So much for enabling freedom!
by Al
Well, my last post was a bust for any response. It was syndicated to Planet Mozilla, has had a few hundred views, and the only comment on it is my own (posting what a friend of mine on Facebook said).
He said:
“I don’t know if Tor is the end-all-be-all, but the basic point would be: browser-based, quasi-auto-configuring anonymous darknets (that set up and tear down without a trace), and look something like other (e.g. HTTP) traffic would be a boon to free speech.
Until the government decided that it was aiding and abetting pedophilia, and banned it. Thankfully the first amendment does not apply there.”
On Twitter, Vinay Gupta, of Hexayurt fame, suggested:
“http://guptaoption.com/cheapid == identity backbone for dealing with things like distributed voting. You want timestamping and good, clear access to the HTTPS certificate chains to be able to encrypt messages to other users using client side certs.”
I had figured that I’d get more commentary than that on something that is very relevant to current news. I mean that this is blue sky territory, people. I know that there are more ideas on enabling openness and freedom through Firefox, Thunderbird, and in the platform than none at all. There have to be ideas out there on how to extend these to enable, for example, anonymous communication, routing around censorship, etc.
Meanwhile, I heard two stories while driving from work in the car on NPR yesterday relating to the use of Twitter, social networking, and the Internet in the current protests. I found the pieces immediately brought to mind the importance of the Internet and enabling openness as a core necessity.
Check out “In Iran, A Struggle Over Cyberspace” and “The Challenges To Turning Off The Internet In Iran”. The latter story even has the obligatory Jonathan Zittrain quote.
Update: Now Zittrain has posted in relation to this matter as well. I seem to be timely as this just went up: “Why the PC matters”.

Comments
Hey Al,
I think you are bumping up against the rc and people don’t have time to think about much else.
My personal feeling is that personal freedom and a free and open web are both very central to what we are and what we do *however* I feel constrained from talking about it openly for several reasons.
For one, it is difficult for an American to talk about personal freedom without seeming jingoistic to non-Americans. We as a community are much larger than any one country and I am reticent to offend anyone.
For another, personal freedom runs up against many entrenched foes from governments, corporations, and law enforcement that I would prefer to keep at a distance from the project. The current events in Iran show how central internet freedoms are to a free and open society, but Iran is not an outlier. Consider the threats from the U.S., U.K., German and Chinese governments where surveillance, tracking and censorship are commonplace today.
While we tend to think of the client as important, current events show that the internet itself and the services built upon it are the critical resources to protect and defend. I’m not sure how or if we should get involved with that.
One major caveat in trying to help people in countries which censor the information available on the web is that it gives them a firm reason to try to block access to the software itself (Firefox in this instance). I think that we should look into ways of incorporating functionality which helps in this regard as add-ons, and not into the core browser product. Add-ons such as Torbutton already do that to some extent.
Another major problem is how to make using such software easy for people. Instructing ordinary users to go and download Torbutton may work, but it would be exponentially more difficult to also teach them how to download and set up Tor itself. We need more user-friendly solutions, which for example include installing an add-on and clicking Go Private when the browser restarts. Such a solution will definitely mean having to ship 3rd party apps with an add-on and I’m not sure how feasible that is.
Well, there is the Backpack project, which allows people to create bundles of extensions and have them go in as one installation.
Torbutton is a funny case in that there is only one person really working on it. For a long time, it didn’t work on Firefox 3 at all. It was only when Firefox 2 was retired that the effort was made to get it to really work on 3. Now that 3.5 is coming out, I expect to see a similar behavior.
What extensions, beyond Torbutton, do you think there is a need for? Do these extensions already exist or would they need to be created?
FoxyProxy already goes a long way. It has a nice feature which allows you to define multiple proxies alongside each other and define URL patterns so that it automagically loads the URLs with or without a proxy using the patterns defined. It also has Tor integration, which means a wizard to define a proxy suitable for using with Tor. The golden feature is that it allows you to auto-add URL patterns to the list based on words on the page. The way it works is by exploiting the fact that when we use a normal Internet service here and attempt to access a forbidden website, a web page is shown instead containing text such as “The requested page is forbidden”. You can type in a regex in FoxyProxy which, once matched, indicates to FoxyProxy that the page is in fact a shim page stating that the real website is filtered, so it adds the website as a URL pattern to the proxy pattern list and reloads the page.
There are a number of technical issues which need to be solved before FoxyProxy can be fully functional. FoxyProxy only does the auto-add magic for HTML documents. So when you’re visiting a page which isn’t itself filtered but contains an image with a filtered URL pattern, the image does not load. Another limitation is the management of URL patterns. In my main browsing profile I have hundreds of URL patterns and when I need to modify an individual pattern, I have to go through the whole list manually (no searching or even sorting possible.) Another limitation is that the auto-add feature only works with a single pattern. You _can_ concatenate multiple patterns using the | regex operator of course, but it soon leads to chaos when you’re dealing with multiple filter shim pages.
Most importantly, FoxyProxy is only friendly to the tech-savvy. Normal users do not understand what a URL pattern is, or how to use the auto-add feature. All they want to do is to browse the web without being filtered. To make FoxyProxy friendly to the ordinary user, we need to have at least two features:
1. It should come with multiple anti-filtering packages built-in. Like I mentioned before, the ordinary user doesn’t know/care how to download and set up those extra pieces of software. And even if they do, using them is not easy all the time. For example the connection might drop dead on the anti-filtering software, and FoxyProxy and the whole browser have no idea about it so it goes on trying to connect through a dead proxy instead of reconnecting. Tor is already open-source and I think can be bundled with FoxyProxy, but it’s a big download (~7MB IIRC) which could make it impractical to bundle it with the extension.
2. Its user interface should be simplified to three browsing modes:
a) Filtered browsing: this is effectively browsing as if FoxyProxy were not installed — useful for cases when the user does not want to raise suspicion by using anti-filtering software.
b) Unfiltered browsing: this is effectively doing all the browsing through an available proxy — useful for cases when the speed of the anti-filtering software is good and the user doesn’t want to leave any trace.
c) Optimum browsing: this effectively means browsing using proxies based on the pattern list. If a page matches a pattern, then FoxyProxy should load it through a proxy, otherwise it shouldn’t. This mode should expose the auto-add feature in a much simpler way to the user: the user should only need to press a button like “This page is filtered”, and FoxyProxy should automatically analyze the source code of the page, extracting text (or DOM structure) which can be useful for identifying other such pages in the future, and add that as an auto-add pattern.
This should effectively give users a nearly zero-configuration anti-filtering solution (the only configuration needed being pressing the “This page is filtered” button.)
What do you think?
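
A minimal model of the auto-add behaviour and the three browsing modes described in the comment above, as an added example: it is not FoxyProxy's code, and `PatternRouter`, its methods, the hostnames and the second shim pattern are hypothetical. It accepts several shim detectors instead of one, which goes beyond what the comment says FoxyProxy supports.

```javascript
// Added illustration, not FoxyProxy code; every name here is hypothetical.
class PatternRouter {
  constructor(shimDetectors) {
    this.mode = "optimum"; // "filtered" | "unfiltered" | "optimum"
    this.shimDetectors = shimDetectors; // one regex per known shim page
    this.proxiedHosts = new Set(); // auto-added patterns, kept as hostnames
  }

  // Decide how a request is sent: "direct" or "proxy".
  route(url) {
    if (this.mode === "filtered") return "direct";
    if (this.mode === "unfiltered") return "proxy";
    return this.proxiedHosts.has(new URL(url).hostname) ? "proxy" : "direct";
  }

  // Inspect a response that arrived over the direct path.
  // Returns true when the caller should reload the URL through the proxy.
  inspect(url, contentType, body) {
    if (this.mode !== "optimum" || this.route(url) === "proxy") return false;
    // Only HTML is checked, so a blocked image or script is never detected:
    // the sub-resource limitation the comment describes.
    if (!/^text\/html\b/i.test(contentType)) return false;
    if (!this.shimDetectors.some((re) => re.test(body))) return false;
    this.proxiedHosts.add(new URL(url).hostname);
    return true;
  }
}

// Constructed sample traffic; the hosts and page bodies are made up.
function demo() {
  const router = new PatternRouter([
    /The requested page is forbidden/i, // shim text quoted in the comment
    /<title>\s*Access denied\s*<\/title>/i, // constructed second shim page
  ]);
  const shim = "<html><body>The requested page is forbidden</body></html>";
  const page = "http://news.example/story";
  const first = router.route(page);
  const reload = router.inspect(page, "text/html; charset=utf-8", shim);
  const second = router.route("http://news.example/other");
  const img = router.inspect("http://cdn.example/a.png", "image/png", shim);
  return { first, reload, second, img, imgRoute: router.route("http://cdn.example/a.png") };
}

console.log(demo());
```

Because the pattern is stored per hostname, one shim match changes routing for every later request to that host, and any page that merely quotes the shim text is also added.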