If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
What if there was a way for a business to transform any conduct it disliked into a felony, harnessing the power of the state to threaten anyone who acted in a way that displeased the company with a long prison sentence and six-figure fines?
Surprise! That actually exists! It's called Section 1201 of the Digital Millennium Copyright Act, the "anticircumvention" clause, which establishes five-year sentences and $500k fines for anyone who bypasses an "effective access control" for a copyrighted work.
Let's unpack that: every digital product has a "copyrighted work" at its core, because software is copyrighted. Digital systems are intrinsically very flexible: just overwrite, augment, or delete part of the software that powers the device or product, and you change how the product works. You can alter your browser to block ads; or alter your Android phone to run a privacy-respecting OS like Graphene; or alter your printer to accept generic ink, rather than checking each cartridge to confirm that it's the original manufacturer's product.
However, if the device is designed to prevent this – if it has an "access control" that restricts your ability to change the software – then DMCA 1201 makes those modifications into crimes. The act of providing someone with a tool to change how their own property works ("trafficking in circumvention devices") is a felony.
But there's a tiny saving grace here: for DMCA 1201 to kick in, the "access control" must be "effective." What's "effective?" There's the rub: no one knows.
The penalties for getting crosswise with DMCA 1201 are so grotendous that very few people have tried to litigate any of its contours. Whenever the issue comes up, defendants settle, or fold, or disappear. Despite the fact that DMCA 1201 has been with us for more than a quarter of a century, and despite the fact that the activities it restricts are so far-reaching, there's precious little case law clarifying Congress's vague statutory language.
When it comes to "effectiveness" in access controls, the jurisprudence is especially thin. As far as I know, there's just one case that addressed the issue, and boy was it a weird one. Back in 2000, a "colorful" guy named Johnny Deep founded a Napster-alike service that piggybacked on the AOL Instant Messenger network. He called his service "Aimster." When AOL threatened him with a trademark suit, he claimed that Aimster was his daughter Amiee's AOL handle, and that the service was named for her. Then he changed the service's name to Madster, claiming that it was also named after his daughter. At the time, a lot of people assumed he was BSing, but I just found his obituary and it turns out his daughter's name was, indeed, "Amiee (Madeline) Deep":
Aimster was one of the many services that the record industry tried to shut down, both by filing suit against the company and by flooding it with takedown notices demanding that individual tracks be removed. Deep responded by "encoding" all of the track names on his network in pig-Latin. Then he claimed that by "decoding" the files (by moving the last letter of the track name to the first position), the record industry was "bypassing an effective access control for a copyrighted work" and thus violating DMCA 1201:
The court didn't buy this. The judge ruled that pig Latin isn't an "effective access control." Since then, we've known that at least some access controls aren't "effective" but we haven't had any clarity on where "effectiveness" starts. After all, there's a certain circularity to the whole idea of "effective" access controls: if a rival engineer can figure out how to get around an access control, can we really call it "effective?" Surely, the fact that someone figured out how to circumvent your access control is proof that it's not effective (at least when it comes to that person).
All this may strike you as weird inside baseball, and that's not entirely wrong, but there's one unresolved "effectiveness" question that has some very high stakes indeed: is Youtube's javascript-based obfuscation an "effective access control?"
Youtube, of course, is the internet's monopoly video platform, with a commanding majority of video streams. It was acquired by Google in 2006 for $1.65b. At the time, the service was hemorrhaging money and mired in brutal litigation, but it had one virtue that made it worth nine figures: people liked it. Specifically, people liked it in a way they didn't like Google Video, which was one of the many, many, many failed internally developed Google products that tanked, and was replaced by a product developed by a company that Google bought, because Google sucks at developing products. They're not Willy Wonka's idea factory – they're Rich Uncle Pennybags, buying up other kids' toys:
Google operationalized Youtube and built it up to the world's most structurally important video platform. Along the way, Google added some javascript that was intended to block people from "downloading" its videos. I put "downloading" in scare-quotes because "streaming" is a consensus hallucination: there is no way for your computer to display a video that resides on a distant server without downloading it – the internet is not made up of a cunning series of paper-towel rolls and mirrors that convey photons to your screen without sending you the bits that make up the file. "Streaming" is just "downloading" with the "save file" button removed.
In this case, the "save file" button is removed by some javascript on every Youtube page. This isn't hard to bypass: there are dozens of "stream-ripping" sites that let you save any video that's accessible on Youtube. I use these all the time – indeed, I used one last week to gank the video of my speech in Ottawa so I could upload it to my own Youtube channel:
Now, all of this violates Youtube's terms of service, which means that someone who downloads a stream for an otherwise lawful purpose (like I did) is still hypothetically at risk of being punished by Google. We're relying on Google to be reasonable about all this, which, admittedly, isn't the best bet, historically. But at least the field of people who can attack us is limited to this one company.
That's good, because there's zillions of people who rely on stream-rippers, and many of them are Youtube's most popular creators. Youtube singlehandedly revived the form of the "video essay," popularizing it in many guises, from "reaction videos" to full-fledged, in-depth documentaries that make extensive use of clips to illuminate, dispute, and expand on the messages of other Youtube videos.
These kinds of videos are allowed under US copyright law. American copyright law has a broad set of limitation and exceptions, which include "fair use," an expansive set of affirmative rights to access and use copyrighted works, even against the wishes of the copyright's proprietor. As the Supreme Court stated in Eldred, the only way copyright (a government-backed restriction on who can say certain words) can be reconciled with the First Amendment (a ban on government restrictions on speech) is through fair use, the "escape valve" for free expression embedded in copyright:
https://en.wikipedia.org/wiki/Eldred_v._Ashcroft
Which is to say that including clips from a video you're criticizing in your own video is canonical fair use. What else is fair use? Well, it's "fact intensive," which is a lawyer's way of saying, "it depends." One thing that is 100% true, though, is that fair use is not limited to the "four factors" enumerated in the statute and anyone who claims otherwise has no idea what they're talking about and can be safely ignored:
Now, fair use or not, there are plenty of people who get angry about their videos being clipped for critical treatment in other videos, because lots of people hate being criticized. This is precisely why fair use exists: if you had to secure someone's permission before you were allowed to criticize them, critical speech would be limited to takedowns of stoics and masochists.
This means that the subjects of video essays can't rely on copyright to silence their critics. They also can't use the fact that those critics violated Youtube's terms of service by clipping their videos, because only Youtube has standing to ask a court to uphold its terms of service, and Youtube has (wisely) steered clear of embroiling itself in fights between critics and the people they criticize.
But that hasn't stopped the subjects of criticism from seeking legal avenues to silence their critics. In a case called Cordova v. Huneault, the proprietor of "Denver Metro Audits" is suing the proprietor of "Frauditor Troll Channel" for clipping the former's videos for "reaction videos."
One of the plaintiff's claims here is that the defendant violated Section 1201 of the DMCA by saving videos from Youtube. They argue that Youtube's javascript obfuscator (a "rolling cipher") is an "effective access control" under the statute. Magistrate Judge Virginia K DeMarchi (Northern District of California) agreed with the plaintiff:
Remember, DMCA 1201 applies whether or not you infringe someone's copyright. It is a blanket prohibition on the circumvention of any "effective access control" for any copyrighted work, even when no one's rights are being violated. It's a way to transform otherwise lawful conduct into a felony. It's what Jay Freeman calls "Felony contempt of business model."
If the higher court upholds this magistrate judge's ruling, then all clipping becomes a crime, and the subjects of criticism will have a ready tool to silence any critic. This obliterates fair use, wipes it off the statute-book. It welds shut copyright's escape valve for free expression.
Now, it's true that the US Copyright Office holds hearings every three years where it grants exemptions to DMCA 1201, and it has indeed granted an exemption for ripping video for critical and educational purposes. But this process is deceptive! The exemptions that the Copyright Office grants are "use exemptions" – they allow you to "make the use." However, they are not "tools exemptions" – they do not give you permission to acquire or share the tool needed to make the use:
Which means that you are allowed to rip a stream, but you're not allowed to use a stream-ripping service. If Youtube's rolling cipher is an "effective access control" then all of those stream-ripping services are wildly illegal, felonies carrying a five-year sentence and a $500k fine for a first offense under DMCA 1201.
Under the US Copyright Office's exemption process, if you want to make a reaction video, then you, personally must create your own stream-ripper. You are not allowed to discuss how to do this with anyone else, and you can't share your stream-ripper with anyone else, and if you do, you've committed a felony.
So this is a catastrophic ruling. If it stands, it will make the production of video essays, reaction videos, and other critical videos into a legal minefield, by giving everyone whose video is clipped and criticized a means to threaten their critics with long prison sentences, fair use be damned. The only people who will safely be able to make this kind of critical video are skilled programmers who can personally defeat Youtube's "rolling cipher." And unlike claims about stream-ripping violating Youtube's terms of service – which can only be brought by Youtube – DMCA 1201 claims can be brought by anyone whose videos get clipped and criticized.
Is Youtube's rolling cipher an "effective access control?" Well, I don't know how to bypass it, but there are dozens of services that have independently figured out how to get around it. That seems like good evidence that the access control is not "effective."
When the DMCA was enacted in 1998, this is exactly the kind of thing experts warned would happen:
And here we are, more than a quarter-century later, living in the prison of lawmakers' reckless disregard for evidence and expertise, a world where criticism can be converted into a felony. It's long past time we get rid of this stupid, stupid law:
If you build it (and it works), Trump will come (and take it)
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Crises precipitate change: Trump's incontinent belligerence spurred the world to long-overdue action on "digital sovereignty," as people woke up to the stark realization that a handful of Trump-aligned giant tech firms could shut down their governments, companies and households at the click of a mouse.
This has been a long, long time coming. Long before Trump, the Snowden revelations made it clear that the US government had weaponized its position as the world's IT export powerhouse and the interchange hub for the world's transoceanic fiber links, and was actively spying on everyone – allies and foes, presidents and plebs – to attain geopolitical and commercial advantages for America. Even after that stark reminder, the world continued to putter along, knowing that the US had planted demolition charges in its digital infrastructure, but praying that the "rules-based international order" would stop America from pushing the button.
Now, more than a decade into the Trump era, the world is finally confronting the reality that they need to get the hell off of American IT, and transition to open, transparent and verifiable alternatives for their administrative tools, telecoms infrastructure and embedded systems for agriculture, industry and transportation. And not a moment too soon:
But building the post-American internet is easier said than done. There remain huge, unresolved questions about the best way to proceed.
One thing is clear: we will need new systems: the aforementioned open, transparent, verifiable code and hardware. That's a huge project, but the good news is that it benefits tremendously from scale, which means that as countries, businesses and households switch to the post-American internet, there will be ever more resources to devote to building, maintaining and improving this project. That's how scientific endeavors work: they're global collaborations that allow multiple parties to simultaneously attack the problems from many angles at once. Think of the global effort to sequence, understand, and produce vaccines for Covid 19.
Developing the code and hardware for the post-American internet scales beautifully, making it unique among the many tasks posed by the post-American world. Other untrustworthy US platforms – such as the dollar, or the fiber links that make interconnection in the USA – are hampered by scale. The fact that hundreds of countries use the dollar and rely on US fiber connections makes replacing them harder, not easier:
Building the post-American internet isn't easy, but there's a clear set of construction plans. What's far less clear is how we transition to the post-American internet. How do people, organizations and governments that currently have their data locked up in US Big Tech silos get it off their platforms and onto new, open, transparent, verifiable successors? Literally: how do you move the data from the old system to the new one, preserving things like edit/view permissions, edit histories, and other complex data-structures that often have high-stakes attached to them (for example, many organizations and governments are legally required to maintain strict view/edit permissions for sensitive data, and must preserve the histories of their documents).
On top of that, there's all the systems that we use to talk to one another: media services from Instagram to Tiktok to Youtube; chat services from iMessage to Discord. It's easy enough to build alternatives to these services – indeed, they already exist, though they may require additional engineering to scale them up for hundreds of millions or billions of users – but that's only half the battle. What do we do about the literal billions of people who are already using the American systems?
This is where the big divisions appear. In one camp, you have the "if you build it, they will come" school, who say that all we need to do is make our services so obviously superior to the legacy services that America has exported around the world and people will just switch. This is a very seductive argument. After all, the American systems are visibly, painfully defective: riddled with surveillance and ads, powered by terrible algorithms, plagued by moderation failures.
But waiting for people to recognize the superiority of your alternatives and jumping ship is a dead end. It completely misapprehends the reason that users are still on legacy social media and other platforms. People don't use Instagram because they love Mark Zuckerberg; they use it because they love their friends more than they hate Mark Zuckerberg:
What's more, Zuckerberg knows this. He knows that users of his service are hamstrung by the "collective action problem" of getting the people who matter to you to agree on when it's time to leave a service, and on which service is a safe haven to flee to:
The reason Zuckerberg knows this is that he had to contend with it at the dawn of Facebook, when the majority of social media users were locked into an obviously inferior legacy platform called Myspace. Zuckerberg promised Myspace users a superior social media experience where they wouldn't be spied on or bombarded with ads:
Zuckerberg knew that wouldn't be enough. No one was going to leave Myspace for Facebook and hang out in splendid isolation, smugly re-reading Facebook's world-beating privacy policy while waiting for their dopey friends to wise up and leave Myspace to come and join them.
No: Zuckerberg gave the Myspace refugees a bot, which would accept your Myspace login and password and then impersonate you to Myspace's servers several times per day, scraping all the content waiting for you in your Myspace feed and flowing it into your Facebook feed. You could reply to it there and the bot would push it out to Myspace. You could eat your cake and have it too: use Facebook, but communicate with the people who were still on Myspace.
This is called "adversarial interoperability" and it was once the norm, but the companies that rose to power by "moving fast and breaking things" went on to secure legal protections to prevent anyone from doing unto them as they had done unto their own predecessors:
The harder it is for people to leave a platform, the worse the platform can treat them without paying the penalty of losing users. This is the source of enshittification: when a company can move value from its users and customers to itself without risking their departure, it does.
People stay on bad platforms because the value they provide to one another is greater than the costs the platform extracts from them. That means that when you see people stuck on a very bad platform – like Twitter, Instagram or Facebook – you should infer that what they get there from the people that matter to them is really important to them. They stick to platforms because that's where they meet with people who share their rare disease, because that's where they find the customers or audiences that they rely on to make rent; because that's the only place they can find the people they left behind when they emigrated.
Now, it's entirely possible – likely, even – that legacy social media platforms will grow so terrible that people will leave and jettison those social connections that mean so much to them. This is not a good outcome. Those communities, once shattered, will likely never re-form. There will be permanent, irretrievable losses incurred by their members:
"If you build it, they will come" is a trap. Technologists and their users who don't understand the pernicious nature of the collective active problem trap themselves. They build obviously superior technical platforms and then gnash their teeth as the rest of the world fails to make the leap.
All too often, users' frustration at the failure of new services to slay the inferior legacy services curdles, and users and designers of new technologies decide that the people who won't join them are somehow themselves defective. It doesn't take long to find a corner of the Fediverse or Bluesky where Facebook and Twitter users are being condemned as morally suspect for staying on zuckermuskian media. They are damned for loving Zuckerberg and Musk, rather than empathized with for loving each other more than they hate the oligarchs who've trapped them. They're condemned as emotionally stunted "attention whores" who hang out on big platforms to get "dopamine" (or some other pseudoscientific reward), which is easier than grappling with the fact that legacy social media pays their bills, and tolerating Zuckerberg or Musk is preferable to getting evicted.
Worst of all, condemning users of legacy technology as moral failures leads you to oppose efforts to get those users out of harm's way and onto modern platforms. Think of the outcry at Meta's Threads taking steps to federate with Mastodon. There are good reasons to worry about this – the best one being that it might allow Meta to (illegally) suck up Mastodon users' data and store and process it. But the majority of the opposition to Threads integration with Mastodon wasn't about Threads' management – it was about Threads' users. It posited a certain kind of moral defective who would use a Zuckerberg-controlled platform in the 2020s and insisted that those people would ruin Mastodon by bringing over their illegitimate social practices.
I've made no secret of where I come down in this debate: the owners of legacy social media are my enemy, but the users of those platforms are my comrades, and I want to help them get shut of legacy social media as quickly and painlessly as possible.
What's more, there's a way to make this happen! The same adversarial interoperability that served Zuckerberg so well when he was draining users off of Myspace could be used today to evacuate all of Meta's platforms. We could use a combination of on-device bridging, scraping and other guerrilla tactics to create "alt clients" that let you interact with people on Mastodon and the legacy platforms in one context, so that you can leave the bad services but keep the good people in your life.
The major barrier to this isn't technological. Despite the boasts of these companies to world-beating engineering prowess, the reality that people (often teenagers) keep successfully finding and exploiting vulnerabilities in the "impregnable" platforms, in order to build successful alt clients:
The thing that eventually sees off these alt clients isn't Big Tech's technical countermeasures – it's legal risk. A global system of "anticircumvention" laws makes the kinds of basic reverse-engineering associated with building and maintaining using adversarial interoperability radioactively illegal. These laws didn't appear out of thin air, either: the US Trade Representative pressured all of America's trading partners into passing them:
Which brings me back to crises precipitating change. Trump has staged an unscheduled, sudden, midair disassembly of the global system of trade, whacking tariffs on every country in the world, even in defiance of the Supreme Court:
https://www.bbc.co.uk/news/articles/cd6zn3ly22yo
Ironically, this has only helped make the case for adversarial interoperability. Trump is using tech companies to attack his geopolitical rivals, ordering Microsoft to shut down both the International Criminal Court and a Brazilian high court in retaliation for their pursuit of the criminal dictators Benjamin Netanyahu and Jair Bolsonaro. This means that Trump has violated the quid pro quo deal for keeping anticircumvention law on your statute books, and he has made the case for killing anticircumvention as quickly as possible in order to escape American tech platforms before they are weaponized against you:
I've been talking about this for more than a year now, and I must say, the reception has been better than I dared dream. I think that – for the first time in my adult life – we are on the verge of creating a new, good, billionaire-proof internet:
But there's one objection that keeps coming up: "What if this makes Trump mad?" Or, more specifically, "What if this makes Trump more mad, so instead of hitting us with a 10% tariff, it's a 1,000% tariff?
This came up earlier this week, when I gave a remote keynote for the Fedimtl conference, and an audience member said that he thought we should just focus on building good new platforms, rather than risking Trump's ire. In my response, I recited the arguments I've raised in this piece.
But yesterday, I saw a news item that made me realize there was one more argument I should have made, but missed. It was a Reuters story about Trump ordering American diplomats to fight against "data sovereignty" policies around the world:
The news comes from a leaked diplomatic cable, and it's a reminder that Trump's goal is to maintain American dominance of the world's technology and to prevent the formation of a post-American internet altogether. Worrying that Trump will hit you with more tariffs if you legalize jailbreaking assumes that the thing that would upset Trump is that you broke the rules.
That's not what makes Trump angry.
What makes Trump angry is losing.
Say you focus exclusively on building superior platforms. Say by some miracle that everyone you care about somehow overcomes the collective action problems and high switching costs and leaves behind US Big Tech services and comes to your new, federated, cleantech, post-American alternative.
Do you think that Trump will observe this collapse in the fortunes of the most important corporations in his coalition and shrug and say, "Well, I guess I lost fair and square; better luck next time?"
Hell, no. We already know what Trump does when his corporate allies lose to a superior foreign rival – Trump steals the rival's service and gives it to one of his cronies. That's literally what he last month, to Tiktok:
The fear of harsh retaliation for any country that dares to be a Disenshittification Nation is based on the premise that Trump is motivated by a commitment to fairness. He's not: Trump is motivated by a desire to dominate. Anything that threatens the dominance of the companies that take his orders is fair game, and he will retaliate in any way he can.
I'm coming to COLORADO! Catch me in DENVER on Jan 22 at The Tattered Cover<, and in COLORADO SPRINGS from Jan 23–25 where I'm the Guest of Honor at COSine. Then I'll be in OTTAWA on Jan 28 at Perfect Books and in TORONTO with Tim Wu on Jan 30.
Samantha: This town has a weird smell that you're all probably used to…but I'm not.
Mrs Krabappel: It'll take you about six weeks, dear.
-The Simpsons, "Bart's Friend Falls in Love," S3E23, May 7, 1992
We are living through weird times, and they've persisted for so long that you probably don't even notice it. But these times are not normal.
Now, I realize that this covers a lot of ground, and without detracting from all the other ways in which the world is weird and bad, I want to focus on one specific and pervasive and awful way in which this world is not normal, in part because this abnormality has a defined cause, a precise start date, and an obvious, actionable remedy.
6 years, 5 months and 22 days after Fox aired "Bart's Friend Falls in Love," Bill Clinton signed a new bill into law: the Digital Millennium Copyright Act of 1998 (DMCA).
Under Section 1201 of the DMCA, it's a felony to modify your own property in ways that the manufacturer disapproves of, even if your modifications accomplish some totally innocuous, legal, and socially beneficial goal. Not a little felony, either: DMCA 1201 provides for a five year sentence and a $500,000 fine for a first offense.
Back when the DMCA was being debated, its proponents insisted that their critics were overreacting. They pointed to the legal barriers to invoking DMCA 1201, and insisted that these new restrictions would only apply to a few marginal products in narrow ways that the average person would never even notice.
But that was obvious nonsense, obvious even in 1998, and far more obvious today, more than a quarter-century on. In order for a manufacturer to criminalize modifications to your own property, they have to satisfy two criteria: first, they must sell you a device with a computer in it; and second, they must design that computer with an "access control" that you have to work around in order to make a modification.
For example, say your toaster requires that you scan your bread before it will toast it, to make sure that you're only using a special, expensive kind of bread that kicks back a royalty to the manufacturer. If the embedded computer that does the scanning ships from the factory with a program that is supposed to prevent you from turning off the scanning step, then it is a felony to modify your toaster to work with "unauthorized bread":
If this sounds outlandish, then a) You definitely didn't walk the floor at CES last week, where there were a zillion "cooking robots" that required proprietary feedstock; and b) You haven't really thought hard about your iPhone (which will not allow you to install software of your choosing):
But back in 1998, computers – even the kind of low-powered computers that you'd embed in an appliance – were expensive and relatively rare. No longer! Today, manufacturers source powerful "System on a Chip" (SoC) processors at prices ranging from $0.25 to $8. These are full-fledged computers, easily capable of running an "access control" that satisfies DMCA 1201.
Likewise, in 1998, "access controls" (also called "DRM," "technical protection measures," etc) were a rarity in the field. That was because computer scientists broadly viewed these measures as useless. A determined adversary could always find a way around an access control, and they could package up that break as a software tool and costlessly, instantaneously distribute it over the internet to everyone in the world who wanted to do something that an access control impeded. Access controls were a stupid waste of engineering resources and a source of needless complexity and brittleness:
But – as critics pointed out in 1998 – chips were obviously going to get much cheaper, and if the US Congress made it a felony to bypass an access control, then every kind of manufacturer would be tempted to add some cheap SoCs to their products so they could add access controls and thereby felonize any uses of their products that cut into their profits. Basically, the DMCA offered manufacturers a bargain: add a dollar or two to the bill of materials for your product, and in return, the US government will imprison any competitors who offer your customers a "complementary good" that improves on it.
It's even worse than this: another thing that was obvious in 1998 was that once a manufacturer added a chip to a device, they would probably also figure out a way to connect it to the internet. Once that device is connected to the internet, the manufacturer can push software updates to it at will, which will be installed without user intervention. What's more, by using an access control in connection with that over-the-air update mechanism, the manufacturer can make it a felony to block its updates.
Which means that a manufacturer can sell you a device and then mandatorily update it at a later date to take away its functionality, and then sell that functionality back to you as a "subscription":
Here's what this all means: any manufacturer who devotes a small amount of engineering work and incurs a small hardware expense can extinguish private property rights altogether.
What do I mean by private property? Well, we can look to Blackstone's 1753 treatise:
The right of property; or that sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe.
You can't own your iPhone. If you take your iPhone to Apple and they tell you that it is beyond repair, you have to throw it away. If the repair your phone needs involves "parts pairing" (where a new part won't be recognized until an Apple technician "initializes" it through a DMCA-protected access control), then it's a felony to get that phone fixed somewhere else. If Apple tells you your phone is no longer supported because they've updated their OS, then it's a felony to wipe the phone and put a different OS on it (because installing a new OS involves bypassing an "access control" in the phone's bootloader). If Apple tells you that you can't have a piece of software – like ICE Block, an app that warns you if there are nearby ICE killers who might shoot you in the head through your windshield, which Apple has barred from its App Store on the grounds that ICE is a "protected class" – then you can't install it, because installing software that isn't delivered via the App Store involves bypassing an "access control" that checks software to ensure that it's authorized (just like the toaster with its unauthorized bread).
It's not just iPhones: versions of this play out in your medical implants (hearing aid, insulin pump, etc); appliances (stoves, fridges, washing machines); cars and ebikes; set-top boxes and game consoles; ebooks and streaming videos; small appliances (toothbrushes, TVs, speakers), and more.
Increasingly, things that you actually own are the exception, not the rule.
And this is not normal. The end of ownership represents an overturn of a foundation of modern civilization. The fact that the only "people" who can truly own something are the transhuman, immortal colony organisms we call "Limited Liability Corporations" is an absolutely surreal reversal of the normal order of things.
It's a reversal with deep implications: for one thing, it means that you can't protect yourself from raids on your private data or ready cash by adding privacy blockers to your device, which would make it impossible for airlines or ecommerce sites to guess about how rich/desperate you are before quoting you a "personalized price":
It also means you can't stop your device from leaking information about your movements, or even your conversations – Microsoft has announced that it will gather all of your private communications and ship them to its servers for use by "agentic AI":
https://www.youtube.com/watch?v=0ANECpNdt-4
Microsoft has also confirmed that it provides US authorities with warrantless, secret access to your data:
This is deeply abnormal. Sure, greedy corporate control freaks weren't invented in the 21st century, but the laws that let those sociopaths put you in prison for failing to arrange your affairs to their benefit – and your own detriment – are.
But because computers got faster and cheaper over decades, the end of ownership has had an incremental rollout, and we've barely noticed that it's happened. Sure, we get irritated when our garage-door opener suddenly requires us to look at seven ads every time we use the app that makes it open or close:
But societally, we haven't connected that incident to this wider phenomenon. It stinks here, but we're all used to it.
It's not normal to buy a book and then not be able to lend it, sell it, or give it away. Lending, selling and giving away books is older than copyright. It's older than publishing. It's older than printing. It's older than paper. It is fucking weird (and also terrible) (obviously) that there's a new kind of very popular book that you can go to prison for lending, selling or giving away.
We're just a few cycles away from a pair of shoes that can figure out which shoelaces you're using, or a dishwasher that can block you from using third-party dishes:
It's not normal, and it has profound implications for our security, our privacy, and our society. It makes us easy pickings for corporate vampires who drain our wallets through the gadgets and tools we rely on. It makes us easy pickings for fascists and authoritarians who ally themselves with corporate vampires by promising them tax breaks in exchange for collusion in the destruction of a free society.
I know that these problems are more important than whether or not we think this is normal. But still. It. Is. Just. Not. Normal.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
I'm on a 20+ city book tour for my new novel PICKS AND SHOVELS. Catch me in PITTSBURGH in TOMORROW (May 15) at WHITE WHALE BOOKS, and in PDX on Jun 20 at BARNES AND NOBLE with BUNNIE HUANG. More tour dates (London, Manchester) here.
Something's very different in tech. Once upon a time, every bad choice by tech companies – taking away features, locking out mods or plugins, nerfing the API – was countered, nearly instantaneously, by someone writing a program that overrode that choice.
Bad clients would be muscled aside by third-party clients. Locked bootloaders would be hacked and replaced. Code that confirmed you were using OEM parts, consumables or adapters would be found and nuked from orbit. Weak APIs would be replaced with muscular, unofficial APIs built out of unstoppable scrapers running on headless machines in some data-center. Every time some tech company erected a 10-foot enshittifying fence, someone would show up with an 11-foot disenshittifying ladder.
Those 11-foot ladders represented the power of interoperability, the inescapable bounty of the Turing-complete, universal von Neumann machine, which, by definition, is capable of running every valid program. Specifically, they represented the power of adversarial interoperability – when someone modifies a technology against its manufacturer's wishes. Adversarial interoperability is the origin story of today's tech giants, from Microsoft to Apple to Google:
But adversarial interop has been in steady decline for the past quarter-century. These big companies moved fast and broke things, but no one is returning the favor. If you ask the companies what changed, they'll just smirk and say that they're better at security than the incumbents they disrupted. The reason no one's hacked up a third-party iOS App Store is that Apple's security team is just so fucking 1337 that no one can break their shit.
I think this is nonsense. I think that what's really going on is that we've made it possible for companies to design their technologies in such a way that any attempt at adversarial interop is illegal.
"Anticircumvention" laws like Section 1201 of the 1998 Digital Millennium Copyright Act make bypassing any kind of digital lock (AKA "Digital Rights Management" or "DRM") very illegal. Under DMCA, just talking about how to remove a digital lock can land you in prison for 5 years. I tell the story of this law's passage in "Understood: Who Broke the Internet," my new podcast series for the CBC:
For a quarter century, tech companies have aggressively lobbied and litigated to expand the scope of anticircumvention laws. At the same time, companies have come up with a million ways to wrap their products in digital locks that are a crime to break.
Digital locks let Chamberlain, a garage-door opener monopolist block all third-party garage-door apps. Then, Chamberlain stuck ads in its app, so you have to watch an ad to open your garage-door:
These companies built 11-foot ladders to get over their competitors' 10-foot walls, and then they kicked the ladder away. Once they were secure atop their walls, they committed enshittifying sins their fallen adversaries could only dream of.
I've been campaigning to abolish anticircumvention laws for the past quarter-century, and I've noticed a curious pattern. Whenever these companies stand to lose their legal protections, they freak out and spend vast fortunes to keep those protections intact. That's weird, because it strongly implies that their locks don't work. A lock that works works, whether or not it's illegal to break that lock. The reason Signal encryption works is that it's working encryption. The legal status of breaking Signal's encryption has nothing to do with whether it works. If Signal's encryption was full of technical flaws but it was illegal to point those flaws out, you'd be crazy to trust Signal.
Signal does get involved in legal fights, of course, but the fights it gets into are ones that require Signal to introduce defects in its encryption – not fights over whether it is legal to disclose flaws in Signal or exploit them:
But tech companies that rely on digital locks manifestly act like their locks don't work and they know it. When the tech and content giants bullied the W3C into building DRM into 2 billion users' browsers, they categorically rejected any proposal to limit their ability to destroy the lives of people who broke that DRM, even if it was only to add accessibility or privacy to video:
The thing is, if the lock works, you don't need the legal right to destroy the lives of people who find its flaws, because it works.
Do digital locks work? Can they work? I think the answer to both questions is a resounding no. The design theory of a digital lock is that I can provide you with an encrypted file that your computer has the keys to. Your computer will access those keys to decrypt or sign a file, but only under the circumstances that I have specified. Like, you can install an app when it comes from my app store, but not when it comes from a third party. Or you can play back a video in one kind of browser window, but not in another one. For this to work, your computer has to hide a cryptographic key from you, inside a device you own and control. As I pointed out more than a decade ago, this is a fool's errand:
After all, you or I might not have the knowledge and resources to uncover the keys' hiding place, but someone does. Maybe that someone is a person looking to go into business selling your customers the disenshittifying plugin that unfucks the thing you deliberately broke. Maybe it's a hacker-tinkerer, pursuing an intellectual challenge. Maybe it's a bored grad student with a free weekend, an electron-tunneling microscope, and a seminar full of undergrads looking for a project.
The point is that hiding secrets in devices that belong to your adversaries is very bad security practice. No matter how good a bank safe is, the bank keeps it in its vault – not in the bank-robber's basement workshop.
For a hiding-secrets-in-your-adversaries'-device plan to work, the manufacturer has to make zero mistakes. The adversary – a competitor, a tinkerer, a grad student – only has to find one mistake and exploit it. This is a bedrock of security theory: attackers have an inescapable advantage.
So I think that DRM doesn't work. I think DRM is a legal construct, not a technical one. I think DRM is a kind of magic Saran Wrap that manufacturers can wrap around their products, and, in so doing, make it a literal jailable offense to use those products in otherwise legal ways that their shareholders don't like. As Jay Freeman put it, using DRM creates a new law called "Felony Contempt of Business Model." It's a law that has never been passed by any legislature, but is nevertheless enforceable.
In the 25 years I've been fighting anticircumvention laws, I've spoken to many government officials from all over the world about the opportunity that repealing their anticircumvention laws represents. After all, Apple makes $100b/year by gouging app makers for 30 cents on ever dollar. Allow your domestic tech sector to sell the tools to jailbreak iPhones and install third party app stores, and you can convert Apple's $100b/year to a $100m/year business for one of your own companies, and the other $999,900,000,000 will be returned to the world's iPhone owners as a consumer surplus.
But every time I pitched this, I got the same answer: "The US Trade Representative forced us to pass this law, and threatened us with tariffs if we didn't pass it." Happy Liberation Day, people – every country in the world is now liberated from the only reason to keep this stupid-ass law on their books:
One of the questions I've been getting repeatedly from policy wonks, activists and officials is, "Is it even possible to jailbreak modern devices?" They want to know if companies like Apple, Tesla, Google, Microsoft, and John Deere have created unbreakable digital locks. Obviously, this is an important question, because if these locks are impregnable, then getting rid of the law won't deliver the promised benefits.
It's true that there aren't as many jailbreaks as we used to see. When a big project like Nextcloud – which is staffed up with extremely accomplished and skilled engineers – gets screwed over by Google's app store, they issue a press-release, not a patch:
These hacks are incredibly ambitious! How ambitious? How about a class break for every version of iOS as well as an unpatchable hardware attack on 8 years' worth of Apple bootloaders?
Now, maybe it's the case at all the world's best hackers are posting free code under pseudonyms. Maybe all the code wizards working for venture backed tech companies that stand to make millions through clever reverse engineering are just not as mad skilled as teenagers who want an ad-free Insta and that's why they've never replicated the feat.
Or maybe it's because teenagers and anonymous hackers are just about the only people willing to risk a $500,000 fine and 5-year prison sentence. In other words, maybe the thing that protects DRM is law, not code. After all, when Polish security researchers revealed the existence of secret digital locks that the train manufacturer Newag used to rip off train operators for millions of euros, Newag dragged them into court:
Tech companies are the most self-mythologizing industry on the planet, beating out even the pharma sector in boasting about their prowess and good corporate citizenship. They swear that they've made a functional digital lock…but they sure act like the only thing those locks do is let them sue people who reveal their workings.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
I'm on a tour with my new book Enshittification: catch me next in San Francisco, Portland and Seattle! Full schedule here.
Remember when we were all worried that Huawei had filled our telecoms infrastructure with listening devices and killswitches? It sure would be dangerous if a corporation beholden to a brutal autocrat became structurally essential to your country's continued operations, huh?
In other, unrelated news, earlier this month, Trump's DoJ ordered Apple and Google to remove apps that allowed users to report ICE's roving gangs of masked thugs, who have kidnapped thousands of our neighbors and sent them to black sites:
Apple and Google capitulated. Apple also capitulated to Trump by removing apps that collect hand-verified, double-checked videos of ICE violence. Apple declared ICE's thugs to be a "protected class" that may not be disparaged in apps available to Apple's customers:
Of course, iPhones can (technically) run apps that Apple doesn't want you to run. All you have to do is "jailbreak" your phone and install an independent app store. Just one problem: the US Trade Rep bullied every country in the world into banning jailbreaking, meaning that if Trump (a man who never met a grievance that was too petty to pursue) orders Tim Cook (a man who never found a boot he wouldn't lick) to remove apps from your country's app store, you won't be able to get those apps from anyone else:
Now, you could get your government to order Apple to open up its platform to third-party app stores, but they will not comply – instead, they'll drown your country in spurious legal threats:
Of course, Google's no better. Not only do they capitulate to every demand from Trump, but they're also locking down Android so that you'll no longer be allowed to install apps unless Google approves of them (meaning that Trump now has a de facto veto over your Android apps):
For decades, China hawks have accused Chinese tech giants of being puppeteered by the Chinese state, vehicles for projecting Chinese state power around the world. Meanwhile, the Chinese state has declared war on its tech companies, treating them as competitors, not instruments:
When it comes to US foreign policy, every accusation is a confession. Snowden showed us how the US tech giants were being used to wiretap virtually every person alive for the US government. More than a decade later, Microsoft has been forced to admit that they will still allow Trump's lackeys to plunder Europeans' data, even if that data is stored on servers in the EU:
Microsoft is definitely a means for the US to project its power around the world. When Trump denounced Karim Khan, the Chief Prosecutor of the International Criminal Court, for indicting Netanyahu for genocide, Microsoft obliged by nuking Khan's email, documents, calendar and contacts:
This is exactly the kind of thing Trump's toadies warned us would happen if we let Huawei into our countries. Every accusation is a confession.
But it's worse than that. The very worst-case speculative scenario for Huawei-as-Chinese-Trojan-horse is infinitely better than the non-speculative, real ways in which the US has killswitched and bugged the world's devices.
Take CALEA, a Clinton-era law that requires all network switches to be equipped with law-enforcement back-doors that allow anyone who holds the right credential to take over the switch and listen in, block, or spoof its data. Virtually every network switch manufactured is CALEA-compliant, which is how the NSA was able to listen in on the Greek Prime Minister's phone calls to gain competitive advantage for the competing Salt Lake City Olympic bid:
CALEA backdoors are a single point of failure for the world's networking systems. Nominally, CALEA backdoors are under US control, but the reality is that lots of hackers have exploited CALEA to attack governments and corporations, inside the US and abroad. Remember Salt Typhoon, the worst-ever hacking attack on US government agencies and large corporations? The Salt Typhoon hackers used CALEA as their entry point into those networks:
US monopolists – within Trump's coercive reach – control so many of the world's critical systems. Take John Deere, the ag-tech monopolist that supplies the majority of the world's tractors. By design, those tractors do not allow the farmers who own them to alter their software. That's so John Deere can force farmers to use Deere's own technicians for repairs, and so that Deere can extract soil data from farmers' tractors to sell into the global futures market.
A tractor is a networked computer in a fancy, expensive case filled with whirling blades, and at any time, Deere can reach into any tractor and permanently immobilize it. Remember when Russian looters stole those Ukrainian tractors and took them to Chechnya, only to have Deere remotely brick their loot, turning the tractors into multi-ton paperweights? A lot of us cheered that high-tech comeuppance, but when you consider that Donald Trump could order Deere to do this to all the tractors, on his whim, this gets a lot more sinister:
Any government thinking about the future of geopolitics in an era of Trump's mad king fascism should be thinking about how to flash those tractors – and phones, and games consoles, and medical implants, and ventilators – with free and open software that is under its owner's control. The problem is that every country in the world has signed up to America's ban on jailbreaking.
In the EU, it's Article 6 of the Copyright Directive. In Mexico, it's the IP chapter of the USMCA. If Central America, it's via CAFTA. In Australia, it's the US-Australia Free Trade Agreement. In Canada, it's 2012's Bill C-11, which bans Canadian farmers from fixing their own tractors, Canadian drivers from taking their cars to a mechanic of their choosing, and Canadian iPhone and games console owners from choosing to buy their software from a Canadian store:
These anti-jailbreaking laws were designed as a tool of economic extraction, a way to protect American tech companies' sky-high fees and rampant privacy invasions by making it illegal, everywhere, for anyone to alter how these devices work without the manufacturer's permission.
But today, these laws have created clusters of deep-seated infrastructural vulnerabilities that reach into all our digital devices and services, including the digital devices that harvest our crops, supply oxygen to our lungs, or tell us when Trump's masked shock-troops are hunting people in our vicinity.
It's well past time for a post-American internet. Every device and every service should be designed so that the people who use them have the final say over how they work. Manufacturers' back doors and digital locks that prevent us from updating our devices with software of our choosing were never a good idea. Today, they're a catastrophe.
The world signed up to these laws because the US threatened them with tariffs if they didn't do as they were told. Well, happy Liberation Day, everyone. The US told the world to pass America's tech laws or face American tariffs.
When someone threatens to burn down your house unless you do as you're told, and then they burn your house down anyway, you don't have to keep doing what they told you.
When Putin invaded Ukraine, he inadvertently pushed the EU to accelerate its solarization efforts, to escape their reliance on Russian gas, and now Europe is a decade ahead of schedule in meeting its zero-emissions goals:
Today, another mad dictator is threatening the world's infrastructure. For the rest of the world to escape dictators' demands, they will have to accelerate their independence from American tech – not just Russian gas. A post-American internet starts with abandoning the laws that give US companies – and therefore Trump – a veto over how your technology works.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
I'm on a tour with my new book Enshittification: catch me next in Los Angeles, Calgary and San Francisco! Full schedule here.
Even though he's the darkest of clouds, Trump has some deeply weird silver linings, formed out of a combination of his self-owning isolationism and blunt aggression.
In my quarter-century as a digital activist, I've had cause to work in more than 30 countries. Wherever I went, I'd meet with policymakers about the rules they should be thinking about in order to make their technology work better for their countries. Every single time, they'd agree politely with me, but insist that making any kind of tech-improving rules was impossible, because the US trade representative would kick their teeth in if they tried.
For all of this century, the USTR has been one of the greatest global impediments to a better world, hopping from country to country, demanding policies that would protect American tech firms from foreign competitors – especially the kind of competitor who would improve on American tech products by protecting users' privacy, consumer rights or labor rights while they used them.
The most glaring example of this are "anticircumvention laws." Under these laws, it's illegal to modify any technology that has any kind of anti-modification defenses. In other words, if the manufacturer draws a kind of virtual dotted line around part of the product's software and labels it, "Do not look inside this box," then it becomes illegal to do so, even if you're trying to do something that's otherwise legal.
That means that if your printer is designed to reject generic ink, you can't change the code that verifies the ink cartridge. There's no law that says, "You have to buy your ink from the same company that sold you your printer," but if HP adds any kind of anti-modification measure to its ink-checking code, then disabling that code becomes a serious crime.
Now, these laws are obviously an invitation to mischief. They are used to prevent independent repair of everything from tractors to cars to phones to games consoles to ventilators. They're used to stop you from blocking ads or surveillance on your phone or "smart" TV. They keep you locked into manufacturers' app stores, payment systems and other add-ons, which means that you are constantly being ripped off with junk fees, and you can't install the software of your choosing, including software that will help you avoid being kidnapped by masked thugs and sent to a secret torture prison:
The US passed the first of these laws in 1998, when Bill Clinton signed the Digital Millennium Copyright Act. As the ink was still drying on Clinton's signature, the US trade rep started racing around the world, demanding that America's trading partners adopt their own version of the law:
As these laws were adopted around the world, US tech giants were given carte blanche to extract more money and data from their global users. American users were getting ripped off too, of course (they were the first victims of Big Tech), but at least the US stock market reaped the benefit of Big Tech's incredibly lucrative scams. But for America's trading partners, anticircumvention was an entirely losing proposition: their people got ripped off for their data and their money, and their tech companies couldn't go into business selling products to disenshittify America's cash-and-data extraction machines.
So why did America's trading partners agree to anticircumvention law? Well, that was down to the tender ministrations of the US trade rep. Countries that didn't pass anticircumvention were threatened with US tariffs.
I used to occasionally guest-lecture at an international relations grad program at the Central European University in Budapest, and one summer, I had a student who had served as the information minister to a Central American country while the US was negotiating the Central American Free Trade Agreement (CAFTA). This student described getting a phone call from their country's chief negotiator who said, "I know you told me not to budge on anticircumvention, but the USTR tells me that if we don't give them this, they will block our agricultural exports. I'm sorry." Country by country, the world fell into line.
When someone tells you, "You'd better do what I say or I'm going to burn your house down," and then they burn your house down, you'd be an absolute sucker if you kept up your part of the bargain.
I find it absolutely bizarre that the USTR spent decades racing around the world, getting every country on earth to sign up to "America First" policies by threatening them with tariffs, and then Trump actually imposed the tariffs anyway, which has opened up the space for every country to get rid of those America First policies.
Of course, that's not all Trump has done. He's also made it abundantly clear that he considers America's (former) allies to be geopolitical and economic competitors, and that US tech is one of the primary weapons he will use to wage war on the world. He got Canadian Prime Minister Mark Carney to cave on taxing Big Tech, which means that they'll be able to go on cheating on their taxes, while Canadian companies won't be able to, which means Canada's tech sector will never be able to compete:
https://www.bbc.com/news/articles/cd0vv2pe7ydo
Trump has also ordered the EU to scrap its new tech antitrust laws, the Digital Markets Act and the Digital Services Act, which aim to open up space for European competitors to US tech:
But more than that, Trump and US tech have teamed up to attack and deplatform public officials that Trump has beef with. Take Karim Khan, chief prosecutor of the International Criminal Court in the Hague. Khan swore out a criminal complaint and arrest warrant for the génocidaire Benjamin Netanyahu, and Trump sanctioned Khan. Then, Microsoft cut off Khan's access to his account, nuking his email, calendar, address book and files:
For officials all over the world, the message couldn't be clearer: Trump sees you as the enemy, and he will use American tech companies to cut you off at the knees if you don't roll over for him.
Enter the Eurostack. This is an initiative from the EU that seeks to fund and deploy open source equivalents to the platforms that the European public, its businesses and its governments are currently locked into:
Thus far, Eurostack's focus has been on building those Made-in-the-EU alternatives to the US tech stack, and on financing data-center rollout. But very shortly, Eurostack advocates are going to hit a wall.
Escaping from US Big Tech isn't merely a matter of having another service to move your data and interactions to. You also have to have a way to transition from the old, US service to the new Eurostack equivalent.
No government ministry, no business, no individual is going to manually copy-and-paste thousands (or millions) of documents out of Microsoft, Apple or Google's cloud into the Eurostack. No one is going to individually move all the edit histories, email chains, and file permissions over. These files and data-structures are essential to the people who created them, and they often contain sensitive information and compliance data that is illegal to delete.
Sure, the EU could try to order American Big Tech companies to create export tools so that Europeans can easily retrieve their data in formats that can be faithfully imported into Eurostack services, but we can already see how that will play out.
Last year's Digital Markets Act contains a modest set of "interoperability" requirements that require big US companies like Apple to open up their platforms to rival app stores and payment processors. Apple's monopoly over iPhone apps is a big deal – it lets the company structure the market for software in Europe, without any accountability or limits, and Apple extracts a 30% tax on every euro that changes hands via an iOS app. Globally, Apple makes more than $100b/year from this "app tax."
When the EU passed a law aimed at halting this racket, Apple lost its mind. First, they proposed a "solution" to this that was so onerous and tortured that it was a kind of sick joke:
Now, Apple has filed 18 legal challenges to any interoperability mandate under the DMA:
https://eur-lex.europa.eu/eli/C/2025/5213/oj/eng
If this is how an American tech company responds to a small-potatoes order to give Europeans more choice over how they use their own devices and data, imagine what these US giants will do if the EU orders them to open up their platforms so people can leave altogether!
The only plausible path from US Big Tech to the Eurostack runs straight through anticircumvention. The EU needs to repeal Article 6 of the Copyright Directive, a law it passed at the behest of the US Trade Representative, to protect the rent-extraction tactics of American tech companies. We need to make it legal for European technologists to reverse-engineer the American tech platforms' websites and apps so that Europeans can get their data out of America's tech silos and into open, sovereign, privacy-respecting, consumer rights-preserving, worker-protecting Eurostack versions.
Building the Eurostack without thinking about migration tools is a recipe for disappointment. It's like building housing for East Germans…in West Berlin, without sparing a thought for how those East Germans are going to get to the new apartment blocks.
The good news is, there's no reason to keep Article 6 of the Copyright Directive on the books. The law has always been a wreck. It's one of the primary barriers to Right to Repair: companies now build devices with "access controls" on their parts. Even after you install a new part into a device, it won't start working until the manufacturer's representative unlocks it (for a hefty fee). Under anticircumvention laws like EUCD Article 6, it's illegal to bypass these locks.
What's more, the digital locks that EUCD 6 protects are almost all to be found in American products. Only a handful of EU manufacturers rely on these, and they use them to in terrible ways. Volkswagen used the fact that it was illegal to reverse-engineer its engines to disguise the fact that it was cheating on its emissions tests, and the resulting "Dieselgate" scandal killed thousands of Europeans:
Newag, a Polish train manufacturer, boobytraps the trains they sell. When these trains sense that they have been taken to a competitor's train-yard for maintenance, they render themselves inoperable. Newag then charges thousands of euros to remotely "repair" their own sabotage. When this was revealed by a team of independent security researchers, Newag used claims under EUCD 6 in an attempt to intimidate them into silence:
Mercedes won't let you unlock your new car's full acceleration capability unless you pay them a monthly subscription fee, and any mechanic who tries to bypass this and give you your whole engine's capability violates EUCD 6. BMW won't let you use the feature that auto-dims your high-beams when there's oncoming traffic, and once again, that can't be fixed by another company because of EUCD 6:
Any business that relies on EUCD 6 is garbage and should be killed with fire. The global champions of this legal sabotage are all American, but the EU companies that copied their business models are also trash and the EU should be terminating them with extreme prejudice.
It's pretty remarkable that we've forgotten about the kind of reverse-engineering that EUCD 6 bans. This used to be totally normal. Providing tools to move data from one system to another – without permission from your old vendor – is a completely legitimate business.
The only reason we forgot that this stuff existed is that the US trade rep spent 25 years lobotomizing us all, threatening us with tariffs if we dared to do anything that disrupted American Big Tech. With those companies, it's always "disruption for thee, never for me."
In a few short months, Trump has sown the seeds of the destruction of one of the most world's pernicious "America First" systems. Now, it's in the EU's power to send it to a long-overdue grave.
"Mr Cook, Mr Nadella, Mr Ellison, Mr Pichai – tear down that wall!"
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Hey, German-speakers! Through a very weird set of circumstances, I ended up owning the rights to the German audiobook of my bestselling 2022 cryptocurrency heist technothriller Red Team Blues and now I'm selling DRM-free audio and ebooks, along with the paperback (all in German and English) on a Kickstarter that runs until August 11.
As much as I admire the techlash, I have some serious reservations. I worry that there's some pretty useful tech babies that we are at risk of throwing away with the bathwater.
For starters, there's the idea of "intermediary liability," which is the degree to which online services are held liable for the harms their users inflict on each other. Lots of people want to make Meta, Google and other tech giants liable for their users' actions, such as harassment and disinformation. These people are doubtless well-intentioned, but boy have they failed to pay attention to what happens when we create these liability rules.
Historically, the most important intermediary liability law is Section 230 of the Communications Decency Act. Despite the fact that this law is only 27 words long, it is among the most badly understood aspects of tech policy, worldwide:
CDA 230 says that platforms aren't required to police their users' speech. If a user libels another user, or harasses them, or threatens them, that's between the users, who can sue each other, but not the platform (CDA 230 only relates to civil liability; it has no bearing on the ability of platforms to be held criminally liable for their users' actions).
Importantly, CDA 230 also says that if a platform does intervene to prevent one user from harming another, that doesn't mean they have to intervene in every such case. There's a good historical reason for this: back in the paleolithic era, Prodigy, a commercial online service, was sued after they stepped in to protect some users from other users' bad actions. The suit argued that once they'd set the precedent that they were going to police user conduct, they acquired an obligation to police every instance of bad user conduct. In response, Prodigy – and its competitors – stopped moderating altogether:
No one who's used big online services would say that the CDA 230 world is a great one – but it's provably a vastly better world than the world we get when we take away 230's protections.
Yes, provably.
In 2018, Donald Trump signed SESTA/FOSTA into law. This is a (supposedly) narrow exception to CDA 230 that makes platforms civilly liable when they are used in connection with sex trafficking:
Obviously, sex trafficking is a terrible crime (and again, CDA 230 has never affected a platform's criminal liability for sex trafficking, only civil liability). None of the people who spoke out against SESTA/FOSTA did so because they wanted to protect sex traffickers.
Rather, the opposition to SESTA/FOSTA was motivated by concern over the collateral damage that would ensue, and those concerns have been entirely borne out. Opponents of SESTA/FOSTA predicted that platforms would be unable or unwilling to distinguish between consensual sex work and trafficking, and that they would simply sweep all consensual sex work off of their platforms.
That's exactly what happened. Not only did the spaces where sex workers advertised and booked their work disappear, but so did the private "bad date" forums where sex workers helped one another steer clear of dangerous clients. Sex work moved back into the streets, and with it came a revival of pimping – a scourge that had been all but killed off by the use of online platforms by sex workers to find work and stay safe:
To the extent that sex work survives online, it has been relegated to a few fringe services that have no competitors and exploit their captive audience of sex workers to rake in massive fees for sub-par services. Meanwhile, the forcible relocation of sex work from searchable, visible online spaces to the streets has made it significantly harder for law enforcement to detect and interdict actual sex trafficking:
That's the evidence for what happens when you make intermediaries liable for their users' conduct. Far from being a gift to Big Tech, protections from intermediary liability primarily benefit smaller online spaces, which can't afford the high compliance costs of spying on and controlling their users, unlike, say, Facebook, which is why Mark Zuckerberg wants to get rid of CDA 230:
Every Fediverse host depends on limitation on intermediary liability. So does anyone who hosts one of the new, federated Bluesky relays:
https://whtwnd.com/bnewbold.net/3lo7a2a4qxg2l
SESTA/FOSTA isn't the only experimental evidence we have for what happens when we kill CDA 230-like protections. In the UK, the Online Safety Act imposes a duty on people who provide online speech forums to monitor and police their users' words. The immediate effect of this was to kill off many small business and hobbyist forums. Now, even large, multinational corporations are killing off their forums and relocating them to Facebook, where there's the budget and resources to conduct the surveillance and control required by the Act:
Moving every independent speech forum to Facebook is a funny way of punishing Big Tech. Fundamentally, the lesson here is that we can't fix Big Tech by making it use its power more wisely – the only way to fix Big Tech is to get rid of it, to make it smaller, to take away its power.
That's a lesson we keep missing. Take age verification laws: these require all online forums to exercise total control over their users, because they require platforms to know who a user is, to associate that user with every interaction, and, finally, to verify the user's age. But you can't verify a user's age unless you know which user is at the other end of an online connection. This affects every user, not just kids, because the only way to prove you're an adult is to prove that you're not a kid.
Age verification and intermediary liability are measures that are diametrically opposed to the mission of making Big Tech weaker. These measures only work if Big Tech stays all-powerful, and they devastate independent online alternatives to Big Tech. What's more, they cut directly against efforts to make it easier for users to leave Big Tech, through interoperable gateways that make it possible for users who depart an online platform to stay in touch with the people who stay behind:
https://www.eff.org/interoperablefacebook
These interoperability mandates figure heavily in modern anti-Big Tech laws like the EU's DMA and DSA, but they cannot peacefully coexist with stricter liabilty and age verification rules. A platform simply cannot identify, monitor and control users and allow users to leave their platform while maintaining contact with their friends who stay.
These efforts to force Big Tech to behave don't just undermine interoperability mandates, they also kill off "adversarial interoperability," the principle that a user of a technology should be allowed to reverse-engineer and modify it, for example, to block ads or tracking, to sideload apps or extract their data or to monitor a platform's moderation failures:
When Big Tech does adversarial interoperability, they call it "move fast and break things," and that's another baby the techlash stands ready to throw out with the bathwater. There's nothing wrong per se with a technologist changing how a device or service works without permission from its maker. Every ad-blocker does that. So do accountability tools that scrape Facebook to document its failures to police paid political disinformation:
Moving fast and breaking things is fine, depending on whose things you're breaking. For example, I want every Tesla owner to be able to walk into any mechanic's shop and unlock all the subscription features and software upgrades, without paying a dime to Elon Musk:
And I want every person who uses a powered wheelchair to be able to alter its handling characteristics and other digital features without waiting months and paying through the nose to one of two private-equity backed duopolists:
Adversarial interoperability means that you and I don't need to convince tech bros to give us what we want: we can just take it – from them.
That's important, because if there's one thing that tech companies keep proving, over and over again, it's that they don't give a shit what we want. Think of how they're force-feeding us AI (and how nice it would be to subscribe to a service run by adversarial interoperators who would automatically block every accursed AI popup in every app and service and device you use):
Or, more prosaically, how much mobile phone design has congealed around a monolithic design that has no room for a clicky little keyboard – something I first saw demoed 23 years ago:
It turns out that we don't have to take that shit lying down. Like Prometheus, we can steal our clicky keyboards and 3mm headphone jacks back from the tech gods. That's exactly what the Q25 Pro does: it's a mobile phone that is built inside the housing of a Research in Motion Blackberry Classic Q20, with a modern processor and camera, and a recent version of Android:
https://linkapus.com/products/q25-pro-full-device
It's a project from Zinwa Technologies, led by a young Chinese hacker named Zinwa who explained the gadget's design in detail on a recent installment of Returning Retro:
https://www.youtube.com/watch?v=lOrKsVKAbGA
Zinwa explains how he grew up with Blackberries (and also Chinese clones of Blackberries) and never learned to enjoy a modern distraction rectangle. So, as all good hackers do when they get an itch, he scratched it. He realized that there was an essentially infinite supply of old Blackberry housings sitting around in drawers or making their slow, inexorable way to an e-waste dump, where they would leach out poisonous ooze forever, and that, rather than spending $200K+ to design a chassis for a new phone, he could just create a motherboard around a modern processor with a recent-model screen, all sized to occupy exactly the same space that the original Q20 board fit in.
The new device supports 4G/LTE networks and Android 13. It has an SD card slot, USB C, and NFC on-board, as well as the classic Blackberry keyboard and yes, a 3mm headphone jack. Zinwa is launching with a small batch of conversion kits for hardware hackers who want to try their hand at a retro-restoration, with fully assembled units to follow.
Now, this isn't for everyone, but there's a huge community of people who are very excited about it indeed:
Mostafa, who sent me a tip about this project, writes:
After using [a Blackberry-like phone] for 3 years now, the form-factor is perfect for healthy phone usage habits. I’ve found the physical keyboard/small screen combo to be an optimal solution to the problem having a simultaneously infinitely useful tool/infinitely novel toy in your pocket at all times – maximize the tool factor, minimize the toy. This concept has spawned a rich community around it.
If you want to be a part of that community, you can hang out on their Discord:
https://discord.com/invite/D2P7UqFdXz
The point here isn't merely that Zinwa is doing something very cool that meets the needs of a group of people who Big Tech doesn't give a shit about (though he is doing that): it's that anyone should be able to do this to any technology. That includes Zinwa's Q25: in his interview with Returning Retro, Zinwa waffles a little about whether the Q25 will have an open bootloader, which would allow other hackers to replace the OS with one that's been modded to their heart's delight. Whether or not you get to modify the tech you use to suit you better has nothing to do with whether it came from someone with good or bad intentions – you should have that right, no matter what, because it's your technology and you should be in charge of it.
This is the spirit of small tech: tech that communities bend to suit their needs. Just as CDA 230 primarily benefits small groups who are underserved or abused by Big Tech, the right to change your tech primarily helps marginalized groups. Marginalized groups have always relied on adapting their tech, because their needs rarely get taken into consideration by design teams at tech companies:
The world is full of "outdated" technology that has been replaced with enshittified versions. A robust right to tinker means that we can divert this superior, well-built technology from landfills, by retrofitting it with modern guts that keep it up to date with the good things that have emerged since it was built, while discarding all the garbage that came along with it.
Take the Thinkpad X220, one of the greatest computers ever made:
https://btxx.org/posts/x220/
As Brad at btxx wrote in 2023, the X220 is built like a tank, had every port under the sun, supported compact lightweight batteries and massive external ones, sported one of the greatest keyboards ever to grace a laptop, and had an open bootloader, making it a dream to run Linux on. It was incredibly easy to repair and maintain, too (I once swapped a keyboard on one of these one-handed while holding my infant daughter in my other hand).
I would love to have an X220 with a modern processor, a shit-ton of RAM, and and updated screen. There's no way I'm ever going to build it, but there's probably a couple thousand people like me who would pay, say, $2500 each for these retrofits. For some enterprising hardware hacker, that's a pretty good year's wages, and a project that could launch a reputation and future projects.
Thinkpads went steeply downhill after the X220, so much so that I abandoned them altogether, after more than a decade of annual hardware purchases, switching to the wonderful, repairable Framework:
The fact that Lenovo – the current owner of the Thinkpad line – just sucks at making computers is no reason for those X220s to go to the landfill. Someone could – and should – move fast and break Lenovo.
For more than 20 years, we have tried to make tech better by "holding tech to account," trying to make giant tech companies wield their power more responsibly. This has been a total failure, which has done nothing but strengthen tech companies, making them both too big to jail and too big to care. A better tech future isn't one in which today's tech companies behave better, it's one in which their bad behavior doesn't matter because they no longer have any power over us.
To bring that future into being, we have to take away tech power, not try and direct it in positive ways. We need to design our policy around evacuating tech platforms, not fixing them. We need to encourage moving fast and breaking (Big Tech's) things. The problem with the world isn't that the wrong tech bosses weild vast power over the lives of billions of people – it's that anyone has that power.
Support me this summer in the Clarion Write-A-Thon and help raise money for the Clarion Science Fiction and Fantasy Writers' Workshop! This summer, I'm writing The Reverse-Centaur's Guide to AI, a short book for Farrar, Straus and Giroux that explains how to be an effective AI critic.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Antiusurpation and the road to disenshittification
THIS WEEKEND (November 8-10), I'll be in TUCSON, AZ: I'm the GUEST OF HONOR at the TUSCON SCIENCE FICTION CONVENTION.
Nineties kids had a good reason to be excited about the internet's promise of disintermediation: the gatekeepers who controlled our access to culture, politics, and opportunity were crooked as hell, and besides, they sucked.
For a second there, we really did get a lot of disintermediation, which created a big, weird, diverse pluralistic space for all kinds of voices, ideas, identities, hobbies, businesses and movements. Lots of these were either deeply objectionable or really stupid, or both, but there was also so much cool stuff on the old, good internet.
Then, after about ten seconds of sheer joy, we got all-new gatekeepers, who were at least as bad, and even more powerful, than the old ones. The net became Tom Eastman's "Five giant websites, each filled with screenshots of the other four." Culture, politics, finance, news, and especially power have been gathered into the hands of unaccountable, greedy, and often cruel intermediaries.
Oh, also, we had an election.
This isn't an election post. I have many thoughts about the election, but they're still these big, unformed blobs of anger, fear and sorrow. Experience teaches me that the only way to get past this is to just let all that bad stuff sit for a while and offgas its most noxious compounds, so that I can handle it safely and figure out what to do with it.
While I wait that out, I'm just getting the job done. Chop wood, carry water. I've got a book to write, Enshittification, for Farar, Straus, Giroux's MCD Books, and it's very nearly done:
Compartmentalizing my anxieties and plowing that energy into productive work isn't necessarily the healthiest coping strategy, but it's not the worst, either. It's how I wrote nine books during the covid lockdowns.
And sometimes, when you're not staring directly at something, you get past the tunnel vision that makes it impossible to see its edges, fracture lines, and weak points.
So I'm working on the book. It's a book about platforms, because enshittification is a phenomenon that is most visible and toxic on platforms. Platforms are intermediaries, who connect buyers and sellers, creators and audiences, workers and employers, politicians and voters, activists and crowds, as well as families, communities, and would-be romantic partners.
There's a reason we keep reinventing these intermediaries: they're useful. Like, it's technically possible for a writer to also be their own editor, printer, distributor, promoter and sales-force:
But without middlemen, those are the only writers we'll get. The set of all writers who have something to say that I want to read is much larger than the set of all writers who are capable of running their own publishing operation.
The problem isn't middlemen: the problem is powerful middlemen. When an intermediary gets powerful enough to usurp the relationship between the parties on either side of the transaction, everything turns to shit:
A dating service that faces pressure from competition, regulation, interoperability and a committed workforce will try as hard as it can to help you find Your Person. A dating service that buys up all its competitors, cows its workforce, captures its regulators and harnesses IP law to block interoperators will redesign its service so that you keep paying forever, and never find love:
Multiply this a millionfold, in every sector of our complex, high-tech world where we necessarily rely on skilled intermediaries to handle technical aspects of our lives that we can't – or shouldn't – manage ourselves. That world is beholden to predators who screw us and screw us and screw us, jacking up our rents:
(Maybe this is a post about the election after all?)
The difference between a helpmeet and a parasite is power. If we want to enjoy the benefits of intermediaries without the risks, we need policies that keep middlemen weak. That's the opposite of the system we have now.
Take interoperability and IP law. Interoperability (basically, plugging new things into existing things) is a really powerful check against powerful middlemen. If you rely on an ad-exchange to fund your newsgathering and they start ripping you off, then an interoperable system that lets you use a different exchange will not only end the rip off – it'll make it less likely to happen in the first place because the ad-tech platform will be afraid of losing your business:
Interoperability means that when Amazon rips off audiobook authors to the tune of $100m, those authors can pull their books from Amazon and sell them elsewhere and know that their listeners can move their libraries over to a different app:
But interoperability has been in retreat for 40 years, as IP law has expanded to criminalize otherwise normal activities, so that middlemen can use IP rights to protect themselves from their end-users and business customers:
https://locusmag.com/2020/09/cory-doctorow-ip/
That's what I mean when I say that "IP" is "any law that lets a business reach beyond its own walls and control the actions of its customers, competitors and critics."
For example, there's a pernicious law 1998 US law that I write about all the time, Section 1201 of the Digital Millennium Copyright Act, the "anticircumvention law." This is a law that felonizes tampering with copyright locks, even if you are the creator of the undelying work.
So Amazon – the owner of the monopoly audiobook platform Audible – puts a mandatory copyright lock around every audiobook they sell. I, as an author who writes, finances and narrates the audiobook, can't provide you, my customer, with a tool to remove that lock. If I do so, I face criminal sanctions: a five year prison sentence and a $500,000 fine for a first offense:
In other words: if I let you take my own copyrighted work out of Amazon's app, I commit a felony, with penalties that are far stiffer than the penalties you would face if you were to simply pirate that audiobook. The penalties for you shoplifting the audiobook on CD at a truck-stop are lower than the penalties the author and publisher of the book would face if they simply gave you a tool to de-Amazon the file. Indeed, even if you hijacked the truck that delivered the CDs, you'd probably be looking at a shorter sentence.
This is a law that is purpose-built to encourage intermediaries to usurp the relationship between buyers and sellers, creators and audiences. It's a charter for parasitism and predation.
But as bad as that is, there's another aspect of DMCA 1201 that's even worse: the exemptions process.
You might have read recently about the Copyright Office "freeing the McFlurry" by granting a DMCA 1201 exemption for companies that want to reverse-engineer the error-codes from McDonald's finicky, unreliable frozen custard machines:
Under DMCA 1201, the Copyright Office hears petitions for these exemptions every three years. If they judge that anticircumvention law is interfering with some legitimate activity, the statute empowers them to grant an exemption.
When the DMCA passed in 1998 (and when the US Trade Rep pressured other world governments into passing nearly identical laws in the decades that followed), this exemptions process was billed as a "pressure valve" that would prevent abuses of anticircumvention law.
But this was a cynical trick. The way the law is structured, the Copyright Office can only grant "use" exemptions, but not "tools" exemptions. So if you are granted the right to move Audible audiobooks into a third-party app, you are personally required to figure out how to do that. You have to dump the machine code of the Audible app, decompile it, scan it for vulnerabilities, and bootstrap your own jailbreaking program to take Audible wrapper off the file.
No one is allowed to help you with this. You aren't allowed to discuss any of this publicly, or share a tool that you make with anyone else. Doing any of this is a potential felony.
In other words, DMCA 1201 gives intermediaries power over you, but bans you from asking an intermediary to help you escape another abusive middleman.
This is the exact opposite of how intermediary law should work. We should have rules that ban intermediaries from exercising undue power over the parties they serve, and we should have rules empowering intermediaries to erode the advantage of powerful intermediaries.
The fact that the Copyright Office grants you an exemption to anticircumvention law means nothing unless you can delegate that right to an intermediary who can exercise it on your behalf.
A world without publishing intermediaries is one in which the only writers who thrive are the ones capable of being publishers, too, and that's a tiny fraction of all the writers with something to say.
A world without interoperability intermediaries is one in which the only platform users who thrive are also skilled reverse-engineering ninja hackers – and that's an infinitesimal fraction of the platform users who would benefit from interoperabilty.
Let this be your north star in evaluating platform regulation proposals. Platform regulation should weaken intermediaries' powers over their users, and strengthen their power over other middlemen.
Put in this light, it's easy to see why the ill-informed calls to abolish Section 230 of the Communications Decency Act (which makes platform users, not platforms, responsible for most unlawful speech) are so misguided:
If we require platforms to surveil all user speech and block anything that might violate any law, we give the largest, most powerful platforms a permanent advantage over smaller, better platforms, run by co-ops, hobbyists, nonprofits local governments, and startups. The big platforms have the capital to rig up massive, automated surveillance and censorship systems, and the only alternatives that can spring up have to be just as big and powerful as the Big Tech platforms we're so desperate to escape:
This is especially grave given the current political current, where fascist politicians are threatening platforms with brutal punishments for failing to censor disfavored political views.
Anyone who tells you that "it's only censorship when the government does it" is badly confused. It's only a First Amendment violation when the government does it, sure – but censorship has always relied on intermediaries. From the Inquisition to the Comics Code, government censors were only able to do their jobs because powerful middlemen, fearing state punishments, blocked anything that might cross the line, censoring far beyond the material actually prohibited by the law:
We live in a world of powerful, corrupt middlemen. From payments to real-estate, from job-search to romance, there's a legion of parasites masquerading as helpmeets, burying their greedy mouthparts into our tender flesh:
But intermediaries aren't the problem. You shouldn't have to stand up your own payment processor, or learn the ins and outs of real-estate law, or start your own single's bar. The problem is power, not intermediation.
As we set out to build a new, good internet (with a lot less help from the US government than seemed likely as recently as last week), let's remember that lesson: the point isn't disintermediation, it's weak intermediation.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
