Eric Rescorla is a man who speaks frankly about internet security. You might have guessed that from the name of his consultancy – RTFM – an acronym politely translated as “read the friendly manual”… except that it’s usually not politely translated. He’s the co-designer of secure HTTP, and now works on security issues with Skype.

In a conversation about cyberwarfare at Princeton, his assertion – “The internet is still too secure” – raises a few eyebrows. But his key message – “things could be a lot worse” – is a useful counterpoint to the rhetoric of cyberwarfare that Dr. Lin explores, and helps show the tensions between the computer security community and the defense community (not to mention with the human rights community.)

Rescorla asserts the following:

We have nearly unbreakable crypto primitives.
AES resists all practical attacks, RSA isn’t quite as strong as we’d like – but there is good new stuff in the pipeline, and there’s been significant progress made on addressing collisions in SHA-1. “There is no serious concern we’re going to run out of crypto any time soon.” The problem instead is getting the new stuff into use – we’re not using the strong stuff that we already have.

We think we know how to build secure protocols.
There’s been no basic change in security design since 2000. We’ve got good protocols for data object security (S/MIME, PGP), for stream security (SSL/TLS, SSH), for packet security (IPsec, STLS) and for authentication (Kerberos). Our work isn’t on deploying new protocols – it’s on addressing flaws in existing implementations – updating to newer hash functions after MD5/SHA-1 attacks, for instance. And it’s on gluing together existing protocols, none of which have really changed since 2004.

We can’t build systems that are reliably secure.
Good implementations are hard. We recently saw an attack on OpenSSL where a single “record of death” can crash the whole system. Debian managed to break their psuedorandom number generator, which meant that Debian keys were highly predictable and crackable with a table of only 32,000 keys. This probably affected 1% of internet connected machines.

This is just the security critical code. As Steven Bellovin at Columbia has pointed out, “Software has bugs. Security software has security relevant bugs.” And we’re bad at finding these bugs – audits are time consuming and there’s no evidence that they significantly affect the discovery rate for bugs. And affected implementations are slow to go away.

User practice is appaling.

Users are careless. They install random software from untrusted sources. They ignore our carefully constructed messages designed to prevent man in the middle attacks. And crypto doesn’t do much for you if your system’s been compromised.

Things could be a lot worse.

Despite all this, things aren’t so bad. Why is computer security so poor despite twenty years of work on the topic? We’ve been working on personal security for 10,000 years – why aren’t human beings invulnerable? Security people always think about the worst case scenario, but the actual attacks we experience are fairly primitive.

The Debian PRNG bug is about as bad as it gets, but there was no evidence of practical attacks in the field. You can mount a DOS on the whole internet pretty easily – publish bogus BGP routes, as Pakistani ISPs did while trying to block YouTube. As a practical matter, we can almost always get to YouTube. The internet shouldn’t work, but it does. Perhaps the question we need to be asking ourselves is “What’s a rational level of paranoia?”

Dr. Herbert Lin of the National Academies led a team to develop a study of cybersecurity and cyberattack for the MacArthur foundation. The report, “Cyberattack Capabilities“, is the first major unclassified look at cyberattack capabilities, Lin tells us.

Lin tells us that too little attention is being paid to offensive aspects of cybersecurity. We understand “passive defenses” like anti-virus software, intrusion detection software and law enforcement strategies. But we don’t know much about our policy on cyberattacks because most of that information is classified.

What could we – and “we” means US defense forces (I think) – do if we wished to launch cyberattacks? We could deploy a set of remote attacks – virii, denial of service attacks, active penetration over the internet. We could also mount “close access” attacks based on compromising 3rd party suppliers of hardware or software – for instance, we could persuade a US anti-virus software manufacturer to eliminate a particular viral signature so we could attack using that virus. And we could engage in social operations, tricking or bribing network operators to gain access to systems.

Lin notes that “attack and expolitation are technically very similar” and, in fact, may be indistinguishable to the attacked party – in other words, it’s unclear whether someone’s trying to steal your credit card number or affect you for military or political reasons.

He quotes Admiral Mike McConnell as saying, “We’re losing the cyberwar”, and suggesting that we can win it by deploying an aggresive strategy to warn and assess when we’re being attacked. Lin points out that it’s hard to know when a cyberattack is in progress and very hard to attribute them. It’s unclear why an attack is taking place, and while we tend to think we know why an attack is going on, we’re often wrong. He quotes an unnamed DOJ official who says that we are “often wrong, but never in doubt” about why we’re under cyberattack.

If we’re interested in pre-empting cyber attack, “you need to be in the other guy’s networks.” But that may mean breaking into the home computers of US citizens. To the extent that cloud computing crosses national borders, perhaps we’re attacking computers in multiple jurisdictions. Lin wonders whether a more authenticated internet will actually help us to pre-empt attack. And he reminds us that US Strategic Command asserts authorization to conduct “active threat neutralization” – i.e., logging into your machine to stop an attack in progress.

Conducting effective forensics might require multiple intrusions to determine what’s actually happened. We need to consider what’s possible or effective in terms of retalliation – rules of war suggest that we’re entitled to a response in self-defense to prevent similar attacks.

Dr. Lin notes that it’s not a violation of international law to collect intelligence abroad. It’s possible to engage in covert action as regulated by US statute. And there’s an array of possible responses the US could launch in response to cyberattack (Lin pauses to note that he’s not advocating any of these) – we could attack enemy air defenses, hack their voting machines to influence an election, conduct campaigns of cyberexploitation to spy within those nations. Given all this, aren’t nations entitled to fear the consequences of a “free and open” internet? Might they reasonably choose to tighten national control over the internet?

Cyberoperations might threaten the private sector. We could imagine an attacker going after civilian infrastructure and targeting major US corporations. The Geneva Convention allows the targetting of dual-purpose infrastructure as part of a military activity – 90-95% of military communications are carried over civilian links, and military bases are heavily dependent on civilian electrical infrastructure, and we could expect those networks to be attacked in the case of cyberwarfare.

Essential to this discussion is the question of “what’s a use of force?” Is it a distributed denial of service attack? The destruction of data? Just the repeated probing of networks? Could the simple insistence of free access to information be regarded as a threat to national soverignty?

Dr. Lin asserts that there is “no legal way to stop an ongoing attack”. Relying on law enforcement to stop an attack isn’t a realistic strategy – the response will happen in months, not in minutes.

He closes by noting that a network environment conducive to warfighting “may not be an environment that we recognize as free and secure.” He invites us to participate in a series of research papers that discuss strategies for dissuading adversaries from launching cyberattacks, and the civil liberty implications thereof.

I cam away from Dr. Lin’s presentation unsure of whether he was channeling the thinking he hears in defense department circles or whether he was advocating an understanding of cyberwarfare in this frame. I asked him a question about the VPSKeys attack on Vietnamese dissidents and got an unsatisfying answer: “that’s not cyberwar.” But I spent some time talking to Dr. Lin after his presentation and got a clearer picture – yes, he believes that cyberwar exists. But his definition is a very tight and precise one – cyberwar is a digital component to a broader attack in a conflict between states. Or, it’s a digital attack between states that causes real, serious physical or economic harm, directly or indirectly. Much of what gets discussed as cyberwar doesn’t rise to this standard, and Dr. Lin shares my concern that cyberwar is overhyped. However, he sees the importance of raising these issues in a defense context and thinking through the implications – if we’re going to assert a right of response to cyberattack, we need to be able to answer questions of what constitutes force and who’s exerting that force.

Alec Ross, Hillary Clinton’s senior advisor for innovation and advocate for “21st century statecraft” is the opening speaker at Princeton University’s CITP’s conference on Internet Security and Internet Freedom. In introducing him, Steve Schultze notes that Ross has noted that “if Paul Revere were riding now, he would have tweeted,” rather than yelling out his message. Schultze points out that this was a wise choice: “If he used Google Buzz, he might have inadvertently revealed the identity of the Sons of Liberty.”

Ross is the co-founder of digital divide organization One Economy and now serves as the resident “tech guru” in Hillary Clinton’s state department. Generously acknowledging that some of the best thinking about internet freedom is being done by people at Princeton like Rebecca MacKinnon, Alec says he’s interested in looking at the big picture rather than offering specific policy prescriptions.

And by big picture, Alec means loking back to Egyptian civilization to consider the history of conflicts between open and closed states. He argues that “the 20th century marked by conflict between left and right, while the 21st century will be marked by conflict between open and closed.” In 3rd century BC in Alexandria, a society that was open to dissent and religious pluralism produced innovations in geometry and anatomy, and created a conducive working environment for scholars like Euclid and Archimedes. Five hundred years later, when Roman emperor Caracalla visited the city and found himself parodied in visual satire, he closed the society in a dramatic fashion, killing 20,000 young men (those of arms-bearing age and younger). That closure of society was a precursor of the “dark ages” under the Holy Roman Empire and the Catholic Church.

During the European dark ages, we saw a flourishing of scholarship in Baghdad, the Islamic Golden Age, enabled by the Koranic injunction (which Ross repeats, for emphasis): “The ink of a scholar is more holy than the blood of a martyr.”

The dark ages were the product of intelelctual and spiritual hegemony caused by control of access to text. Control of books, including the Bible, were the source of intellectual and political hegemony, until the invention of the printing press. The rise of the press coincided with the inquest of Gallileo, the “last gasp of a closed theocracy.”

Fast forwarding to today, Ross terms 2009 “a bad year for internet freedom,” perhaps the worst on record. From the closure of the Internet in Uighur regions of China to the crackdown on online dissent in Iran after the Green Movement demonstrations, we’ve seen internet freedom move backwards. In the face of this environment, Secretary Clinton is articulating an agenda that’s moving the idea of a single, connected, unfragmented internet from the periphery of policy issues to the very center of the conversation.

Ross urges us to reject a narrative of internet freedom that centers solely on “one country, one company, one strategy”: China, Google, and proxies and circumvention. While these topics are “catnip for the press”, the lead to an oversimplified version of the field. Yes, Ross says, we disagree with China on this topic, but we need tofocus on North Africa, the Levant, Australia, the rest of Asia as well. More than anything else, we should focus on nations just coming online in a big way. Many of these nations are “on the fence” – they see the possibility of “turning the internet into an intranet” – as China is doing – and we need to urge them not to go in this dimension.

Yes, Google is deeply involved with issues of internet freedom. But we need to be similarly concerned with blogging spaces that aren’t American, which are native, organic to different countries. And we can’t frame this in terms of American corporate interests versus foreign authoritarian powers – it’s an oversimplification. And we need to cast a wider net for solutions beyond proxy and circumvention technologies. Ross tells us that State is funding, will fund and will increase funding for circumvention tools. But we need a broader set of responses including training, support to grassroots organizations, bloggers, and protecting people who are less technologically savvy. Ross doesn’t see a silver bullet – a technology that “fixes” internet censorship – coming any time soon.

Addressing cyberutopianism, Ross tells us “Nobody believes in the power of the internet more than me.” But we “can’t sprinkle the internet on a problem and expect grow up to be healthy, wealthy and wise.” Instead, we have to recognize that the internet is one piece of a much broader ecosystem. And we need to understand that governments can use these tools for repression – the Iranian government learned very quickly how to turn the internet to their purposes in the wake of the green movement protests.

That complexity aside, Ross believes that demographics are destiny, Youth are demanding digital media and market forces will eventually force the hand of oppressive governments. In a five to fifteen year time horizon, we’ll see a more open internet and more open societies… and this may not always be a smooth and easy transition.

• Recap: TEDxVolcano | Dare Mighty Things – The Blog of Entrepreneur & Social Entrepreneur Ryan Allis
  Notes from a spontaneously organized TED conference in London, caused by smart folks grounded by the Icelandic volcano eruption.
  (tags: TED volcano conference twitter spontaneous travel virtual)
• Politically Motivated Attacks Could Force Enterprises To Reshape Defenses – hacktivism/Security – DarkReading
  DDoS story focuses on opt-in attacks, less on botnet attacks. Interested in which is more pervasive, dangerous
  (tags: ddos freespeech censorship)
• J-Lab | Publications
  Jan Schaffer and J-Lab take a very thorough look at the news media environment in Philly and recommend solutions based around online community media
  (tags: journalism community collaboration philadelphia hyperlocal philly media j-lab schaffer)

What’s infrastructure?

Colleagues at the Berkman Center have spent a lot of intellectual energy on this question lately. We’ve been lucky enough to have Christian Sandvig, communications scholar and technology critic, with us this past year, and he’s convened a group dedicated to the discussion, dissection and understanding of the infrastructures that make our contemporary world possible.

I, for reasons of a transportation infrastructure that makes it expensive, environmentally irresponsible and inconvenient to commute the 300 miles round trip to Boston more than a couple of times a month, haven’t been part of Christian’s infrastructure group. And so I don’t know whether my definition of infrastructure is wrong, derivative or merely flip:

Infrastructure is the stuff we ignore until it breaks. Then it’s the stuff we’re stunned to discover we’re dependent on.

I wrote about this idea fifteen months ago as I tried to figure out an apparent paradox – the very existence of some infrastructures make us feel more connected to the rest of the globe, even if we seldom use that infrastructure to make non-local connections. I ended up suggesting that we start making maps of how traffic flows on top of infrastructures and contrast these to the maps of the infrastructure themselves, and that we pay very close attention when infrastructures break, because we learn more from dysfunction and failure than from their transparent success.

So the eruption of the Eyjafjallajökull volcano and the resultant closure of northern European airspace seems like a great time to think about air travel.

At least six Twitter friends were stranded in different corners of Europe on trips interrupted by volcanic ash. They’re a good-humored bunch, despite what’s obviously a frustrating situation. One friend took extraordinary measures (including a 24-hour bus ride) to get from one corner of the continent to the other to give a speech. Another did his best to enjoy an involuntary trebling in length of his Barcelona holiday. All were, I think, reassured by the social permission that comes from a natural disaster – it’s hard to be angry with someone for missing a professional commitment when they’re blocked from travel by the mighty god Vulcan. It’s starting to sound a little bit like a hemispheric snow day – perhaps the best example of this was the TEDxVolcano conference, organized in less than 24 hours to take advantage of the fact that a lot of very smart people were stranded between gigs in London and willing to get together and live-stream a conversation.

The immediate consequences of airspace closure are clear. People were stranded on the wrong continent for quite some time. Perishable commodities – fresh flowers, produce, some pharma – were in short supply and their producers lost revenue. Airlines lost revenue, and will probably lose more even after the disaster, as nightmare stories of being stuck in Europe or North America tend to interfere with summer vacation fantasies.

As Jeff Jarvis noted, airlines aren’t really networks. They have a lot of trouble reconfiguring to cope with partial system failure. It would be great if everyone could have hopped on the train from the Netherlands, Barcelona and Berlin and converged in Rome, where flights could run around the clock to ferry stranded travellers to the US. That’s how internet engineers would try to address the problem. My guess is that Rome’s airspace is already pretty congested and can’t double or triple the number of flights that land at FCO… while most internet infrastructure is built to sustain peaks of activity that dwarf everyday traffic, which makes this sort of rerouting possible. And, unlike well-architected data networks, there’s not a ton of redundancy built into airline networks. Hundreds of smaller airlines use Heathrow as their main hub for international traffic. Qatar wasn’t directly affected by the ash cloud, but much of their travel hubs through London and the disruption likely had some financial impacts.

What’s interesting to me is what will happen if the airspace closure wasn’t a one-time thing. As many commentators have observed, it will be bad for airlines, good for trains, ocean liners and videoconferencing companies. But I wonder whether the changes won’t be more subtle and pervasive.

Because the infrastructure of international air travel is generally so reliable, we assume that physical presence over long distances is constrained primarily by time and money. A conference organizer in London invites me to speak at an event – she’s conscious that I’ll say no unless she pays for the airfare, and usually works to make the request for my time as modest as possible. Because we both assume that air travel almost always works, we can agree on a plan that would have seemed absolutely ludicrious even a generation ago – I’ll fly in Thursday night, speak Friday morning and head back early on Saturday, spending less than 24 hours on the ground. (Yes, I’m scheduled to do this in June. Yes, I understand how ludicrious this is.)

Visualization of CO2 impacts of volcanic eruption, aerospace closure from Information Is Beautiful.

It’s possible that Eyjafjallajökull could change this. If a 24 hour trip to London has a significant risk of becoming a 5 day trip to London, the calculus changes. As much as frequent travellers gripe about delays and cancellations, they’re pretty infrequent, and mass delays like the ones currently being experienced are downright rare. If they become commonplace, I personally would expect to say no to travel lots more often and do a lot more appearances via Skype and videoconferencing.

When the price of gas shot past $4 a gallon in the US, people started selling off their large SUVs and buying hybrids. Almost every organization I work with has a policy that they’re going to start travelling less, using more telepresence and trying to minimize their environmental impact. But I haven’t seen those policies actually change behaviors – I still get asked to travel far more than I get asked to appear via Skype video. Getting stranded, and the threat of possible future stranding could be an impetus towards actually changing our behavior as regards how we hold meetings, conferences and other events. And perhaps we’d actually get better at doing virtual events.

I gave a talk at MIT earlier this month that reminded me both how powerful and how limiting videoconferencing is. I moderated a panel in an auditorium at MIT with a live audience, but all my guests appeared over Skype. When we initially set up the room, there was no way for me to see the monitor where our guest speakers appeared. I found that so disconcerting that I ended up moving the monitor and repositioning my chair, so I could make “eye contact” with the panelists. They, however, couldn’t see me… though they could see Chris Csikzentmihayli, who was managing the feeds. More than one of the participants sent a note expressing their happiness with the event, but commenting on the challenge of not being able to see a moderator. Obviously, we’ll do better next time, putting an iSight camera on my face and perhaps another on the audience.

But the mechanics of the panel aren’t the problem – it’s the social contact that falls off in virtual events. As much fun as my conversations with panelists were, the unexpected, serendipitous connections were the ones I made with a Nigerian science journalist and an Iranian hacker in the bar after the panel. I suspect that tools like Twitter could make these virtual events a lot more social than they’ve been in the past, but it’s very hard to imagine getting the same level of informal interaction that we have in real life

Or maybe we haven’t tried hard enough. If travel between North America and Europe becomes difficult or impossible – i.e., if the infrastructure we usually ignore forces us to pay attention to the challenges of physically convening meetings – maybe we’ll force ourselves to get better at being virtual. I put this question to a group of friends who’ve organized a number of conferences and got some good suggestion: perhaps we could set up terminals running Skype in the venue, so that the audience could crowd around and ask speakers questions after the formal presentation? Perhaps we combine this phase of the event with a cocktail hour, where the speakers are encouraged to open a beer and continue the conversation with whoever comes by to talk to the screen. (One friend insists that there’s nothing more depressing than drinking alone and suggests that whoever presents remotely assemble her own audience, even if it’s an audience of one, to root her on and celebrate alongside.)

What happens when infrastructure’s no longer reliable? If it’s no longer invisible, do we start questioning our dependence on it? Is that what we need to motivate us to look for different solutions?

Harry Dugmore of Rhodes University is working on a pioneering project to provide news and information into urban neighborhoods in South Africa via mobile phones. The project – Lindaba Ziyafika (the news is coming) – is designed to create and distribute news in the context of the “techno-social flux” that South Africa is experiencing.

South Africa has low but improving broadband access, growing from a low base. But there’s rapid uptake of cellphones – almost 100% of families have access to them. The phones are getting faster and smarter and an increasing number have access to the internet. But costs of internet access in general are absurdly high.

Africa, as a whole, suffers from low journalism density. (Actually, South Africa probably doesn’t – it appears to have a journalist to citizen ratio like the US, but there are countries like Ethiopia where there’s one journalist to 100,000 citizens.) As a result, Dugmore believes that user-generated content needs to play a huge role.

The situation is changing quickly. The major constraint on African internet expansion – undersea internet cables – are being built at a ferocious rate – in the next year or two, the capacity will be 400x what it was in 2007. This isn’t neccesarily changing the prices for bandwidth – South Africa just got uncapped ADSL broadband… but at prices no one can afford: $30-40 a month, which is impossibly high in a country where many people live on $2 a day.

Internet penetration in South Africa is around 8% via fixed broadband, behind Egypt and Nigeria. But cellphone penetration is growing like crazy – only 200,000 people had cellphones when the nation became independent and Mandela took the presidency. Now there are 34 million users, and there are more SIM cards in use than there are South African citizens. That’s because people want to avoid interconnect fees – they carry multiple SIM cards and negotiate with each other for the least expensive calls. (He tells us that everyone is waiting for Chinese phones that allow you to insert multiple SIM cards and do this negotiation via software, not hardware.) By
2012, 600m people will have mobile phone access across the continent. Dugmore argues that there’s a strong correlation between democratic governance and places where people have mobile phone access. (I want to run the numbers on this – I’m not sure this is as strong a correlation as he thinks.)

So how do you create informed communities in a sustainable way, taking advantage of this changing technical and social environment. You need to focus on mobiles, and you need to get more audience generated inputs. For Dugmore and his team, this has meant training citizen journalists and offering them incentives to participate. It also means using SMS and instant messages to supply news and information. Finally, it means accepting the “news will find me” culture that characterizes a digital age.

The journalists behind the Lindaba Ziyafika project are largely unemployed adults in their early 20s. They’re producing content that’s ending up in the 140 year old newspaper that serves Grahamstown. The content is distributed first via online media – SMS, messages through systems like MXit (an incredibly clever hack that uses the cheaper data connectivity available on African cellphones to evade the huge expenses of SMS messages), Twitter and Facebook. Facebook is now the most used site in South Africa, and Twitter is the 9th.

As such, Lindaba Ziyafika is based around Nika, a new workflow system for newspapers, which incorporates Facebook, SMS, IM as input and outputs into the newsroom. It’s a content management system that accepts the idea that mobile phones are the first platform for distribution and print the last.

What can we learn from the project? Making citizen media work in poor countries requires:
- heavy training and some cash incentives for participants
- mobile news first, print second
- embrace of mobile-friendly platforms

In the long run, revenue may come from time-sensitive advertising – coupons that expire quickly, requiring users to watch closely and act fact – 50% off bananas at the local market… now 49%, now 48%. They’re just starting to implement this and waiting to see what comes next.

Moving across the UTexas campus, I’m now at the International Symposium on Online Journalism, hosted by my friend Rosental Alves. The presenters I’ve seen so far are primarily academic researchers conducting experiments to increase the understanding of the relationship between online and offline journalism. Tomorrow includes more practicioners and may have something of a different tone. (I think I’m here more as a practicioner than as an academic, but at this point, in this crazy month, who knows?)

Joshua Braun, a PhD student in communications at Cornell, is studying the adoption of blogging software by network news sites. He traces this trend back to 2002, when ABC News started “The Note” and MSNBC started “Cosmic Log”. As news organizations started these new sites, they talked about “unprecedented transparency” about news decisions of the network – CBS’s new blog promised (somewhat disturbingly) “personal, intimate contact with news consumers”.

If the promise of these blogs was more transparency and interactivity, the results have been disappointing. “There’s been no lifting of the veil,” he tells us. Instead, they’re just new venues for broadcasting video repurposed from their channels.

As such, “what journalists do with blogs is different from what the rest of us do with it.” One of his interview subjects tells him, “I don’t know what a blog is now,” except that they seem to enable less formal speech. Some value blogs because they allow for faster publication of news – one informant tells him “we put stories in blog form to keep up.”

Braun suggests that we’re seeing a publicly presented finished product, produced through an idealized procedure, but readers have very little ability to actually examine the deliberations that go into production. (He offers a comparison to jury trials, which he sees as similarly idealized and practically opaque.) The “stage management” of comments through moderation might be necessary for a medium to maintain credibility, but it’s hardly transparent. He asks, “Should we be critical of this enclosure, or recognize that it’s essential for journalism?”

Pinar Gurleyen and Perrin Ogun Emre have been carrying out research on Turkish media and the emergence of blogs as a space for journalism. They point out that the Turkisn media is controlled by four major groups since the end of the state monopoly on broadcasting in the late 1990s. A recent economic crisis has caused these media giants to lay off many journalists, and some journalists have responded by starting websites and, more recently, by starting blogs.

They believe there are roughly 1 million Turkish bloggers, but it’s unclear which are bloggers. The researchers see the spaces of blogging and journalism as deeply different – they posit a democratic deficit that arises from ownership structures and wonder whether bloggers can create a paradigm shift for greater justice.

They interviewed nine journalists who’ve embraced blogs and used them for five years or longer. Two work in alternative media, and seven for mainstream programs or publications. They were interviewed on their motivations for blogging, the differences between conventional media and blogs in terms of content and workflow and their thoughts on liberatory potential of blogs.

The journalists they spoke to saw blogs as little more than an online platform to reuse original material produced for mainstream media, forming online porfolios or dossiers. While they saw the lack of editorial control as a benefit, they didn’t identify as members of the blogging community but as professionals, they rejected the informal tone of the blogosphere, and sometimes rejected user-created content like comments. Whatever these journalists were doing, it was different from Turkish blogging as we know it.

Nagwa A. Salam Fahmy, professor of journalism in the Mass Communication Department at Ain Shams University in Cairo looks at Egyptian blogs to study one of the most difficult phenomena in communications to document: agenda-cutting. Agenda-cutting occurs when a news story isn’t reported because powerful forces – government, corporate or otherwise – prevent its publication through influence, threats or direct intervention. It’s a pretty common occurance in Egypt, where the country has been under “emergency rule” since 1981, giving the government powers to restrict freedoms of the press. But it’s hard to document – how do you study news stories that never emerged?

Fahmy posits that blogs – which are plentiful in Egypt and often politically active – represent an alternative space to fight the government’s restrictions on flow of information. Of the 160,000 blogs in the country, she focused on a particularly fascinating one - Wael Abbas’s “Al Wa’y El Masry“. Abbas is an important Egyptian human rights activist who’s experienced police harrasment for his work, and his blog is often able to break stories that don’t make it into mainstream media.

Fahmy studies whether blogs are able to report stories that are restricted by the government and asks whether readers will see these stories as credible. She further wonders whether the comment threads around these stories can emerge as spaces for public debate. Her interest is based on the fact that no laws govern blogging in Egypt, and that blogs like Abbas’s include detailed descriptions of street protests and video footage. She believes that spaces like Abbas’s blog can serve to inject stories into mainstream media as well as – potentialy – covering stories that are cut from the news agenda.

Her analysis revealed seven stories on the blog that didn’t receive media coverage. Four focused on torture and police abuse, and another cluster were on the tapping of the phones of a key opposition political figure. She found evidence that readers found these stories very credible, but she was disappointed by the possibility of using the comments for debate, noting “the language is very vulgar”. Overall, she’s hopeful that this reveals the possibility that blogs can function as an alternative space in an otherwise closed media environment.

(I follow Egyptian media as closely as I can with my lack of Arabic, and I know Wael, so I was particularly interested in this talk. I just skimmed Fahmy’s paper which is excellent, and doubly impressive as this is the first time she’s written an academic work in English.)

Norwegian media scholar Arne Krumsvik offers an analysis of Norwegian online newspapers. Before jumping into his research, he needs to explain that Norwegians are a bit different than Americans when it comes to media. The country’s got the second highest newspaper consumption in the world, behind only Japan, and possibly the highest online penetration. In Norwegians 50 and under, 90% use the internet daily, and in 35 and under, 90% use mobile data services daily. Norway’s media environment encourages freedom of expression and public debate, and provides press subsidy and public support for newspaper production to encourage debate.

It’s no surprise then that Norwegians started a serious online (only?) newspaper in 1996. Krumsvik studies how online and offline editions of newspapers are regarded by Norwegians of different ages. Both are regarded as very important by readers, regardless of age. But online editions are regarded as more important for people who reported they valued freedom of expression heavily. Oddly, the more a group spends on producing online content, the more skeptical readers appear to be. But while user skepticism increases with production cost, journalist skepticism of the value of online products is high across the board. And editors report that they hate moderating user activities, and would favor much heavier moderation. (Users who favor online editions for their freedom of expression uses don’t favor such moderation.)

His conclusion – there’s a serious disconnect between online media producers and users, and the main motivation for most online publishing is image – appearing to be open and participatory, even if the publication resents the activity.

I’m at the LBJ School of Public Affairs at the University of Texas at Austin today. There’s a conference on financial transparency in Texas, featuring some excellent student work on making Texas’s finances on the local and state level more open and accessible.

The students presenting work offer an excellent model for how a state might pursue financial transparency. They suggest that:
- Data must be public, which equals being online
- The release of that data must be timely and user-friendly, which means accessible formats
- Data needs to follow the money, to allow citizens to monitor all aspects of allocation and spending
- Tranparent information must lead towards public participation

They offer these proposed payoffs to this sort of transparency:
- Efficiency – having data open and online means more efficient inter- and intra-agency cooperation
- Innovation – open data means that independent individuals, organizations and groups can use, remix and reformat in interesting ways
- Increased accountability, as citizens can review
- Increased participation – citizens can become more involved in government decisions through access to this data

The students propose centralizing information that’s scattered across dozens of existing websites into a one-stop shop, analagous to Alabama’s Open.Alabama.Gov site. This site could also make it possible to map spending, like Maryland’s site tracking the stimulus. It would include information in .CSV format, as the Texas comptroller’s office is currently doing.

They recognize the need to move beyond releasing data to energizing the community, and reference Sunlight Foundation‘s model that identifies a wide range of groups who could get energized by access to information. But they believe that there’s a need for educating the public, using something like North Carolina’s Budgeting 101 website, letting citizens understand the basics of how the budget works.

It’s not enough to do this work at the state level, the students argue. It needs to happen at the local level, with local governments publishing budgets, check registers and financial reports. The fight now is about formats – it’s not sufficient to release this as PDFs – it needs to be in sortable, searchable data. And not every group is equally open – while the Texas legislature is quite open, the appropriations process is not – the students recommend opening a set of appropriations documents, including the markup and decision documents, acknowledging the difficulty of releasing documents that are changing in real-time as negotiations take place.

They suggest that governments face four main challenges:
- The difficulty of working with outdated, incompatible software
- Limits to technical, financial and human resources capacity
- The perception that there’s risk from citizens misunderstanding the data released
- The lack of incentives and requirements to force governments to participate in this process

In the hopes of making this easier, the students are working with the UT Computer Science department to build a template that local governments could use to release their information. It’s encouraging to see such in-depth thinking about both the mechanics of and rationale for opening government financial data – here’s hoping the students are able to have an influence on the future of this movement within Texas.

It’s likely that these LBJ school students will have an ally in Victor Gonzales, the CTO for the Comptroller of Public Accounts. Gonzales explains the role of the comptrollers office – it’s the state’s monitor of revenue and spending, and the state’s purchaser. It’s also the main accountant for the state, and processes over a hundred billion dollars in checks and electronic fund transfers. As such, they’re very well positioned to provide a window into the state’s finances.

Gonzales has been building systems that allow citizens, groups and legislators track expenditure, drilling down to the check register level by agency, payee and object of expense. Putting this information online has already led to $10 million in savings – he gives the example of discovering how much money the state was spending on copier toner, and deciding to negotiate a new contract to get a better deal from a central supplier.

His principle in building these systems – start small and keep them simple. When he took the position, his first question was “what could we do by the end of the week?” Turned out, they were able to release information from their own shop and set a precedent for the rest of the government. The project is no longer so simple – it’s quite powerful, with a site called “Where the Money Goes“, which allows deep exploration of government spending, and will soon be complemented with a site called “Where the Money Comes From”.

He closes with a great story: looking at accounts published online, the comptroller’s office discovered that a government department had bought a goat. For a little while, they worried that someone was eating cabrito for lunch at government expense. Turns out the goat was for scientific research. Score another victory for transparency.

My impressions of Monday’s meeting at the Bush Institue are somewhat pointillistic – I’ve ended up having interviews and conversations throughout that have kept me from blogging the blow by blow. And personal events have meant that this summary isn’t posted until 48 hours after the end of the conference. Still, there were fascinating ideas expressed, so here’s my set of impressions, rather than a narrative of the latter half of the day:

- Dr. Jeffrey Gedmin, president of Radio Free Europe/Radio Liberty, gave a talk that expressed healthy skepticism about the power of the internet for social change. His best line – “With Twitter, you can start a revolution, but it doesn’t teach you how to govern”, or to build the institutions you’ll need once you’ve taken power. He concludes that the Internet deserves two cheers, not three, arguing “it’s still all about the content”.

(You might expect me to take up the typical internet versus old media argument and defend the honor of our interactive media. But I agree with him that we need to use new media to build participatory public spaces, not just to try to lead revolutionary movements… and I’m deeply skeptical that these tools are really all that useful for leading rebellions.)

- Ernesto Hernandez Busto, a Cuban dissident and blogger living in Barcelona, notes that citizen media’s value in his country is reportorial, not organizational. Stories like the death of patients in mental hospitals through freezing to death would never have been reported in state-controlled media – to the extent that the internet creates an alternative media space, it’s the most important space for journalism.

- Rodrigo Diamante is trying to turn his struggle against the Venezuelan government into a broader movement with “Un Mundo Sin Mordasa” – a world without censorship. Diamante sees constraints on television and other media in Venezuela as signaling a possible movement towards internet censorship. It’s a neat example of a proactive, not reactive, movement to online filtering, as Venezuela isn’t currently controlling net traffic. And it’s intriguing to think about whether Venezuelan and Cuban dissidents could collaborate.

- Oleg Kozlovsky, an activist with the Oborona youth movement, gives possibly the bleakest vision of online repression. He explains that Russian bloggers are increasingly facing arrest, usually charged with “extremism”. The control over traditional media has led opposition voices to the online space, but that space may be increasingly controlled through traditional application of force.

- Arash Kamangir, appearing under his “nom de blog”, has been very open about his open questions about appearing at this event. He asked his blog readers whether they thought it was a good idea for him to appear at the George W. Bush Institute – roughly 40% of his readers urged him not to attend; 20% said he should attend but demand no preconditions, while 40% encouraged him to simply come and represent himself. In the same spirit of challenging some of the framings offered today, he reminds us “you can’t export revolution or democracy either.”

- Oscar Morales, an organizer of the Million Voces Contra Las FARC is now a fellow at the Bush institute. His laudable success in bringing millions of people into the street on February 4, 2008 is namechecked by virtually everyone who takes the stage (myself included.) He’s asked a great question – “Did marching actually influence the FARC? Would marching influence Al Qaeda?” He ducks the second question (understandably) and makes the case that the march was important for the morale for prisoners of the FARC held in the jungle, who were allowed to listen to the radio. This expression of solidarity and support is very important to Morales, and there’s an undercurrent throughout the conference of the importance of public displays of support for dissidence, even if that support doesn’t have a direct path to change.

- Dr. Peter Ackerman of the International Center on Nonviolent Conflict doesn’t address Morales’s statements on solidarity, but he offers a tough challege for those of us who celebrate social media for change: technology needs to follow strategy. If a movement doesn’t have a strategy for creating change, they’re unlikely to find a way to use technology effectively to build a lasting movement.

- David Keyes, co-founder of the new Cyberdissidents.org project, explains his agenda: he wants to make dissidents very famous. He’s worked closely with Russian refusenik and later Israeli politician Natan Sharansky, and took as a lesson from Sharansky’s work and life that dissidents who aren’t known suffer in silence, while those who are famous have their struggles publicized and escape some harm. He suggests that social movements like the April 6 movement in Egypt need to be less about the movement, and more about individual actors.

(Commenting on Keyes and the new organization, one of my correspondents wondered if the people Cyberdissidents is featuring want to be featured. It’s possible that being celebrated by a service associated with a right-wing Israeli leader could be dangerous for activists, leading either to more government persecution or to suspicion from fellow dissidents. I had breakfast with Keyes on Monday and came away with the impression that he was a very smart, well-intentioned guy working on a project that has a very different valueset than my projects do – specifically, he’s interested in amplifying a subset of middle eastern dissidents who espouse a specific philosophy of democracy, open governance and a rejection of violence, while projects like Global Voices focus on amplifying all voices, taking care that our platform not become a space for incitement to violence. But I thought this pushback on Keyes’s work is a concerning one, and I look forward to asking friends in the middle east – some of whom are currently featured on the site – what they think.)

- Adrian Hong, noted North Korean activist, asks a question none of us can answer: “What happens if Iran had turned off the internet” in the wake of the green revolution protests? The importance of this question for North Korea is incredibly clear, and none of us have a good answer for him.

- Daniel Baer, the deputy assistant secretary of the bureau of democracy, human rights and labor at the State Department (who memorably quipped that your importance at State is inversely proportional to the length of your title) did a great job of identifying the underlying tensions in this field:
- Do we value privacy over security, or vice versa? Sharing versus property? Freedom of expression, versus the capacity to express and incite hate? His takeaway – the tech is new, the values are old, and old in the sense that Article XIX of the universal declaration of human rights is old.

A final, personal takeaway: I had some misgivings about speaking at the George W. Bush Institute. I didn’t support the Bush presidency, I recognized the irony of a conference about undermining government surveillance hosted by a president who sharply increased US surveillance of domestic communications, and I worry about a framing of internet freedom that suggests that freedom can be exported. I’m really glad I came. The people I met were smart, engaged, willing to teach, learn and accept critique. I felt like 80% of the conversation of the day could have happened in an event held by a group with a sharply different political stance, like my friends at Open Society Institue, and the 20% which was different was fascinating as well. I’m grateful for the opportunity and for the warm reception Hal and I received from kind and thoughtful hosts. Monday’s meeting was a great reminder that it’s worth seeking out smart people you disagree with and looking for common ground – hope to do more of that sort of work.

Freedom House, a seventy-year old organization, founded by Wendell Willkie and Eleanor Roosevelt, is now focusing on measuring freedom in online spaces. Christopher Walker and Robert Guerra are representing the organization at the George W. Bush Institute meeting on cyberdissidents, and Chris Walker begins by asking broad questions about trends in global freedom. He explains that we hoped to see a move towards increased freedom in the wake of the end of the Cold War. Furthermore, we’d expected to see technical advances propelling freedom in a positive direction. And we did, for the first decade after the Cold War.

This progress has slowed in the second decade after the Cold War. And we’re forced to question our assumptions. One is that economic growth leads to greater freedom. Walker tells us that authoritarian states are increasingly part of the global trading system. They’re eager to engage commercilly, but that greater economic growth isn’t translating into greater political freedom.

We also tend to assume that globalization is leading towards greater freedom. And there’s certainly more information reaching China and Russia than in cold war days. Walker quotes Perry Link, and says, “One shouldn’t confuse diversity with liberalization or liberalism.” Because censorship can manage and guide news of political consequence, the abundance of media enabled by globalization doesn’t always equal freedom.

Finally, Walker argues, we tend to believe that the internet will equal greater freedom. But as countries embrace the internet, they often censor other media – television and radio networks in Russia are increasingly controlled by the state, which means that “the internet emerges as the principal alternative to media hegemony.” In other words, the internet might lead towards more freedom, but it might be in a climate of decreasing media freedom.

In the last few years, we’re learning enough that Walker is able to offer some new assumptions:

- Controlling everything (as a government) is neither essential nor desirable. There are so many ways for information to get into a closed society today that it’s not the goal of a government to stop information slow – the goal is to slow it down and make that flow awkward.

- Censorship can be commercialized. As Rebecca MacKinnon’s work in China makes clear, censorship is carried out by commercial actors like ISPs, not just by the “internet police”

- Authoritarianism 2.0 allows participatory repression. Here Walker references the 50 cent party, a group of pro-government voices in China who flood citizen media.

Robert Guerra joins the conversation to offer Freedom House’s state of the art on internet freedom. He prefers the term “net freedom”, which includes control over mobile phones, which he argues (correctly) are more important than the internet in most countries.

Freedom House’s work on net freedom looks at these questions:
- What techniques are used to control and censor online content?
- What are the main threats to the internet and digital media freedom?
- What are the positive trends in use of technologies?

To evaluate “freedom on the net“, Guerra tells us that Freedom House has looked at infrastructure availability, cost issues, limits to putting content online, and questions of whether content will be protected as free speech. FH surveyed 15 countries, including two in each region and a mix of developed and developing nations. They term Iran, China, Tunisia and Cuba as not free, Brazil, the UK, South Africa and Estonia as free, and the other countries in the set as partially free. One encouraging aspect is the fact that some young democracies – Estonia and South Africa – are recognizable as highly free.

In general, the internet appears to provide a more open space than the traditional media space. This difference, Guerra notes, is most notable in partially free countries. Guerra points to an array of civic activism success stories – facebook activists in Egupt, use of Twitter for political change in Moldova (an odd example, as the idea of “Twitter revolution” in Moldova has been roundly debunked), reporting of election violence in Kenya, the use of “sneakernets” in Cuba to share information. These success stories lead the press and commentators to consider internet access as a panacea. But countries are smart – they realize that they need to control this new space. And, as such, Freedom House reports some level of censorship in 11 of 15 countries and blogger arrests in 6 of 15 countries. He notes that participatory media – web 2.0 sites and SMS text messaging – are often the first services to be taken offline.

Guerra offers recommendations to support net freedom:
- We should apply values of freedom of expression and freedom of virtual association to the online world
- We should support legislation like GOFA to prevent the transfer of technology to repressive regimes
- We should consider using tools like the foreign corrupt practices act to prosecute companies when they release information to repressive regimes, as Yahoo! did with Shi Tao.
- We should monitor if situations around net freedom getting better or worse.