFE, and talked about things we can work on together.

In the discussion that followed, we collected problems that Free Software is facing in Romania. It’s a rough-and-ready list of points, collected on a public Etherpad – if you have more, please add them, and give me a ping in the comments. (Just keep it limited to Romania, please.)

  • afraid of Free Software
    • afraid of change
    • afraid of having to learn something new
  • companies pressuring politicians to avoid change
  • user organisations afraid of lack of support
  • corruption
    • can’t make hidden deals with Free Software companies as easily
  • Lack of collaboration between activists and groups
  • Users are unfamiliar with Free Software programs
  • hardware sometimes doesn’t support Free Software
  • Too little Free Software use in education system
  • Education system doesn’t emphasize Free Software well enough
    • Asset: Free Software used for training at Bucharest Politechnical Institute
    • Asset: some courses on GNU/Linux use at University of Bucharest
  • Misconception that Free Software is more buggy than proprietary software
    • caused by the fact that we don’t hide problems
  • Government forces people to use non-free software
    • MS Windows required for end-of-high school exams
    • Flash widely used in education – platform
    • government is contractually obliged to use non-free software through their hardware contracts
  • Office suite: People blame Free Software programs for lack of compatibility
  • Getting unlicensed proprietary software is much easier than using proprietary software
    • and people consider proprietary software to be more professional

Sure, it’s a long list of problems, and most of them are issues that we know well from other countries. The good news is that the list also contains some very specific issues, such as the Flash-based education platform. These things present a clear target, and may well be footholds on the steep climb to solving the other, less well-defined problems.

European Parliament to report on own use of Free Software

For the second time, the European Parliament has asked its internal administration to prepare a full report on how the Parliament uses and develops Free Software. Our friends over at EPFSUG have been pushing hard for this for a long time, and we at FSFE have helped where we could:

48. Requests for the second time, after the first request relating to the discharge procedure was made in 2010, a full report on how Parliament’s Free Software projects have developed with regards to use and users in Parliament, citizen interaction and procurement activities; invites for the second time to investigate, in a full study, Parliament’s obligations under Rule 103 of its Rules of Procedure with regard to Free Software and Open Standards; regrets that Free Software and Open Source solutions are not more widely used in the Parliament’s IT infrastructure;

In the slow-moving world of EU administrative processes, a report on the Parliament’s use of Free Software would provide an important reference point for efforts to make European policy makers more aware of Free Software.

So far, the Parliament is moving in the right direction, but at a snail’s pace. In March, we saw the release as Free Software of an internal tool for drafting and tracking legislation.

Open issues

At the same time, more fundamental problems remain unaddressed. The Parliament still offers staffers non-free software for private use, fully expecting them to breach the terms of use of those programs.

The Parliament has also failed to make any progress on breaking free from its lock-in to proprietary vendors. It acquires most of its desktop and software through contracts made by the European Commission. The Commission, in turn, awards those contracts without a competitive tendering process to proprietary software makers and resellers.

The report which the Parliament has now requested from its own administration would represent an important bit of introspection. While not sufficient, this is a necessary condition for improvement.

Data portability in the eHealth sector – #DFD2013

Keynote delivered at the European Parliament, Brussels, 2013-03-27

Document Freedom Day is an annual campaign to build awareness for Open Standards and interoperability. Over 50 events are taking place today around the world around this date, from Nicaragua to Taiwan to Ghana.

Open Standards and interoperability help to put us in control of the technology we use. When it comes to electronic health systems, some questions have already been answered for us.  It’s clear that healthcare in future will rely ever more heavily on computers and databases.

But other questions don’t have an answer yet. What will these computers do, exactly? What data will these databases contain? And who will control them?  These are the questions that policy makers need to answer. The shape of tomorrow’s world will depend on the answers they give.

Healthcare is a key service that citizens expect a modern, civilised state to provide. As we’re discussing data protection and data portability, healthcare is perhaps the most difficult field. That’s because electronic medical records hold information on you that is very personal, even intimate.

Your patient record can tell others how long you are likely to live; whether you can have children; and how productive you’re likely to be as a worker.

This information greatly influences how others relate to you, and the choices you can make. Medical confidentiality is like privacy, only more so.  Will an insurance company take you on if you have a pre-existing condition?  Will your bank ask you to submit a copy of your medical record before processing your mortgage application?

How does an eHealth system have to be designed so that it protects such sensitive information, and yet makes it available to the right people at the right time?  Here are some fundamental considerations as we’re setting out to answer this question.

The fundamental design principle of an eHealth system must be that individuals have ultimate control over their data. Not the state, not health insurers, not other intermediaries. This will be challenging. But without this basic principle, it’s impossible to design an eHealth system that respects people’s freedom.

Second, individuals must be able to choose who they trust with their data. They must be able to freely choose between data service providers, just like today we choose an email provider whom we trust, and who provides the sort of service that we like.

They must be able to switch between services, and take their data with them.  Making data portable like this will only be possible with Open Standards – standards that anyone can implement without restrictions.

Third, the system needs to be open and transparent. Anyone with the appropriate certification should be able to set up a data service provider.  For this to work, the system must rely on Free Software and open interfaces.

Free Software allows everyone to understand how the system works, and make sure it’s secure. Open interfaces enable healthy competition within the system. Incidentally, OpenMRS, a widely used Free Software medical record system already in use in many countries, received a Free Software award yesterday.

This is a very different approach from the centralised model that some states have used.  Large collections of data always attract unwelcome attention. It is impossible to guarantee that they will not be abused in future.  The solution is not to create them in the first place. Instead, let’s create a decentralised system of service providers, flanked by strong regulation and supervision.

As we discuss how to build electronic health systems, let’s keep some fundamental considerations in mind: Privacy, data portability and transparency will be crucial to building systems that work for European citizens rather than against them.

EC hits Microsoft with EUR 561 million fine over web browsers

Microsoft just can’t avoid getting into trouble with competition watchdogs.

Today, the European Commission slapped the company with a fine of EUR 561 million (ca. USD 731 million) for breaching a 2009 settlement over the bundling of Internet Explorer with Windows. Under this agreement, Microsoft promised to display a “browser choice” screen on Windows installs in Europe, inviting users to choose other browsers besides the company’s own program.

At FSFE we were cautiously optimistic at the time. We were glad that the European Commission had taken on this issue at all, but we also pointed out that regulators would have to keep a close watch to make sure the browser choice screen was having the intended effect:

It is now up to the users to take advantage of the choice they are offered. Gerloff reminds the EC that it will constantly need to monitor the success of the ‘ballot screen’. “Microsoft is a convicted monopolist and has broken countless promises in the past,” he says. “We urge the European Commission to keep a sharp eye on how well this measure plays out in practice.”

After initially displaying the choice screen in new installs, Microsoft stopped doing so after a while. It claimed that this was due to a technical glitch which had simply gone unnoticed. For more than a year.

Sure. Why would anyone at a company of Microsoft’s size feel the need to keep an eye on such minor details as antitrust settlements?

Joaquín Almunia, the EC’s competition chief, was clearly not amused. In a statement on the fine, he said:

The lack of compliance is, as a matter of principle, a serious breach of EU law itself.

If companies agree to offer commitments which then become legally binding, they must do what they have committed to do or face the consequences – namely, the imposition of sanctions.

I hope this decision will make companies think twice before they even think of intentionally breaching their obligations or even of neglecting their duty to ensure strict compliance.

Faced with a blatant breach of the agreed settlement, the Commission had no choice but to act decisively. The alternative of doing nothing, or imposing a minimal token fine, would have made European competition regulators look like paper tigers.

As Microsoft has now, again, learned to its cost, the EC demands to be taken seriously on such things.

Yet while large in absolute terms, the fine amounts to 1% of the company’s revenue in 2012. There is a danger that companies of this size see regulatory interference as a mere cost of doing business, rather than as an impulse to mend their ways. To achieve this, more forceful measures may be necessary, such as excluding offenders from public procurement for a limited amount of time.