If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
What if there was a way for a business to transform any conduct it disliked into a felony, harnessing the power of the state to threaten anyone who acted in a way that displeased the company with a long prison sentence and six-figure fines?
Surprise! That actually exists! It's called Section 1201 of the Digital Millennium Copyright Act, the "anticircumvention" clause, which establishes five-year sentences and $500k fines for anyone who bypasses an "effective access control" for a copyrighted work.
Let's unpack that: every digital product has a "copyrighted work" at its core, because software is copyrighted. Digital systems are intrinsically very flexible: just overwrite, augment, or delete part of the software that powers the device or product, and you change how the product works. You can alter your browser to block ads; or alter your Android phone to run a privacy-respecting OS like Graphene; or alter your printer to accept generic ink, rather than checking each cartridge to confirm that it's the original manufacturer's product.
However, if the device is designed to prevent this – if it has an "access control" that restricts your ability to change the software – then DMCA 1201 makes those modifications into crimes. The act of providing someone with a tool to change how their own property works ("trafficking in circumvention devices") is a felony.
But there's a tiny saving grace here: for DMCA 1201 to kick in, the "access control" must be "effective." What's "effective?" There's the rub: no one knows.
The penalties for getting crosswise with DMCA 1201 are so grotendous that very few people have tried to litigate any of its contours. Whenever the issue comes up, defendants settle, or fold, or disappear. Despite the fact that DMCA 1201 has been with us for more than a quarter of a century, and despite the fact that the activities it restricts are so far-reaching, there's precious little case law clarifying Congress's vague statutory language.
When it comes to "effectiveness" in access controls, the jurisprudence is especially thin. As far as I know, there's just one case that addressed the issue, and boy was it a weird one. Back in 2000, a "colorful" guy named Johnny Deep founded a Napster-alike service that piggybacked on the AOL Instant Messenger network. He called his service "Aimster." When AOL threatened him with a trademark suit, he claimed that Aimster was his daughter Amiee's AOL handle, and that the service was named for her. Then he changed the service's name to Madster, claiming that it was also named after his daughter. At the time, a lot of people assumed he was BSing, but I just found his obituary and it turns out his daughter's name was, indeed, "Amiee (Madeline) Deep":
Aimster was one of the many services that the record industry tried to shut down, both by filing suit against the company and by flooding it with takedown notices demanding that individual tracks be removed. Deep responded by "encoding" all of the track names on his network in pig-Latin. Then he claimed that by "decoding" the files (by moving the last letter of the track name to the first position), the record industry was "bypassing an effective access control for a copyrighted work" and thus violating DMCA 1201:
The court didn't buy this. The judge ruled that pig Latin isn't an "effective access control." Since then, we've known that at least some access controls aren't "effective" but we haven't had any clarity on where "effectiveness" starts. After all, there's a certain circularity to the whole idea of "effective" access controls: if a rival engineer can figure out how to get around an access control, can we really call it "effective?" Surely, the fact that someone figured out how to circumvent your access control is proof that it's not effective (at least when it comes to that person).
All this may strike you as weird inside baseball, and that's not entirely wrong, but there's one unresolved "effectiveness" question that has some very high stakes indeed: is Youtube's javascript-based obfuscation an "effective access control?"
Youtube, of course, is the internet's monopoly video platform, with a commanding majority of video streams. It was acquired by Google in 2006 for $1.65b. At the time, the service was hemorrhaging money and mired in brutal litigation, but it had one virtue that made it worth nine figures: people liked it. Specifically, people liked it in a way they didn't like Google Video, which was one of the many, many, many failed internally developed Google products that tanked, and was replaced by a product developed by a company that Google bought, because Google sucks at developing products. They're not Willy Wonka's idea factory – they're Rich Uncle Pennybags, buying up other kids' toys:
Google operationalized Youtube and built it up to the world's most structurally important video platform. Along the way, Google added some javascript that was intended to block people from "downloading" its videos. I put "downloading" in scare-quotes because "streaming" is a consensus hallucination: there is no way for your computer to display a video that resides on a distant server without downloading it – the internet is not made up of a cunning series of paper-towel rolls and mirrors that convey photons to your screen without sending you the bits that make up the file. "Streaming" is just "downloading" with the "save file" button removed.
In this case, the "save file" button is removed by some javascript on every Youtube page. This isn't hard to bypass: there are dozens of "stream-ripping" sites that let you save any video that's accessible on Youtube. I use these all the time – indeed, I used one last week to gank the video of my speech in Ottawa so I could upload it to my own Youtube channel:
Now, all of this violates Youtube's terms of service, which means that someone who downloads a stream for an otherwise lawful purpose (like I did) is still hypothetically at risk of being punished by Google. We're relying on Google to be reasonable about all this, which, admittedly, isn't the best bet, historically. But at least the field of people who can attack us is limited to this one company.
That's good, because there's zillions of people who rely on stream-rippers, and many of them are Youtube's most popular creators. Youtube singlehandedly revived the form of the "video essay," popularizing it in many guises, from "reaction videos" to full-fledged, in-depth documentaries that make extensive use of clips to illuminate, dispute, and expand on the messages of other Youtube videos.
These kinds of videos are allowed under US copyright law. American copyright law has a broad set of limitations and exceptions, which include "fair use," an expansive set of affirmative rights to access and use copyrighted works, even against the wishes of the copyright's proprietor. As the Supreme Court stated in Eldred, the only way copyright (a government-backed restriction on who can say certain words) can be reconciled with the First Amendment (a ban on government restrictions on speech) is through fair use, the "escape valve" for free expression embedded in copyright:
https://en.wikipedia.org/wiki/Eldred_v._Ashcroft
Which is to say that including clips from a video you're criticizing in your own video is canonical fair use. What else is fair use? Well, it's "fact intensive," which is a lawyer's way of saying, "it depends." One thing that is 100% true, though, is that fair use is not limited to the "four factors" enumerated in the statute and anyone who claims otherwise has no idea what they're talking about and can be safely ignored:
Now, fair use or not, there are plenty of people who get angry about their videos being clipped for critical treatment in other videos, because lots of people hate being criticized. This is precisely why fair use exists: if you had to secure someone's permission before you were allowed to criticize them, critical speech would be limited to takedowns of stoics and masochists.
This means that the subjects of video essays can't rely on copyright to silence their critics. They also can't use the fact that those critics violated Youtube's terms of service by clipping their videos, because only Youtube has standing to ask a court to uphold its terms of service, and Youtube has (wisely) steered clear of embroiling itself in fights between critics and the people they criticize.
But that hasn't stopped the subjects of criticism from seeking legal avenues to silence their critics. In a case called Cordova v. Huneault, the proprietor of "Denver Metro Audits" is suing the proprietor of "Frauditor Troll Channel" for clipping the former's videos for "reaction videos."
One of the plaintiff's claims here is that the defendant violated Section 1201 of the DMCA by saving videos from Youtube. They argue that Youtube's javascript obfuscator (a "rolling cipher") is an "effective access control" under the statute. Magistrate Judge Virginia K DeMarchi (Northern District of California) agreed with the plaintiff:
Remember, DMCA 1201 applies whether or not you infringe someone's copyright. It is a blanket prohibition on the circumvention of any "effective access control" for any copyrighted work, even when no one's rights are being violated. It's a way to transform otherwise lawful conduct into a felony. It's what Jay Freeman calls "Felony contempt of business model."
If the higher court upholds this magistrate judge's ruling, then all clipping becomes a crime, and the subjects of criticism will have a ready tool to silence any critic. This obliterates fair use, wipes it off the statute-book. It welds shut copyright's escape valve for free expression.
Now, it's true that the US Copyright Office holds hearings every three years where it grants exemptions to DMCA 1201, and it has indeed granted an exemption for ripping video for critical and educational purposes. But this process is deceptive! The exemptions that the Copyright Office grants are "use exemptions" – they allow you to "make the use." However, they are not "tools exemptions" – they do not give you permission to acquire or share the tool needed to make the use:
Which means that you are allowed to rip a stream, but you're not allowed to use a stream-ripping service. If Youtube's rolling cipher is an "effective access control" then all of those stream-ripping services are wildly illegal, felonies carrying a five-year sentence and a $500k fine for a first offense under DMCA 1201.
Under the US Copyright Office's exemption process, if you want to make a reaction video, then you, personally must create your own stream-ripper. You are not allowed to discuss how to do this with anyone else, and you can't share your stream-ripper with anyone else, and if you do, you've committed a felony.
So this is a catastrophic ruling. If it stands, it will make the production of video essays, reaction videos, and other critical videos into a legal minefield, by giving everyone whose video is clipped and criticized a means to threaten their critics with long prison sentences, fair use be damned. The only people who will safely be able to make this kind of critical video are skilled programmers who can personally defeat Youtube's "rolling cipher." And unlike claims about stream-ripping violating Youtube's terms of service – which can only be brought by Youtube – DMCA 1201 claims can be brought by anyone whose videos get clipped and criticized.
Is Youtube's rolling cipher an "effective access control?" Well, I don't know how to bypass it, but there are dozens of services that have independently figured out how to get around it. That seems like good evidence that the access control is not "effective."
When the DMCA was enacted in 1998, this is exactly the kind of thing experts warned would happen:
And here we are, more than a quarter-century later, living in the prison of lawmakers' reckless disregard for evidence and expertise, a world where criticism can be converted into a felony. It's long past time we get rid of this stupid, stupid law:
Samantha: This town has a weird smell that you're all probably used to…but I'm not.
Mrs Krabappel: It'll take you about six weeks, dear.
-The Simpsons, "Bart's Friend Falls in Love," S3E23, May 7, 1992
We are living through weird times, and they've persisted for so long that you probably don't even notice it. But these times are not normal.
Now, I realize that this covers a lot of ground, and without detracting from all the other ways in which the world is weird and bad, I want to focus on one specific and pervasive and awful way in which this world is not normal, in part because this abnormality has a defined cause, a precise start date, and an obvious, actionable remedy.
6 years, 5 months and 22 days after Fox aired "Bart's Friend Falls in Love," Bill Clinton signed a new bill into law: the Digital Millennium Copyright Act of 1998 (DMCA).
Under Section 1201 of the DMCA, it's a felony to modify your own property in ways that the manufacturer disapproves of, even if your modifications accomplish some totally innocuous, legal, and socially beneficial goal. Not a little felony, either: DMCA 1201 provides for a five year sentence and a $500,000 fine for a first offense.
Back when the DMCA was being debated, its proponents insisted that their critics were overreacting. They pointed to the legal barriers to invoking DMCA 1201, and insisted that these new restrictions would only apply to a few marginal products in narrow ways that the average person would never even notice.
But that was obvious nonsense, obvious even in 1998, and far more obvious today, more than a quarter-century on. In order for a manufacturer to criminalize modifications to your own property, they have to satisfy two criteria: first, they must sell you a device with a computer in it; and second, they must design that computer with an "access control" that you have to work around in order to make a modification.
For example, say your toaster requires that you scan your bread before it will toast it, to make sure that you're only using a special, expensive kind of bread that kicks back a royalty to the manufacturer. If the embedded computer that does the scanning ships from the factory with a program that is supposed to prevent you from turning off the scanning step, then it is a felony to modify your toaster to work with "unauthorized bread":
If this sounds outlandish, then a) You definitely didn't walk the floor at CES last week, where there were a zillion "cooking robots" that required proprietary feedstock; and b) You haven't really thought hard about your iPhone (which will not allow you to install software of your choosing):
But back in 1998, computers – even the kind of low-powered computers that you'd embed in an appliance – were expensive and relatively rare. No longer! Today, manufacturers source powerful "System on a Chip" (SoC) processors at prices ranging from $0.25 to $8. These are full-fledged computers, easily capable of running an "access control" that satisfies DMCA 1201.
Likewise, in 1998, "access controls" (also called "DRM," "technical protection measures," etc) were a rarity in the field. That was because computer scientists broadly viewed these measures as useless. A determined adversary could always find a way around an access control, and they could package up that break as a software tool and costlessly, instantaneously distribute it over the internet to everyone in the world who wanted to do something that an access control impeded. Access controls were a stupid waste of engineering resources and a source of needless complexity and brittleness:
But – as critics pointed out in 1998 – chips were obviously going to get much cheaper, and if the US Congress made it a felony to bypass an access control, then every kind of manufacturer would be tempted to add some cheap SoCs to their products so they could add access controls and thereby felonize any uses of their products that cut into their profits. Basically, the DMCA offered manufacturers a bargain: add a dollar or two to the bill of materials for your product, and in return, the US government will imprison any competitors who offer your customers a "complementary good" that improves on it.
It's even worse than this: another thing that was obvious in 1998 was that once a manufacturer added a chip to a device, they would probably also figure out a way to connect it to the internet. Once that device is connected to the internet, the manufacturer can push software updates to it at will, which will be installed without user intervention. What's more, by using an access control in connection with that over-the-air update mechanism, the manufacturer can make it a felony to block its updates.
Which means that a manufacturer can sell you a device and then mandatorily update it at a later date to take away its functionality, and then sell that functionality back to you as a "subscription":
Here's what this all means: any manufacturer who devotes a small amount of engineering work and incurs a small hardware expense can extinguish private property rights altogether.
What do I mean by private property? Well, we can look to Blackstone's 1753 treatise:
The right of property; or that sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe.
You can't own your iPhone. If you take your iPhone to Apple and they tell you that it is beyond repair, you have to throw it away. If the repair your phone needs involves "parts pairing" (where a new part won't be recognized until an Apple technician "initializes" it through a DMCA-protected access control), then it's a felony to get that phone fixed somewhere else. If Apple tells you your phone is no longer supported because they've updated their OS, then it's a felony to wipe the phone and put a different OS on it (because installing a new OS involves bypassing an "access control" in the phone's bootloader). If Apple tells you that you can't have a piece of software – like ICE Block, an app that warns you if there are nearby ICE killers who might shoot you in the head through your windshield, which Apple has barred from its App Store on the grounds that ICE is a "protected class" – then you can't install it, because installing software that isn't delivered via the App Store involves bypassing an "access control" that checks software to ensure that it's authorized (just like the toaster with its unauthorized bread).
It's not just iPhones: versions of this play out in your medical implants (hearing aid, insulin pump, etc); appliances (stoves, fridges, washing machines); cars and ebikes; set-top boxes and game consoles; ebooks and streaming videos; small appliances (toothbrushes, TVs, speakers), and more.
Increasingly, things that you actually own are the exception, not the rule.
And this is not normal. The end of ownership represents an overturn of a foundation of modern civilization. The fact that the only "people" who can truly own something are the transhuman, immortal colony organisms we call "Limited Liability Corporations" is an absolutely surreal reversal of the normal order of things.
It's a reversal with deep implications: for one thing, it means that you can't protect yourself from raids on your private data or ready cash by adding privacy blockers to your device, which would make it impossible for airlines or ecommerce sites to guess about how rich/desperate you are before quoting you a "personalized price":
It also means you can't stop your device from leaking information about your movements, or even your conversations – Microsoft has announced that it will gather all of your private communications and ship them to its servers for use by "agentic AI":
https://www.youtube.com/watch?v=0ANECpNdt-4
Microsoft has also confirmed that it provides US authorities with warrantless, secret access to your data:
This is deeply abnormal. Sure, greedy corporate control freaks weren't invented in the 21st century, but the laws that let those sociopaths put you in prison for failing to arrange your affairs to their benefit – and your own detriment – are.
But because computers got faster and cheaper over decades, the end of ownership has had an incremental rollout, and we've barely noticed that it's happened. Sure, we get irritated when our garage-door opener suddenly requires us to look at seven ads every time we use the app that makes it open or close:
But societally, we haven't connected that incident to this wider phenomenon. It stinks here, but we're all used to it.
It's not normal to buy a book and then not be able to lend it, sell it, or give it away. Lending, selling and giving away books is older than copyright. It's older than publishing. It's older than printing. It's older than paper. It is fucking weird (and also terrible) (obviously) that there's a new kind of very popular book that you can go to prison for lending, selling or giving away.
We're just a few cycles away from a pair of shoes that can figure out which shoelaces you're using, or a dishwasher that can block you from using third-party dishes:
It's not normal, and it has profound implications for our security, our privacy, and our society. It makes us easy pickings for corporate vampires who drain our wallets through the gadgets and tools we rely on. It makes us easy pickings for fascists and authoritarians who ally themselves with corporate vampires by promising them tax breaks in exchange for collusion in the destruction of a free society.
I know that these problems are more important than whether or not we think this is normal. But still. It. Is. Just. Not. Normal.
Something's very different in tech. Once upon a time, every bad choice by tech companies – taking away features, locking out mods or plugins, nerfing the API – was countered, nearly instantaneously, by someone writing a program that overrode that choice.
Bad clients would be muscled aside by third-party clients. Locked bootloaders would be hacked and replaced. Code that confirmed you were using OEM parts, consumables or adapters would be found and nuked from orbit. Weak APIs would be replaced with muscular, unofficial APIs built out of unstoppable scrapers running on headless machines in some data-center. Every time some tech company erected a 10-foot enshittifying fence, someone would show up with an 11-foot disenshittifying ladder.
Those 11-foot ladders represented the power of interoperability, the inescapable bounty of the Turing-complete, universal von Neumann machine, which, by definition, is capable of running every valid program. Specifically, they represented the power of adversarial interoperability – when someone modifies a technology against its manufacturer's wishes. Adversarial interoperability is the origin story of today's tech giants, from Microsoft to Apple to Google:
But adversarial interop has been in steady decline for the past quarter-century. These big companies moved fast and broke things, but no one is returning the favor. If you ask the companies what changed, they'll just smirk and say that they're better at security than the incumbents they disrupted. The reason no one's hacked up a third-party iOS App Store is that Apple's security team is just so fucking 1337 that no one can break their shit.
I think this is nonsense. I think that what's really going on is that we've made it possible for companies to design their technologies in such a way that any attempt at adversarial interop is illegal.
"Anticircumvention" laws like Section 1201 of the 1998 Digital Millennium Copyright Act make bypassing any kind of digital lock (AKA "Digital Rights Management" or "DRM") very illegal. Under DMCA, just talking about how to remove a digital lock can land you in prison for 5 years. I tell the story of this law's passage in "Understood: Who Broke the Internet," my new podcast series for the CBC:
For a quarter century, tech companies have aggressively lobbied and litigated to expand the scope of anticircumvention laws. At the same time, companies have come up with a million ways to wrap their products in digital locks that are a crime to break.
Digital locks let Chamberlain, a garage-door opener monopolist, block all third-party garage-door apps. Then, Chamberlain stuck ads in its app, so you have to watch an ad to open your garage-door:
These companies built 11-foot ladders to get over their competitors' 10-foot walls, and then they kicked the ladder away. Once they were secure atop their walls, they committed enshittifying sins their fallen adversaries could only dream of.
I've been campaigning to abolish anticircumvention laws for the past quarter-century, and I've noticed a curious pattern. Whenever these companies stand to lose their legal protections, they freak out and spend vast fortunes to keep those protections intact. That's weird, because it strongly implies that their locks don't work. A lock that works works, whether or not it's illegal to break that lock. The reason Signal encryption works is that it's working encryption. The legal status of breaking Signal's encryption has nothing to do with whether it works. If Signal's encryption was full of technical flaws but it was illegal to point those flaws out, you'd be crazy to trust Signal.
Signal does get involved in legal fights, of course, but the fights it gets into are ones that require Signal to introduce defects in its encryption – not fights over whether it is legal to disclose flaws in Signal or exploit them:
But tech companies that rely on digital locks manifestly act like their locks don't work and they know it. When the tech and content giants bullied the W3C into building DRM into 2 billion users' browsers, they categorically rejected any proposal to limit their ability to destroy the lives of people who broke that DRM, even if it was only to add accessibility or privacy to video:
The thing is, if the lock works, you don't need the legal right to destroy the lives of people who find its flaws, because it works.
Do digital locks work? Can they work? I think the answer to both questions is a resounding no. The design theory of a digital lock is that I can provide you with an encrypted file that your computer has the keys to. Your computer will access those keys to decrypt or sign a file, but only under the circumstances that I have specified. Like, you can install an app when it comes from my app store, but not when it comes from a third party. Or you can play back a video in one kind of browser window, but not in another one. For this to work, your computer has to hide a cryptographic key from you, inside a device you own and control. As I pointed out more than a decade ago, this is a fool's errand:
After all, you or I might not have the knowledge and resources to uncover the keys' hiding place, but someone does. Maybe that someone is a person looking to go into business selling your customers the disenshittifying plugin that unfucks the thing you deliberately broke. Maybe it's a hacker-tinkerer, pursuing an intellectual challenge. Maybe it's a bored grad student with a free weekend, an electron-tunneling microscope, and a seminar full of undergrads looking for a project.
The point is that hiding secrets in devices that belong to your adversaries is very bad security practice. No matter how good a bank safe is, the bank keeps it in its vault – not in the bank-robber's basement workshop.
For a hiding-secrets-in-your-adversaries'-device plan to work, the manufacturer has to make zero mistakes. The adversary – a competitor, a tinkerer, a grad student – only has to find one mistake and exploit it. This is a bedrock of security theory: attackers have an inescapable advantage.
So I think that DRM doesn't work. I think DRM is a legal construct, not a technical one. I think DRM is a kind of magic Saran Wrap that manufacturers can wrap around their products, and, in so doing, make it a literal jailable offense to use those products in otherwise legal ways that their shareholders don't like. As Jay Freeman put it, using DRM creates a new law called "Felony Contempt of Business Model." It's a law that has never been passed by any legislature, but is nevertheless enforceable.
In the 25 years I've been fighting anticircumvention laws, I've spoken to many government officials from all over the world about the opportunity that repealing their anticircumvention laws represents. After all, Apple makes $100b/year by gouging app makers for 30 cents on every dollar. Allow your domestic tech sector to sell the tools to jailbreak iPhones and install third party app stores, and you can convert Apple's $100b/year to a $100m/year business for one of your own companies, and the other $999,900,000,000 will be returned to the world's iPhone owners as a consumer surplus.
But every time I pitched this, I got the same answer: "The US Trade Representative forced us to pass this law, and threatened us with tariffs if we didn't pass it." Happy Liberation Day, people – every country in the world is now liberated from the only reason to keep this stupid-ass law on their books:
One of the questions I've been getting repeatedly from policy wonks, activists and officials is, "Is it even possible to jailbreak modern devices?" They want to know if companies like Apple, Tesla, Google, Microsoft, and John Deere have created unbreakable digital locks. Obviously, this is an important question, because if these locks are impregnable, then getting rid of the law won't deliver the promised benefits.
It's true that there aren't as many jailbreaks as we used to see. When a big project like Nextcloud – which is staffed up with extremely accomplished and skilled engineers – gets screwed over by Google's app store, they issue a press-release, not a patch:
These hacks are incredibly ambitious! How ambitious? How about a class break for every version of iOS as well as an unpatchable hardware attack on 8 years' worth of Apple bootloaders?
Now, maybe it's the case that all the world's best hackers are posting free code under pseudonyms. Maybe all the code wizards working for venture backed tech companies that stand to make millions through clever reverse engineering are just not as mad skilled as teenagers who want an ad-free Insta and that's why they've never replicated the feat.
Or maybe it's because teenagers and anonymous hackers are just about the only people willing to risk a $500,000 fine and 5-year prison sentence. In other words, maybe the thing that protects DRM is law, not code. After all, when Polish security researchers revealed the existence of secret digital locks that the train manufacturer Newag used to rip off train operators for millions of euros, Newag dragged them into court:
Tech companies are the most self-mythologizing industry on the planet, beating out even the pharma sector in boasting about their prowess and good corporate citizenship. They swear that they've made a functional digital lock…but they sure act like the only thing those locks do is let them sue people who reveal their workings.
Remember when we were all worried that Huawei had filled our telecoms infrastructure with listening devices and killswitches? It sure would be dangerous if a corporation beholden to a brutal autocrat became structurally essential to your country's continued operations, huh?
In other, unrelated news, earlier this month, Trump's DoJ ordered Apple and Google to remove apps that allowed users to report ICE's roving gangs of masked thugs, who have kidnapped thousands of our neighbors and sent them to black sites:
Apple and Google capitulated. Apple also capitulated to Trump by removing apps that collect hand-verified, double-checked videos of ICE violence. Apple declared ICE's thugs to be a "protected class" that may not be disparaged in apps available to Apple's customers:
Of course, iPhones can (technically) run apps that Apple doesn't want you to run. All you have to do is "jailbreak" your phone and install an independent app store. Just one problem: the US Trade Rep bullied every country in the world into banning jailbreaking, meaning that if Trump (a man who never met a grievance that was too petty to pursue) orders Tim Cook (a man who never found a boot he wouldn't lick) to remove apps from your country's app store, you won't be able to get those apps from anyone else:
Now, you could get your government to order Apple to open up its platform to third-party app stores, but they will not comply – instead, they'll drown your country in spurious legal threats:
Of course, Google's no better. Not only do they capitulate to every demand from Trump, but they're also locking down Android so that you'll no longer be allowed to install apps unless Google approves of them (meaning that Trump now has a de facto veto over your Android apps):
For decades, China hawks have accused Chinese tech giants of being puppeteered by the Chinese state, vehicles for projecting Chinese state power around the world. Meanwhile, the Chinese state has declared war on its tech companies, treating them as competitors, not instruments:
When it comes to US foreign policy, every accusation is a confession. Snowden showed us how the US tech giants were being used to wiretap virtually every person alive for the US government. More than a decade later, Microsoft has been forced to admit that they will still allow Trump's lackeys to plunder Europeans' data, even if that data is stored on servers in the EU:
Microsoft is definitely a means for the US to project its power around the world. When Trump denounced Karim Khan, the Chief Prosecutor of the International Criminal Court, for indicting Netanyahu for genocide, Microsoft obliged by nuking Khan's email, documents, calendar and contacts:
This is exactly the kind of thing Trump's toadies warned us would happen if we let Huawei into our countries. Every accusation is a confession.
But it's worse than that. The very worst-case speculative scenario for Huawei-as-Chinese-Trojan-horse is infinitely better than the non-speculative, real ways in which the US has killswitched and bugged the world's devices.
Take CALEA, a Clinton-era law that requires all network switches to be equipped with law-enforcement back-doors that allow anyone who holds the right credential to take over the switch and listen in, block, or spoof its data. Virtually every network switch manufactured is CALEA-compliant, which is how the NSA was able to listen in on the Greek Prime Minister's phone calls to gain competitive advantage for the competing Salt Lake City Olympic bid:
CALEA backdoors are a single point of failure for the world's networking systems. Nominally, CALEA backdoors are under US control, but the reality is that lots of hackers have exploited CALEA to attack governments and corporations, inside the US and abroad. Remember Salt Typhoon, the worst-ever hacking attack on US government agencies and large corporations? The Salt Typhoon hackers used CALEA as their entry point into those networks:
US monopolists – within Trump's coercive reach – control so many of the world's critical systems. Take John Deere, the ag-tech monopolist that supplies the majority of the world's tractors. By design, those tractors do not allow the farmers who own them to alter their software. That's so John Deere can force farmers to use Deere's own technicians for repairs, and so that Deere can extract soil data from farmers' tractors to sell into the global futures market.
A tractor is a networked computer in a fancy, expensive case filled with whirling blades, and at any time, Deere can reach into any tractor and permanently immobilize it. Remember when Russian looters stole those Ukrainian tractors and took them to Chechnya, only to have Deere remotely brick their loot, turning the tractors into multi-ton paperweights? A lot of us cheered that high-tech comeuppance, but when you consider that Donald Trump could order Deere to do this to all the tractors, on his whim, this gets a lot more sinister:
Any government thinking about the future of geopolitics in an era of Trump's mad king fascism should be thinking about how to flash those tractors – and phones, and games consoles, and medical implants, and ventilators – with free and open software that is under its owner's control. The problem is that every country in the world has signed up to America's ban on jailbreaking.
In the EU, it's Article 6 of the Copyright Directive. In Mexico, it's the IP chapter of the USMCA. In Central America, it's via CAFTA. In Australia, it's the US-Australia Free Trade Agreement. In Canada, it's 2012's Bill C-11, which bans Canadian farmers from fixing their own tractors, Canadian drivers from taking their cars to a mechanic of their choosing, and Canadian iPhone and games console owners from choosing to buy their software from a Canadian store:
These anti-jailbreaking laws were designed as a tool of economic extraction, a way to protect American tech companies' sky-high fees and rampant privacy invasions by making it illegal, everywhere, for anyone to alter how these devices work without the manufacturer's permission.
But today, these laws have created clusters of deep-seated infrastructural vulnerabilities that reach into all our digital devices and services, including the digital devices that harvest our crops, supply oxygen to our lungs, or tell us when Trump's masked shock-troops are hunting people in our vicinity.
It's well past time for a post-American internet. Every device and every service should be designed so that the people who use them have the final say over how they work. Manufacturers' back doors and digital locks that prevent us from updating our devices with software of our choosing were never a good idea. Today, they're a catastrophe.
The world signed up to these laws because the US threatened them with tariffs if they didn't do as they were told. Well, happy Liberation Day, everyone. The US told the world to pass America's tech laws or face American tariffs.
When someone threatens to burn down your house unless you do as you're told, and then they burn your house down anyway, you don't have to keep doing what they told you.
When Putin invaded Ukraine, he inadvertently pushed the EU to accelerate its solarization efforts, to escape their reliance on Russian gas, and now Europe is a decade ahead of schedule in meeting its zero-emissions goals:
Today, another mad dictator is threatening the world's infrastructure. For the rest of the world to escape dictators' demands, they will have to accelerate their independence from American tech – not just Russian gas. A post-American internet starts with abandoning the laws that give US companies – and therefore Trump – a veto over how your technology works.
Even though he's the darkest of clouds, Trump has some deeply weird silver linings, formed out of a combination of his self-owning isolationism and blunt aggression.
In my quarter-century as a digital activist, I've had cause to work in more than 30 countries. Wherever I went, I'd meet with policymakers about the rules they should be thinking about in order to make their technology work better for their countries. Every single time, they'd agree politely with me, but insist that making any kind of tech-improving rules was impossible, because the US trade representative would kick their teeth in if they tried.
For all of this century, the USTR has been one of the greatest global impediments to a better world, hopping from country to country, demanding policies that would protect American tech firms from foreign competitors – especially the kind of competitor who would improve on American tech products by protecting users' privacy, consumer rights or labor rights while they used them.
The most glaring example of this is "anticircumvention laws." Under these laws, it's illegal to modify any technology that has any kind of anti-modification defenses. In other words, if the manufacturer draws a kind of virtual dotted line around part of the product's software and labels it, "Do not look inside this box," then it becomes illegal to do so, even if you're trying to do something that's otherwise legal.
That means that if your printer is designed to reject generic ink, you can't change the code that verifies the ink cartridge. There's no law that says, "You have to buy your ink from the same company that sold you your printer," but if HP adds any kind of anti-modification measure to its ink-checking code, then disabling that code becomes a serious crime.
Now, these laws are obviously an invitation to mischief. They are used to prevent independent repair of everything from tractors to cars to phones to games consoles to ventilators. They're used to stop you from blocking ads or surveillance on your phone or "smart" TV. They keep you locked into manufacturers' app stores, payment systems and other add-ons, which means that you are constantly being ripped off with junk fees, and you can't install the software of your choosing, including software that will help you avoid being kidnapped by masked thugs and sent to a secret torture prison:
The US passed the first of these laws in 1998, when Bill Clinton signed the Digital Millennium Copyright Act. As the ink was still drying on Clinton's signature, the US trade rep started racing around the world, demanding that America's trading partners adopt their own version of the law:
As these laws were adopted around the world, US tech giants were given carte blanche to extract more money and data from their global users. American users were getting ripped off too, of course (they were the first victims of Big Tech), but at least the US stock market reaped the benefit of Big Tech's incredibly lucrative scams. But for America's trading partners, anticircumvention was an entirely losing proposition: their people got ripped off for their data and their money, and their tech companies couldn't go into business selling products to disenshittify America's cash-and-data extraction machines.
So why did America's trading partners agree to anticircumvention law? Well, that was down to the tender ministrations of the US trade rep. Countries that didn't pass anticircumvention were threatened with US tariffs.
I used to occasionally guest-lecture at an international relations grad program at the Central European University in Budapest, and one summer, I had a student who had served as the information minister to a Central American country while the US was negotiating the Central American Free Trade Agreement (CAFTA). This student described getting a phone call from their country's chief negotiator who said, "I know you told me not to budge on anticircumvention, but the USTR tells me that if we don't give them this, they will block our agricultural exports. I'm sorry." Country by country, the world fell into line.
When someone tells you, "You'd better do what I say or I'm going to burn your house down," and then they burn your house down, you'd be an absolute sucker if you kept up your part of the bargain.
I find it absolutely bizarre that the USTR spent decades racing around the world, getting every country on earth to sign up to "America First" policies by threatening them with tariffs, and then Trump actually imposed the tariffs anyway, which has opened up the space for every country to get rid of those America First policies.
Of course, that's not all Trump has done. He's also made it abundantly clear that he considers America's (former) allies to be geopolitical and economic competitors, and that US tech is one of the primary weapons he will use to wage war on the world. He got Canadian Prime Minister Mark Carney to cave on taxing Big Tech, which means that they'll be able to go on cheating on their taxes, while Canadian companies won't be able to, which means Canada's tech sector will never be able to compete:
https://www.bbc.com/news/articles/cd0vv2pe7ydo
Trump has also ordered the EU to scrap its new tech antitrust laws, the Digital Markets Act and the Digital Services Act, which aim to open up space for European competitors to US tech:
But more than that, Trump and US tech have teamed up to attack and deplatform public officials that Trump has beef with. Take Karim Khan, chief prosecutor of the International Criminal Court in the Hague. Khan swore out a criminal complaint and arrest warrant for the génocidaire Benjamin Netanyahu, and Trump sanctioned Khan. Then, Microsoft cut off Khan's access to his account, nuking his email, calendar, address book and files:
For officials all over the world, the message couldn't be clearer: Trump sees you as the enemy, and he will use American tech companies to cut you off at the knees if you don't roll over for him.
Enter the Eurostack. This is an initiative from the EU that seeks to fund and deploy open source equivalents to the platforms that the European public, its businesses and its governments are currently locked into:
Thus far, Eurostack's focus has been on building those Made-in-the-EU alternatives to the US tech stack, and on financing data-center rollout. But very shortly, Eurostack advocates are going to hit a wall.
Escaping from US Big Tech isn't merely a matter of having another service to move your data and interactions to. You also have to have a way to transition from the old, US service to the new Eurostack equivalent.
No government ministry, no business, no individual is going to manually copy-and-paste thousands (or millions) of documents out of Microsoft, Apple or Google's cloud into the Eurostack. No one is going to individually move all the edit histories, email chains, and file permissions over. These files and data-structures are essential to the people who created them, and they often contain sensitive information and compliance data that is illegal to delete.
Sure, the EU could try to order American Big Tech companies to create export tools so that Europeans can easily retrieve their data in formats that can be faithfully imported into Eurostack services, but we can already see how that will play out.
Last year's Digital Markets Act contains a modest set of "interoperability" requirements that require big US companies like Apple to open up their platforms to rival app stores and payment processors. Apple's monopoly over iPhone apps is a big deal – it lets the company structure the market for software in Europe, without any accountability or limits, and Apple extracts a 30% tax on every euro that changes hands via an iOS app. Globally, Apple makes more than $100b/year from this "app tax."
When the EU passed a law aimed at halting this racket, Apple lost its mind. First, they proposed a "solution" to this that was so onerous and tortured that it was a kind of sick joke:
Now, Apple has filed 18 legal challenges to any interoperability mandate under the DMA:
https://eur-lex.europa.eu/eli/C/2025/5213/oj/eng
If this is how an American tech company responds to a small-potatoes order to give Europeans more choice over how they use their own devices and data, imagine what these US giants will do if the EU orders them to open up their platforms so people can leave altogether!
The only plausible path from US Big Tech to the Eurostack runs straight through anticircumvention. The EU needs to repeal Article 6 of the Copyright Directive, a law it passed at the behest of the US Trade Representative, to protect the rent-extraction tactics of American tech companies. We need to make it legal for European technologists to reverse-engineer the American tech platforms' websites and apps so that Europeans can get their data out of America's tech silos and into open, sovereign, privacy-respecting, consumer rights-preserving, worker-protecting Eurostack versions.
Building the Eurostack without thinking about migration tools is a recipe for disappointment. It's like building housing for East Germans…in West Berlin, without sparing a thought for how those East Germans are going to get to the new apartment blocks.
The good news is, there's no reason to keep Article 6 of the Copyright Directive on the books. The law has always been a wreck. It's one of the primary barriers to Right to Repair: companies now build devices with "access controls" on their parts. Even after you install a new part into a device, it won't start working until the manufacturer's representative unlocks it (for a hefty fee). Under anticircumvention laws like EUCD Article 6, it's illegal to bypass these locks.
What's more, the digital locks that EUCD 6 protects are almost all to be found in American products. Only a handful of EU manufacturers rely on these, and they use them in terrible ways. Volkswagen used the fact that it was illegal to reverse-engineer its engines to disguise the fact that it was cheating on its emissions tests, and the resulting "Dieselgate" scandal killed thousands of Europeans:
Newag, a Polish train manufacturer, boobytraps the trains they sell. When these trains sense that they have been taken to a competitor's train-yard for maintenance, they render themselves inoperable. Newag then charges thousands of euros to remotely "repair" their own sabotage. When this was revealed by a team of independent security researchers, Newag used claims under EUCD 6 in an attempt to intimidate them into silence:
Mercedes won't let you unlock your new car's full acceleration capability unless you pay them a monthly subscription fee, and any mechanic who tries to bypass this and give you your whole engine's capability violates EUCD 6. BMW won't let you use the feature that auto-dims your high-beams when there's oncoming traffic, and once again, that can't be fixed by another company because of EUCD 6:
Any business that relies on EUCD 6 is garbage and should be killed with fire. The global champions of this legal sabotage are all American, but the EU companies that copied their business models are also trash and the EU should be terminating them with extreme prejudice.
It's pretty remarkable that we've forgotten about the kind of reverse-engineering that EUCD 6 bans. This used to be totally normal. Providing tools to move data from one system to another – without permission from your old vendor – is a completely legitimate business.
The only reason we forgot that this stuff existed is that the US trade rep spent 25 years lobotomizing us all, threatening us with tariffs if we dared to do anything that disrupted American Big Tech. With those companies, it's always "disruption for thee, never for me."
In a few short months, Trump has sown the seeds of the destruction of one of the world's most pernicious "America First" systems. Now, it's in the EU's power to send it to a long-overdue grave.
"Mr Cook, Mr Nadella, Mr Ellison, Mr Pichai – tear down that wall!"
Canada’s ground-breaking, hamstrung repair and interop laws
When the GOP trifecta assumes power in just a few months, they will pass laws, and those laws will be terrible, and they will cast long, long shadows.
This is the story of how another far-right conservative government used its bulletproof majority to pass a wildly unpopular law that continues to stymie progress to this day. It's the story of Canada's Harper Conservative government, and two of its key ministers: Tony Clement and James Moore.
Starting in 1998, the US Trade Rep embarked on a long campaign to force every country in the world to enact a new kind of IP law: an "anticircumvention" law that would criminalize the production and use of tools that allowed people to use their own property in ways that the manufacturer disliked.
This first entered the US statute books with the 1998 passage of the Digital Millennium Copyright Act (DMCA), whose Section 1201 established a new felony for circumventing an "access control." Crucially, DMCA 1201's prohibition on circumvention did not confine itself to protecting copyright.
Circumventing an access control is a felony, even if you never violate copyright law. For example, if you circumvent the access control on your own printer to disable the processes that check to make sure you're using an official HP cartridge, HP can come after you.
You haven't violated any copyright, but the ink-checking code is a copyrighted work, and you had to circumvent a block in order to reach it. Thus, if I provide you a tool to escape HP's ink racket, I commit a felony with penalties of five years in prison and a $500k fine, for a first offense. So it is that HP ink costs more per ounce than the semen of a Kentucky Derby-winning stallion.
This was clearly a bad idea in 1998, though it wasn't clear how bad an idea it was at the time. In 1998, chips were expensive and underpowered. By 2010, a chip that cost less than a dollar could easily implement a DMCA-triggering access control, and manufacturers of all kinds were adding superfluous chips to everything from engine parts to smart lightbulbs whose sole purpose was to transform modification into felonies. This is what Jay Freeman calls "felony contempt of business-model."
So when the Harper government set out to import US-style anticircumvention law to Canada, Canadians were furious. A consultation on the proposal received 6,138 responses opposing the law, and 54 in support:
And yet, James Moore and Tony Clement pressed on. When asked how they could advance such an unpopular bill, opposed by experts and the general public alike, Moore told the International Chamber of Commerce that every objector who responded to his consultation was a "radical extremist" with a "babyish" approach to copyright:
As is so often the case, history vindicated the babyish radical extremists. The DMCA actually has an official way to keep score on this one. Every three years, the US Copyright Office invites public submissions for exemptions to DMCA 1201, creating a detailed, evidence-backed record of all the legitimate activities that anticircumvention law interferes with.
Unfortunately, "a record" is all we get out of this proceeding. Even though the Copyright Office is allowed to grant "exemptions," these don't mean what you think they mean. The statute is very clear on this: the US Copyright Office is required to grant exemptions for the act of circumvention, but is forbidden from granting exemptions for tools needed to carry out these acts.
This is headspinningly and deliberately obscure, but there's one anecdote from my long crusade against this stupid law that lays it bare. As I mentioned, the US Trade Rep has made the passage of DMCA-like laws in other countries a top priority since the Clinton years. In 2001, the EU adopted the EU Copyright Directive, whose Article 6 copy-pastes the provisions of DMCA 1201.
In 2003, I found myself in Oslo, debating the minister who'd just completed Norway's EUCD implementation. The minister was very proud of his law, boasting that he'd researched the flaws in other countries' anticircumvention laws and addressed them in Norway's law. For example, Norway's law explicitly allowed blind people to bypass access controls on ebooks in order to feed them into text-to-speech engines, Braille printers and other accessibility tools.
I knew where this was going. I asked the minister how this would work in practice. Could someone sell a blind person a tool to break the DRM on their ebooks? Of course not, that's totally illegal. Could a nonprofit blind rights group make such a tool and give it away to blind people? No, that's illegal too. What about hobbyists, could they make the tool for their blind friends? No, not that either.
OK, so how do blind people exercise their right to bypass access controls on ebooks they own so they can actually read them?
Here's how. Each blind person, all by themself, is expected to decompile and reverse-engineer Adobe Reader, locate a vulnerability in the code and write a new program that exploits that vulnerability to extract their ebooks. While blind people are individually empowered to undertake this otherwise prohibited activity, they must do so on their own: they can't share notes with one another on the process. They certainly can't give each other the circumvention program they write in this way:
That's what a use-only exemption is: the right to individually put a locked down device up on your own workbench, and, laboring in perfect secrecy, figure out how it works and then defeat the locks that stop you from changing those workings so they benefit you instead of the manufacturer. Without a "tools" exemption, a use exemption is basically a decorative ornament.
So the many use exemptions that the US Copyright Office has granted since 1998 really amount to nothing more than a list of defects in the DMCA that the Copyright Office has painstakingly verified but is powerless to fix. We could probably save everyone a lot of time by scrapping the triennial exemptions process and replacing it with a permanent sign over the doors of the Library of Congress reading "Abandon hope, all ye who enter here."
All of this was well understood by 2010, when Moore and Clement were working on the Canadian version of the DMCA. All of this was explained in eye-watering detail to Moore and Clement, but was roundly ignored. I even had a go at it, publicly picking a fight with Moore on Twitter:
This was something of a grand finale for the pair. Today, Moore is a faceless corporate lawyer, while Clement was last seen grifting covid PPE (Clement's political career ended abruptly when he sent dick pics to a young woman who turned out to be a pair of sextortionists from Cote D'Ivoire, and was revealed as a serial sex-pest in the ensuing scandal:)
Even though Moore and Clement are long gone from public life, their signature achievement remains a Canadian disgrace, an anchor chain tied around the Canadian economy's throat, and an impediment to Canadian progress.
This week, two excellent new Canadian laws received royal assent: Bill C-244 is a broad, national Right to Repair law; and Bill C-294 is a broad, national interoperability law. Both laws establish the right to circumvent access controls for the purpose of fixing and improving things, something Canadians deserve and need.
But neither law contains a tools exemption. Like the blind people of Norway, a Canadian farmer who wants to attach a made-in-Canada Honeybee tool to their John Deere tractor is required to personally, individually reverse-engineer the John Deere tractor and modify it to talk to the Honeybee accessory, laboring in total secrecy:
Likewise the Canadian repair tech who fixes a smart speaker or a busted smartphone – they are legally permitted to circumvent in order to torture the device's repair codes out of it or force it to recognize a replacement part, but each technician must personally figure out how to get the device firmware to do this, without discussing it with anyone else.
Thus do Moore and Clement stand athwart Canadian self-reliance and economic development, shouting "STOP!" though both men have been out of politics for years.
There has never been a better time to hit Clement and Moore's political legacy over the head with a shovel and bury it in a shallow grave. Canadian technologists could be making a fortune creating circumvention devices that repair and improve devices marketed by foreign companies.
They could make circumvention tools to allow owners of consoles to play games by Canadian studios that are directly sold to Canadian gamers, bypassing the stores operated by Microsoft, Sony and Nintendo and the 30% commissions they charge. Canadian technologists could be making diagnostic tools that allow every auto-mechanic in Canada to fix any car manufactured anywhere in the world.
Canadian cloud servers could power devices long after their US-based manufacturers discontinue support for them, providing income to Canadian cloud companies and continued enjoyment for Canadian owners of these otherwise bricked gadgets.
Canada's gigantic auto-parts sector could clone the security chips that foreign auto manufacturers use to block the use of third party parts, and every Canadian could enjoy a steep discount every time they fix their cars. Every farmer could avail themselves of third party parts for their tractors, which they could install themselves, bypassing the $200 service call from a John Deere technician who does nothing more than look over the farmer's own repair and then types an unlock code into the tractor's console.
Every Canadian who prints out a shopping list or their kid's homework could use third party ink that sells for pennies per liter, rather than HP's official colored water that costs more than vintage Veuve Clicquot.
A Canadian e-waste dump generates five low-paid jobs per ton of waste, and that waste itself will poison the land and water for centuries to come. A circumvention-enabled Canadian repair sector could generate 150 skilled, high-paid community jobs that save gadgets and the Earth, all while saving Canadians millions.
Canadians could enjoy the resiliency that comes of having a domestic tech and repair sector, and could count on it through pandemics and Trumpian trade-war.
All of that and more could be ours, except for the cowardice and greed of Tony Clement and James Moore and the Harper Tories who voted C-11 into law in 2012.
Everything the "radical extremists" warned them of has come true. It's long past time Canadians tore up anticircumvention law and put the interests of the Canadian public and Canadian tech businesses ahead of the rent-seeking enshittification of American Big Tech.
Until we do that, we can keep on passing all the repair and interop laws we want, but each one will be hamstrung by Moore and Clement's "felony contempt of business model" law, and the contempt it showed for the Canadian people.
Antiusurpation and the road to disenshittification
Nineties kids had a good reason to be excited about the internet's promise of disintermediation: the gatekeepers who controlled our access to culture, politics, and opportunity were crooked as hell, and besides, they sucked.
For a second there, we really did get a lot of disintermediation, which created a big, weird, diverse pluralistic space for all kinds of voices, ideas, identities, hobbies, businesses and movements. Lots of these were either deeply objectionable or really stupid, or both, but there was also so much cool stuff on the old, good internet.
Then, after about ten seconds of sheer joy, we got all-new gatekeepers, who were at least as bad, and even more powerful, than the old ones. The net became Tom Eastman's "Five giant websites, each filled with screenshots of the other four." Culture, politics, finance, news, and especially power have been gathered into the hands of unaccountable, greedy, and often cruel intermediaries.
Oh, also, we had an election.
This isn't an election post. I have many thoughts about the election, but they're still these big, unformed blobs of anger, fear and sorrow. Experience teaches me that the only way to get past this is to just let all that bad stuff sit for a while and offgas its most noxious compounds, so that I can handle it safely and figure out what to do with it.
While I wait that out, I'm just getting the job done. Chop wood, carry water. I've got a book to write, Enshittification, for Farrar, Straus, Giroux's MCD Books, and it's very nearly done:
Compartmentalizing my anxieties and plowing that energy into productive work isn't necessarily the healthiest coping strategy, but it's not the worst, either. It's how I wrote nine books during the covid lockdowns.
And sometimes, when you're not staring directly at something, you get past the tunnel vision that makes it impossible to see its edges, fracture lines, and weak points.
So I'm working on the book. It's a book about platforms, because enshittification is a phenomenon that is most visible and toxic on platforms. Platforms are intermediaries, who connect buyers and sellers, creators and audiences, workers and employers, politicians and voters, activists and crowds, as well as families, communities, and would-be romantic partners.
There's a reason we keep reinventing these intermediaries: they're useful. Like, it's technically possible for a writer to also be their own editor, printer, distributor, promoter and sales-force:
But without middlemen, those are the only writers we'll get. The set of all writers who have something to say that I want to read is much larger than the set of all writers who are capable of running their own publishing operation.
The problem isn't middlemen: the problem is powerful middlemen. When an intermediary gets powerful enough to usurp the relationship between the parties on either side of the transaction, everything turns to shit:
A dating service that faces pressure from competition, regulation, interoperability and a committed workforce will try as hard as it can to help you find Your Person. A dating service that buys up all its competitors, cows its workforce, captures its regulators and harnesses IP law to block interoperators will redesign its service so that you keep paying forever, and never find love:
Multiply this a millionfold, in every sector of our complex, high-tech world where we necessarily rely on skilled intermediaries to handle technical aspects of our lives that we can't – or shouldn't – manage ourselves. That world is beholden to predators who screw us and screw us and screw us, jacking up our rents:
(Maybe this is a post about the election after all?)
The difference between a helpmeet and a parasite is power. If we want to enjoy the benefits of intermediaries without the risks, we need policies that keep middlemen weak. That's the opposite of the system we have now.
Take interoperability and IP law. Interoperability (basically, plugging new things into existing things) is a really powerful check against powerful middlemen. If you rely on an ad-exchange to fund your newsgathering and they start ripping you off, then an interoperable system that lets you use a different exchange will not only end the rip-off – it'll make it less likely to happen in the first place because the ad-tech platform will be afraid of losing your business:
Interoperability means that when Amazon rips off audiobook authors to the tune of $100m, those authors can pull their books from Amazon and sell them elsewhere and know that their listeners can move their libraries over to a different app:
But interoperability has been in retreat for 40 years, as IP law has expanded to criminalize otherwise normal activities, so that middlemen can use IP rights to protect themselves from their end-users and business customers:
https://locusmag.com/2020/09/cory-doctorow-ip/
That's what I mean when I say that "IP" is "any law that lets a business reach beyond its own walls and control the actions of its customers, competitors and critics."
For example, there's a pernicious 1998 US law that I write about all the time, Section 1201 of the Digital Millennium Copyright Act, the "anticircumvention law." This is a law that felonizes tampering with copyright locks, even if you are the creator of the underlying work.
So Amazon – the owner of the monopoly audiobook platform Audible – puts a mandatory copyright lock around every audiobook they sell. I, as an author who writes, finances and narrates the audiobook, can't provide you, my customer, with a tool to remove that lock. If I do so, I face criminal sanctions: a five-year prison sentence and a $500,000 fine for a first offense:
In other words: if I let you take my own copyrighted work out of Amazon's app, I commit a felony, with penalties that are far stiffer than the penalties you would face if you were to simply pirate that audiobook. The penalties for you shoplifting the audiobook on CD at a truck-stop are lower than the penalties the author and publisher of the book would face if they simply gave you a tool to de-Amazon the file. Indeed, even if you hijacked the truck that delivered the CDs, you'd probably be looking at a shorter sentence.
This is a law that is purpose-built to encourage intermediaries to usurp the relationship between buyers and sellers, creators and audiences. It's a charter for parasitism and predation.
But as bad as that is, there's another aspect of DMCA 1201 that's even worse: the exemptions process.
You might have read recently about the Copyright Office "freeing the McFlurry" by granting a DMCA 1201 exemption for companies that want to reverse-engineer the error-codes from McDonald's finicky, unreliable frozen custard machines:
Under DMCA 1201, the Copyright Office hears petitions for these exemptions every three years. If they judge that anticircumvention law is interfering with some legitimate activity, the statute empowers them to grant an exemption.
When the DMCA passed in 1998 (and when the US Trade Rep pressured other world governments into passing nearly identical laws in the decades that followed), this exemptions process was billed as a "pressure valve" that would prevent abuses of anticircumvention law.
But this was a cynical trick. The way the law is structured, the Copyright Office can only grant "use" exemptions, but not "tools" exemptions. So if you are granted the right to move Audible audiobooks into a third-party app, you are personally required to figure out how to do that. You have to dump the machine code of the Audible app, decompile it, scan it for vulnerabilities, and bootstrap your own jailbreaking program to take the Audible wrapper off the file.
No one is allowed to help you with this. You aren't allowed to discuss any of this publicly, or share a tool that you make with anyone else. Doing any of this is a potential felony.
In other words, DMCA 1201 gives intermediaries power over you, but bans you from asking an intermediary to help you escape another abusive middleman.
This is the exact opposite of how intermediary law should work. We should have rules that ban intermediaries from exercising undue power over the parties they serve, and we should have rules empowering intermediaries to erode the advantage of powerful intermediaries.
The fact that the Copyright Office grants you an exemption to anticircumvention law means nothing unless you can delegate that right to an intermediary who can exercise it on your behalf.
A world without publishing intermediaries is one in which the only writers who thrive are the ones capable of being publishers, too, and that's a tiny fraction of all the writers with something to say.
A world without interoperability intermediaries is one in which the only platform users who thrive are also skilled reverse-engineering ninja hackers – and that's an infinitesimal fraction of the platform users who would benefit from interoperability.
Let this be your north star in evaluating platform regulation proposals. Platform regulation should weaken intermediaries' powers over their users, and strengthen their power over other middlemen.
Put in this light, it's easy to see why the ill-informed calls to abolish Section 230 of the Communications Decency Act (which makes platform users, not platforms, responsible for most unlawful speech) are so misguided:
If we require platforms to surveil all user speech and block anything that might violate any law, we give the largest, most powerful platforms a permanent advantage over smaller, better platforms, run by co-ops, hobbyists, nonprofits, local governments, and startups. The big platforms have the capital to rig up massive, automated surveillance and censorship systems, and the only alternatives that can spring up have to be just as big and powerful as the Big Tech platforms we're so desperate to escape:
This is especially grave given the current political current, where fascist politicians are threatening platforms with brutal punishments for failing to censor disfavored political views.
Anyone who tells you that "it's only censorship when the government does it" is badly confused. It's only a First Amendment violation when the government does it, sure – but censorship has always relied on intermediaries. From the Inquisition to the Comics Code, government censors were only able to do their jobs because powerful middlemen, fearing state punishments, blocked anything that might cross the line, censoring far beyond the material actually prohibited by the law:
We live in a world of powerful, corrupt middlemen. From payments to real-estate, from job-search to romance, there's a legion of parasites masquerading as helpmeets, burying their greedy mouthparts into our tender flesh:
But intermediaries aren't the problem. You shouldn't have to stand up your own payment processor, or learn the ins and outs of real-estate law, or start your own singles bar. The problem is power, not intermediation.
As we set out to build a new, good internet (with a lot less help from the US government than seemed likely as recently as last week), let's remember that lesson: the point isn't disintermediation, it's weak intermediation.
Shifting $677m from the banks to the people, every year, forever
"Switching costs" are one of the great underappreciated evils in our world: the more it costs you to change from one product or service to another, the worse the vendor, provider, or service you're using today can treat you without risking your business.
Businesses set out to keep switching costs as high as possible. Literally. Mark Zuckerberg's capos send him memos chortling about how Facebook's new photos feature will punish anyone who leaves for a rival service with the loss of all their family photos – meaning Zuck can torment those users for profit and they'll still stick around so long as the abuse is less bad than the loss of all their cherished memories:
It's often hard to quantify switching costs. We can tell when they're high: say, if your landlord ties your internet service to your lease (splitting the profits with a shitty ISP that overcharges and underdelivers), the switching cost of getting a new internet provider is the cost of moving house. We can tell when they're low, too: you can switch from one podcatcher program to another just by exporting your list of subscriptions from the old one and importing it into the new one:
But sometimes, economists can get a rough idea of the dollar value of high switching costs. For example, a group of economists working for the Consumer Financial Protection Bureau calculated that the hassle of changing banks is costing Americans at least $677m per year (see page 526):
The CFPB economists used a very conservative methodology, so the number is likely higher, but let's stick with that figure for now. The switching costs of changing banks – determining which bank has the best deal for you, then transferring over your account histories, cards, payees, and automated bill payments – are costing everyday Americans more than half a billion dollars, every year.
Now, the CFPB wasn't gathering this data just to make you mad. They wanted to do something about all this money – to find a way to lower switching costs, and, in so doing, transfer all that money from bank shareholders and executives to the American public.
And that's just what they did. A newly finalized Personal Financial Data Rights rule will allow you to authorize third parties – other banks, comparison shopping sites, brokers, anyone who offers you a better deal, or helps you find one – to request your account data from your bank. Your bank will be required to provide that data.
And I like the final rule even better. They've really nailed this one, even down to the fine-grained details where interop wonks like me get very deep into the weeds. For example, a thorny problem with interop rules like this one is "who gets to decide how the interoperability works?" Where will the data-formats come from? How will we know they're fit for purpose?
This is a super-hard problem. If we put the monopolies whose power we're trying to undermine in charge of this, they can easily cheat by delivering data in uselessly obfuscated formats. For example, when I used California's privacy law to force Mailchimp to provide a list of all the mailing lists I've been signed up for without my permission, they sent me thousands of folders containing more than 5,900 spreadsheets listing their internal serial numbers for the lists I'm on, with no way to find out what these lists are called or how to get off of them:
So if we're not going to let the companies decide on data formats, who should be in charge of this? One possibility is to require the use of a standard, but again, which standard? We can ask a standards body to make a new standard, which they're often very good at, but not when the stakes are high like this. Standards bodies are very weak institutions that large companies are very good at capturing:
Here's how the CFPB solved this: they listed out the characteristics of a good standards body, listed out the data types that the standard would have to encompass, and then told banks that so long as they used a standard from a good standards body that covered all the data-types, they'd be in the clear.
Once the rule is in effect, you'll be able to go to a comparison shopping site and authorize it to go to your bank for your transaction history, and then tell you which bank – out of all the banks in America – will pay you the most for your deposits and charge you the least for your debts. Then, after you open a new account, you can authorize the new bank to go back to your old bank and get all your data: payees, scheduled payments, payment history, all of it. Switching banks will be as easy as switching mobile phone carriers – just a few clicks and a few minutes' work to get your old number working on a phone with a new provider.
This will save Americans at least $677 million, every year. Which is to say, it will cost the banks at least $670 million every year.
Naturally, America's largest banks are suing to block the rule:
Of course, the banks claim that they're only suing to protect you, and the $677m annual transfer from their investors to the public has nothing to do with it. The banks claim to be worried about bank-fraud, which is a real thing that we should be worried about. They say that an interoperability rule could make it easier for scammers to get at your data and even transfer your account to a sleazy fly-by-night operation without your consent. This is also true!
It is obviously true that a bad interop rule would be bad. But it doesn't follow that every interop rule is bad, or that it's impossible to make a good one. The CFPB has made a very good one.
For starters, you can't just authorize anyone to get your data. Eligible third parties have to meet stringent criteria and vetting. These third parties are only allowed to ask for the narrowest slice of your data needed to perform the task you've set for them. They aren't allowed to use that data for anything else, and as soon as they've finished, they must delete your data. You can also revoke their access to your data at any time, for any reason, with one click – none of this "call a customer service rep and wait on hold" nonsense.
What's more, if your bank has any doubts about a request for your data, they are empowered to (temporarily) refuse to provide it, until they confirm with you that everything is on the up-and-up.
I wrote about the lawsuit this week for EFF's Deeplinks blog:
In that article, I point out the tedious, obvious ruses of securitywashing and privacywashing, where a company insists that its most abusive, exploitative, invasive conduct can't be challenged because that would expose their customers to security and privacy risks. This is such bullshit.
It's bullshit when printer companies say they can't let you use third party ink – for your own good:
And it's bullshit when the banks say you can't change to a bank that charges you less, and pays you more – for your own good.
CFPB boss Rohit Chopra is part of a cohort of Biden enforcers who've hit upon a devastatingly effective tactic for fighting corporate power: they read the law and found out what they're allowed to do, and then did it:
The CFPB was created in 2010 with the passage of the Consumer Financial Protection Act, which specifically empowers the CFPB to make this kind of data-sharing rule. Back when the CFPA was in Congress, the banks howled about this rule, whining that they were being forced to share their data with their competitors.
But your account data isn't your bank's data. It's your data. And the CFPB is gonna let you have it, and they're gonna save you and your fellow Americans at least $677m/year – forever.