#eff
Holy CRAP the UN Cybercrime Treaty is a nightmare
Support me this summer on the Clarion Write-A-Thon and help raise money for the Clarion Science Fiction and Fantasy Writers' Workshop!
If there's one thing I learned from all my years as an NGO delegate to UN specialized agencies, it's that UN treaties are dangerous, liable to capture by unholy alliances of authoritarian states and rapacious global capitalists.
Most of my UN work was on copyright and "paracopyright," and my track record was 2:0; I helped kill a terrible treaty (the WIPO Broadcast Treaty) and helped pass a great one (the Marrakesh Treaty on the rights of people with disabilities to access copyrighted works):
https://www.wipo.int/treaties/en/ip/marrakesh/
It's been many years since I had to shave and stuff myself into a suit and tie and go to Geneva, and I don't miss it – and thankfully, I have colleagues who do that work, better than I ever did. Yesterday, I heard from one such EFF colleague, Katitza Rodriguez, about the Cybercrime Treaty, which is about to pass, and which is, to put it mildly, terrifying:
https://www.eff.org/deeplinks/2024/07/un-cybercrime-draft-convention-dangerously-expands-state-surveillance-powers
Look, cybercrime is a real thing, from pig butchering to ransomware, and there's real, global harms that can be attributed to it. Cybercrime is transnational, making it hard for cops in any one jurisdiction to handle it. So there's a reason to think about formal international standards for fighting cybercrime.
But that's not what's in the Cybercrime Treaty.
Here's a quick sketch of the significant defects in the Cybercrime Treaty.
The treaty has an extremely loose definition of cybercrime, and that looseness is deliberate. In authoritarian states like China and Russia (whose delegations are the driving force behind this treaty), "cybercrime" has come to mean "anything the government disfavors, if you do it with a computer." "Cybercrime" can mean online criticism of the government, or professions of religious belief, or material supporting LGBTQ rights.
Nations that sign up to the Cybercrime Treaty will be obliged to help other nations fight "cybercrime" – however those nations define it. They'll be required to provide surveillance data – for example, by forcing online services within their borders to cough up their users' private data, or even to pressure employees to install back-doors in their systems for ongoing monitoring.
These obligations to aid in surveillance are mandatory, but much of the Cybercrime Treaty is optional. What's optional? The human rights safeguards. Member states "should" or "may" create standards for legality, necessity, proportionality, non-discrimination, and legitimate purpose. But even if they do, the treaty can oblige them to assist in surveillance orders that originate with other states that decided not to create these standards.
When that happens, the citizens of the affected states may never find out about it. There are eight articles in the treaty that establish obligations for indefinite secrecy regarding surveillance undertaken on behalf of other signatories. That means that your government may be asked to spy on you and the people you love, they may order employees of tech companies to backdoor your account and devices, and that fact will remain secret forever. Forget challenging these sneak-and-peek orders in court – you won't even know about them:
https://www.eff.org/deeplinks/2024/06/un-cybercrime-draft-convention-blank-check-unchecked-surveillance-abuses
Now here's the kicker: while this treaty creates broad powers to fight things governments dislike, simply by branding them "cybercrime," it actually undermines the fight against cybercrime itself. Most cybercrime involves exploiting security defects in devices and services – think of ransomware attacks – and the Cybercrime Treaty endangers the security researchers who point out these defects, creating grave criminal liability for the people we rely on to warn us when the tech vendors we rely upon have put us at risk.
This is the granddaddy of tech free speech fights. Since the paper tape days, researchers who discovered defects in critical systems have been intimidated, threatened, sued and even imprisoned for blowing the whistle. Tech giants insist that they should have a veto over who can publish true facts about the defects in their products, and dress up this demand as concern over security. "If you tell bad guys about the mistakes we made, they will exploit those bugs and harm our users. You should tell us about those bugs, sure, but only we can decide when it's the right time for our users and customers to find out about them."
When it comes to warnings about the defects in their own products, corporations have an irreconcilable conflict of interest. Time and again, we've seen corporations rationalize their way into suppressing or ignoring bug reports. Sometimes, they simply delay the warning until they've concluded a merger or secured a board vote on executive compensation.
Sometimes, they decide that a bug is really a feature – like when Facebook decided not to do anything about the fact that anyone could enumerate the full membership of any Facebook group (including, for example, members of a support group for people with cancer). This group enumeration bug was actually a part of the company's advertising targeting system, so they decided to let it stand, rather than re-engineer their surveillance advertising business.
The idea that users are safer when bugs are kept secret is called "security through obscurity" and no one believes in it – except corporate executives. As Bruce Schneier says, "Anyone can design a system that is so secure that they themselves can't break it. That doesn't mean it's secure – it just means that it's secure against people stupider than the system's designer":
The history of massive, brutal cybersecurity breaches is an unbroken string of heartbreakingly naive confidence in security through obscurity:
https://pluralistic.net/2023/02/05/battery-vampire/#drained
But despite this, the idea that some bugs should be kept secret and allowed to fester has powerful champions: a public-private partnership of corporate execs, government spy agencies and cyber-arms dealers. Agencies like the NSA and CIA have huge teams toiling away to discover defects in widely used products. These defects put the populations of their home countries in grave danger, but rather than reporting them, the spy agencies hoard these defects.
The spy agencies have an official doctrine defending this reckless practice: they call it "NOBUS," which stands for "No One But Us." As in: "No one but us is smart enough to find these bugs, so we can keep them secret and use them to attack our adversaries, without worrying about those adversaries using them to attack the people we are sworn to protect."
NOBUS is empirically wrong. In the 2010s, we saw a string of leaked NSA and CIA cyberweapons. One of these, "Eternalblue" was incorporated into off-the-shelf ransomware, leading to the ransomware epidemic that rages even today. You can thank the NSA's decision to hoard – rather than disclose and patch – the Eternalblue exploit for the ransoming of cities like Baltimore, hospitals up and down the country, and an oil pipeline:
https://en.wikipedia.org/wiki/EternalBlue
The leak of these cyberweapons didn't just provide raw material for the world's cybercriminals, it also provided data for researchers. A study of CIA and NSA NOBUS defects found that there was a one-in-five chance of a bug that had been hoarded by a spy agency being independently discovered by a criminal, weaponized, and released into the wild.
Not every government has the wherewithal to staff its own defect-mining operation, but that's where the private sector steps in. Cyber-arms dealers like the NSO Group find or buy security defects in widely used products and services and turn them into products – military-grade cyberweapons that are used to attack human rights groups, opposition figures, and journalists:
https://pluralistic.net/2021/10/24/breaking-the-news/#kingdom
A good Cybercrime Treaty would recognize the perverse incentives that create the coalition to keep us from knowing which products we can trust and which ones we should avoid. It would shut down companies like the NSO Group, ban spy agencies from hoarding defects, and establish an absolute defense for security researchers who reveal true facts about defects.
Instead, the Cybercrime Treaty creates new obligations on signatories to help other countries' cops and courts silence and punish security researchers who make these true disclosures, ensuring that spies and criminals will know which products aren't safe to use, but we won't (until it's too late):
https://www.eff.org/deeplinks/2024/06/if-not-amended-states-must-reject-flawed-draft-un-cybercrime-convention
A Cybercrime Treaty is a good idea, and even this Cybercrime Treaty could be salvaged. The member-states have it in their power to accept proposed revisions that would protect human rights and security researchers, narrow the definition of "cybercrime," and mandate transparency. They could establish member states' powers to refuse illegitimate requests from other countries:
https://www.eff.org/press/releases/media-briefing-eff-partners-warn-un-member-states-are-poised-approve-dangerou
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/07/23/expanded-spying-powers/#in-russia-crime-cybers-you
Image: EFF https://www.eff.org/files/banner_library/cybercrime-2024-2b.jpg
CC BY 3.0 https://creativecommons.org/licenses/by/3.0/us/
sayonarawildhearts · 1 year
CITIZEN SLEEPER — ANNIVERSARY WALLPAPERS
robosylveon · 1 year
a very polite cat so be nice
utopicwork · 4 days
They want to privatize the frequencies LoRa and similar technologies operate on to... do similar things to what Meshtastic, PierMesh and a ton of other projects are working to address/have already addressed, but the innovation is that it's worse, and the specifics of what they want to do are secondary (secondary to GPS) geolocating that would only work in the so-called US.
marsdemo · 11 months
half the bandcamp team was just laid off, following epic's decision to sell bandcamp to songtradr (after acquiring bc in early 2022). much of this wave of layoffs included their editorial team, bandcamp daily. please keep your eye on their union, bandcamp united (+ their twitter), for next steps. it would probably also be a good idea to start archiving articles and downloading your digital purchases now, since it seems that no one's really sure what the next steps are for the platform
slicesofapple · 9 days
Hi there, this website guides you through calling reps and taking action against KOSA. It's easy to use.
addendum: actually this time around the tool helps send an email message. but it's pretty easy to find your rep's local office phone number and then call in and use the same talking points.
porterdavis · 26 days
This article gets into deep waters pretty quickly but the main takeaway is this: you're never alone and never not watched, whether you're on your computer or walking through a mall.
There are things you can do to protect yourself to a degree, but basically a surprisingly detailed analysis of who you are and what you do is only a few keystrokes away for those who know.
commiepinkofag · 6 months
Threat of KOSA Remains Despite Revisions
KOSA now has the support of 60 senators.
The larger organizations for 'respectable gays' like HRC, GLAAD & GLSEN have withdrawn opposition against KOSA in its latest draft.
These national conservative gay organizations continue to throw queer & trans folx under the bus.
American Civil Liberties Union still opposes KOSA
“At its core, KOSA is still an internet censorship bill that will harm the very communities it claims to protect,” said Jenna Leventoff, ACLU senior policy counsel. “The First Amendment guarantees everyone, including children, the right to access information free from censorship. We urge lawmakers to continue to amend this bill so the government is no longer the one determining what content is or is not fit for children.”
From ACLU:
Requiring or incentivizing age-verification chills speech for adults and minors
“Duty of Care” requirements still entice platforms to censor content
Government interference in online speech is unconstitutional
randokatz · 8 months
You guys remember when EFF was rlly popular on here and everyone made fan art and there were even ask blogs about it? Well I don't!
I got hyper fixated on EFF last year and now I'm sad that it's no longer popular (I totally haven't been stalking the escape from furnace tag at all btw)
Anyway here's some drawings I did of the cast cuz uh please let this get a bigger fandom again please
(Lmao try and guess who is who)
Good riddance to the Open Gaming License
Last week, Gizmodo’s Linda Codega caught a fantastic scoop — a leaked report of Hasbro’s plan to revoke the decades-old Open Gaming License, which subsidiary Wizards Of the Coast promulgated as an allegedly open sandbox for people seeking to extend, remix or improve Dungeons and Dragons:
https://gizmodo.com/dnd-wizards-of-the-coast-ogl-1-1-open-gaming-license-1849950634
The report set off a shitstorm among D&D fans and the broader TTRPG community — not just because it was evidence of yet more enshittification of D&D by a faceless corporate monopolist, but because Hasbro was seemingly poised to take back the commons that RPG players and designers had built over decades, having taken WOTC and the OGL at their word.
Gamers were right to be worried. Giant companies love to rugpull their fans, tempting them into a commons with lofty promises of a system that we will all have a stake in, using the fans for unpaid creative labor, then enclosing the fans’ work and selling it back to them. It’s a tale as old as CDDB and Disgracenote:
https://en.wikipedia.org/wiki/CDDB#History
(Disclosure: I am a long-serving volunteer board-member for MetaBrainz, which maintains MusicBrainz, a free, open, community-managed and transparent alternative to Gracenote, explicitly designed to resist the kind of commons-stealing enclosure that led to the CDDB debacle.)
https://musicbrainz.org/
Free/open licenses were invented specifically to prevent this kind of fuckery. First there was the GPL and its successor software licenses, then Creative Commons and its own successors. One important factor in these licenses: they contain the word “irrevocable.” That means that if you build on licensed content, you don’t have to worry about having the license yanked out from under you later. It’s rugproof.
Now, the OGL does not contain the word “irrevocable.” Rather, the OGL is “perpetual.” To a layperson, these two terms may seem interchangeable, but this is one of those fine lawyerly distinctions that trip up normies all the time. In lawyerspeak, a “perpetual” license is one whose revocation doesn’t come automatically after a certain time (unlike, say, a one-year car-lease, which automatically terminates at the end of the year). Unless a license is “irrevocable,” the licensor can terminate it whenever they want to.
This is exactly the kind of thing that trips up people who roll their own licenses, and people who trust those licenses. The OGL predates the Creative Commons licenses, but it neatly illustrates the problem with letting corporate lawyers — rather than public-interest nonprofits — unleash “open” licenses on an unsuspecting, legally unsophisticated audience.
The perpetual/irrevocable switcheroo is the least of the problems with the OGL. As Rob Bodine — an actual lawyer, as well as a dice lawyer — wrote back in 2019, the OGL is a grossly defective instrument that is significantly worse than useless.
https://gsllcblog.com/2019/08/26/part3ogl/
The issue lies with what the OGL actually licenses. Decades of copyright maximalism has convinced millions of people that anything you can imagine is “intellectual property,” and that this is indistinguishable from real property, which means that no one can use it without your permission.
The copyrightpilling of the world sets people up for all kinds of scams, because copyright just doesn’t work like that. This wholly erroneous view of copyright grooms normies to be suckers for every sharp grifter who comes along promising that everything imaginable is property-in-waiting (remember SpiceDAO?):
https://onezero.medium.com/crypto-copyright-bdf24f48bf99
Copyright is a lot more complex than “anything you can imagine is your property and that means no one else can use it.” For starters, copyright draws a fundamental distinction between ideas and expression. Copyright does not apply to ideas — the idea, say, of elves and dwarves and such running around a dungeon, killing monsters. That is emphatically not copyrightable.
Copyright also doesn’t cover abstract systems or methods — like, say, a game whose dice-tables follow well-established mathematical formulae to create a “balanced” system for combat and adventuring. Anyone can make one of these, including by copying, improving or modifying an existing one that someone else made. That’s what “uncopyrightable” means.
Finally, there are the exceptions and limitations to copyright — things that you are allowed to do with copyrighted work, without first seeking permission from the creator or copyright’s proprietor. The best-known exception in US law is fair use, a complex doctrine that is often incorrectly characterized as turning on “four factors” that determine whether a use is fair or not.
In reality, the four factors are a starting point that courts are allowed and encouraged to consider when determining the fairness of a use, but some of the most consequential fair use cases in Supreme Court history flunk one, several, or even all of the four factors (for example, the Betamax decision that legalized VCRs in 1984, which fails all four).
Beyond fair use, there are other exceptions and limitations, like the de minimis exemption that allows for incidental uses of tiny fragments of copyrighted work without permission, even if those uses are not fair use. Copyright, in other words, is “fact-intensive,” and there are many ways you can legally use a copyrighted work without a license.
Which brings me back to the OGL, and what, specifically, it licenses. The OGL is a license that only grants you permission to use the things that WOTC can’t copyright — “the game mechanic [including] the methods, procedures, processes and routines.” In other words, the OGL gives you permission to use things you don’t need permission to use.
But maybe the OGL grants you permission to use more things, beyond those things you’re allowed to use anyway? Nope. The OGL specifically exempts:
Product and product line names, logos and identifying marks including trade dress; artifacts; creatures characters; stories, storylines, plots, thematic elements, dialogue, incidents, language, artwork, symbols, designs, depictions, likenesses, formats, poses, concepts, themes and graphic, photographic and other visual or audio representations; names and descriptions of characters, spells, enchantments, personalities, teams, personas, likenesses and special abilities; places, locations, environments, creatures, equipment, magical or supernatural abilities or effects, logos, symbols, or graphic designs; and any other trademark or registered trademark…
Now, there are places where the uncopyrightable parts of D&D mingle with the copyrightable parts, and there’s a legal term for this: merger. Merger came up for gamers in 2018, when the provocateur Robert Hovden got the US Copyright Office to certify copyright in a Magic: The Gathering deck:
https://pluralistic.net/2021/08/14/angels-and-demons/#owning-culture
If you want to learn more about merger, you need to study up on Kregos and Eckes, which are beautifully explained in the “Open Intellectual Property Casebook,” a free resource created by Jennifer Jenkins and James Boyle:
https://web.law.duke.edu/cspd/openip/#q01
Jenkins and Boyle explicitly created their open casebook as an answer to another act of enclosure: a greedy textbook publisher cornered the market on IP textbooks and charged every law student — and everyone curious about the law — $200 to learn about merger and other doctrines.
As EFF Senior Staff Attorney Kit Walsh writes in her must-read analysis of the OGL, this means “the only benefit that OGL offers, legally, is that you can copy verbatim some descriptions of some elements that otherwise might arguably rise to the level of copyrightability.”
https://www.eff.org/deeplinks/2023/01/beware-gifts-dragons-how-dds-open-gaming-license-may-have-become-trap-creators
But like I said, it’s not just that the OGL fails to give you rights — it actually takes away rights you already have to D&D. That’s because — as Walsh points out — fair use and the other copyright limitations and exceptions give you rights to use D&D content, but the OGL is a contract whereby you surrender those rights, promising only to use D&D stuff according to WOTC’s explicit wishes.
“For example, absent this agreement, you have a legal right to create a work using noncopyrightable elements of D&D or making fair use of copyrightable elements and to say that that work is compatible with Dungeons and Dragons. In many contexts you also have the right to use the logo to name the game (something called “nominative fair use” in trademark law). You can certainly use some of the language, concepts, themes, descriptions, and so forth. Accepting this license almost certainly means signing away rights to use these elements. Like Sauron’s rings of power, the gift of the OGL came with strings attached.”
And here’s where it starts to get interesting. Since the OGL launched in 2000, a huge proportion of game designers have agreed to its terms, tricked into signing away their rights. If Hasbro does go through with canceling the OGL, it will release those game designers from the shitty, deceptive OGL.
According to the leaks, the new OGL is even worse than the original versions — but you don’t have to take those terms! Notwithstanding the fact that the OGL says that “using…Open Game Content” means that you accede to the license terms, that is just not how contracts work.
Walsh: “Contracts require an offer, acceptance, and some kind of value in exchange, called ‘consideration.’ If you sell a game, you are inviting the reader to play it, full stop. Any additional obligations require more than a rote assertion.”
“For someone who wants to make a game that is similar mechanically to Dungeons and Dragons, and even announce that the game is compatible with Dungeons and Dragons, it has always been more advantageous as a matter of law to ignore the OGL.”
Walsh finishes her analysis by pointing to some good licenses, like the GPL and Creative Commons, “written to serve the interests of creative communities, rather than a corporation.” Many open communities — like the programmers who created GNU/Linux, or the music fans who created MusicBrainz — were formed after outrageous acts of enclosure by greedy corporations.
If you’re a game designer who was pissed off because the OGL was getting ganked — and if you’re even more pissed off now that you’ve discovered that the OGL was a piece of shit all along — there’s a lesson there. The OGL tricked a generation of designers into thinking they were building on a commons. They weren’t — but they could.
This is a great moment to start — or contribute to — real open gaming content, licensed under standard, universal licenses like Creative Commons. Rolling your own license has always been a bad idea, comparable to rolling your own encryption in the annals of ways-to-fuck-up-your-own-life-and-the-lives-of-many-others. There is an opportunity here — Hasbro unintentionally proved that gamers want to collaborate on shared gaming systems.
That’s the true lesson here: if you want a commons, you’re not alone. You’ve got company, like Kit Walsh herself, who happens to be a brilliant game-designer who won a Nebula Award for her game “Thirsty Sword Lesbians”:
https://evilhat.com/product/thirsty-sword-lesbians/
[Image ID: A remixed version of David Trampier's 'Eye of Moloch,' the cover of the first edition of the AD&D Player's Handbook. It has been altered so the title reads 'Advanced Copyright Fuckery. Unclear on the Concept. That's Just Not How Licenses Work. No, Seriously.' The eyes of the idol have been replaced by D20s displaying a critical fail '1.' Its chest bears another D20 whose showing face is a copyright symbol.]
sayonarawildhearts · 9 months
ULTRAKILL — VIOLENCE WALLPAPERS
titleknown · 6 months
You know that one bad AI bill on likeness rights I talked about a bit ago? Yeah, there's another one advancing, and it's also bad, and if you don't believe me, then at least believe the EFF...
seohyun0306 · 11 months
Extremely proud to be a South African. The nation’s boyfriend never misses. The eff has been doing more for the Palestinian cause than the entire government of some countries.
Minnesotan law enforcement flew their drones without a warrant 4,326 times in 2023, racking up a state-wide expense of over $1 million. This marks a large, 41 percent increase from 2022.
Read More: https://thefreethoughtproject.com/cop-watch/police-are-using-drones-more-and-spending-more-for-them
#TheFreeThoughtProject