Software systems and institutional xenophobia

I don’t usually write about politics, because there are people with more sophisticated opinions and knowledge out there, compared to me, playing at the easiest level, to quote John Scalzi, and rarely having to fear for my future (except for when it comes to health problems). But today I need to point out something that worries me a lot.

We live in a society that, for good or bad (and I think it’s mostly for good), is more and more tied to computer systems. This makes it very easy for computer experts of one kind or another (like me!) to find a job, particularly a good paying job. But at the same time it should give us responsibilities for what we do with our jobs.

I complained on Twitter how most of the credit card application forms here in the UK are effectively saying «F**k you, immigrant scum» by not allowing you to complete the application process if you have less than three years’ addresses in the UK. In the case of a form I tried today, even though the form allows you to specify an “Overseas address” as previous address, which allows you to select Ireland as a country, it still verifies the provided post code to UK standards, and refuses you to continue the process without it.

This is not the first such form. Indeed, I ended up getting an American Express credit card because they were the only financial institution that could be convinced to take me on as a customer, with just two months living in this country, and a full history of addresses for the previous five years and more. And even for them, it was a bit of an issue to find an online form that did indeed allow me to type that in.

Yet another of the credit card companies rejected my request because “[my] file is too thin” — despite being able to prove to them I’m currently employed full time with a very well paying company, and not expecting to change any time soon. This is nearly as bad as the NatWest employee that wanted my employer’s HR representative to tell them how long they expected me to live in the UK.

But it’s not just financial institutions, it’s just at any place where you provide information, and you may end up putting up limitations that, though obviously fine for your information might not be for someone else. Sign-up forms where putting a space in a name or surname field is an error. Data processing that expects all names to only have 7-bit ASCII encoding. Electoral registries where names are read either as Latin 1 or Latin 2.

All of these might be considered smaller data issues of nearsighted developers, but they also show how these can easily turn into real discrimination.

When systems that have no reason to discard your request on the basis of the previous address have a mistake that causes the postcode validation to trigger on the wrong format, you’re causing a disservice and possible harm to someone who might really just need a credit card to be able to travel safely.

When you force people to discard part of their name, you’re going to cause them disservice and harm when they will need a full history of what they did — I had that problem in Ireland, applying for a driving learner permit, not realising that the bills for Bord Gáis Energy wrote down my name wrong (using Elio as my surname).

The fact that my council appears to think that they need to use Latin-2 to encode names, suggests they may expect that their residents are all either English or Eastern European, which in turn leads to the idea of some level of segregation of them away from Italian, French or Irish, all of which depend on Latin-1 encodings instead.

The “funnies” in Ireland was a certain bank allowing you to sign up online with no problems… as long as you had a PPS (tax ID) issued before 2013 — after that year, a new format for the number was in use, and their website didn’t consider it valid. Of course, it’s effectively only immigrants who, in 2014, would be trying to open a bank account with such codes.

Could all of these situation be considered problems with incompetence? Possibly yes. Lots of people are incompetents, in our field. But it also means that there was no coverage for these not-so-corner cases in the validation. So it’s not just an incompetent programmer, it’s an incompetent programmer paired with an incompetent QA engineer. And an incompetent product manager. And an incompetent UX designer… that’s a lot of incompetence put together for a product.

Or the alternative is that there is a level of institutional xenophobia when it comes to software development. In the UK just as in Ireland, Italy and in the United States. The idea that the only information that are being tested are those that are explicitly known to the person doing the development is so minimalist as to be useless. You may as well not validate anything.

Not having anyone from the stakeholders to the developers and testers consider “Should a person from a different culture with different naming, addressing, or {whatever else} norms be able to use this?” (or worse, consider it and answering themselves “no”), is something I consider xenophobia¹.

I keep hearing calls to pledge ethics in the field of machine learning (“AI”) and data collection. But I have a feeling that those fields have much less impact on the “median” part of the population. Which is not to say you shouldn’t have ethical consideration in them at all. But rather than we should start with teaching ethics in everyday’s data processing too.

And if you’re looking for some harsh laugh after this mood-killing post, I recommend this article from The Register.

¹ Yes I’m explicitly not using the word “racism” here, because then people will focus on that, rather than the problem. A form does not look at the colour of your skin, but does look at whether you comply with its creators idea of what’s “right”.

Ethical implications of selling routers

I write this while back in Italy at my mother’s. As with many of my peers, visiting the family back in old country means having to do free tech support for them. I loathe that, but for politeness I may oblige.

In this particular case, my neighbour asked me to look at his tablet, because it was showing up scammy ads every time he was visiting the website of University of Venice. I checked, and beside some fake-protection apps (sigh) the tablet looked fine. I told him to avoid using the stock Samsung browser and prefer Chrome or Firefox, but then I realized something else was amiss.

A very brief check on his home router found that the problem was clearly with that one: the admin password was the default of admin, the router admin page is accessible from the WAN interface (that is, to the whole Internet) and indeed the DNS servers were hijacked. Stop-gap solution was changing the default admin password, and setting Google Public DNS as the new server in DHCP.

Unfortunately the proper solution (disabling remote access to the admin interface) is not viable for this router, because this router model (TP-Link TD-W8961N v2) does not have a firmware update to fix the absurd ACL system that should lock you up from the outside, and that doesn’t, really. Indeed, the firmware that is installed on the device looks newer than the one on TP-Link’s website, but that’s just because it’s the Italian localized version.

Note: make sure you change the default password of your router even if remote access is disabled! While I used not to care and keep admin:admin/admin:password pairs, it’s getting way too easy to hijack browsers and sidestep the remote access limitations.

Up to here it would be your usual tale of people who don’t (and really shouldn’t need to) have a clue about security being caught on the crossfire. Things changed when he told me that he brought the router to service to the store he bought it from, because he needed to enable port forwarding for some videogame (didn’t say which ones.) Which means a store sold this insecure device, serviced it, and left the customer in a horribly insecure state.

Unfortunately there is really not much I can do about that store. Even though I could leave a negative review to it, I doubt anybody would be checking those reviews over here. And because they are friendly my neighbour is unlikely to stop going to that store, even though I advised against him. He was also sure he found a good deal with this router — it was available online for €55 but they sold it for just €29 — but I have a hunch that the online version would have been the same model in V3 form (which includes a firmware to fix the vulnerability above), while the store sold their previous stock of V2.

This goes again to my previous point that technologists have a responsibility towards their users, whether they are geeks or not. I think OpenWrt was a very good starting point for this, unfortunately for what I see the project stagnated and instead a number of commercial projects around it flourished, which only help to a point. Also, while OpenWrt works great if you need a “pure router”, it becomes vastly useless the moment when you live in a country like Italy, where most of the broadband still arrives in form of DSL, and you then need to look for a modem/router.

FSFE boasts a campaign to let you use whichever router you want but, beside being a very local campaign (compulsory routers were never a thing in Italy, for instance, and as far as I can tell, their campaign only focused on the German market), it also opens the possibility that users will choose cheaper, significantly less secure devices because they don’t care or more properly because they don’t realize how bad that is for them and Internet as we know it.

Some time ago, someone on the Italian parliament (I completely forgot who and I don’t care about it right now) proposed a law for which you would have to have a license to be able to install customer-premises equipment — most of the free software people have been against this proposal, including me. But I sometimes wonder if it made sense, to a point. Unfortunately I doubt acquiring that license would provide you the ethics necessary for this kind of job.

I don’t have easy solutions, but I do think we should be thinking about them. We need devices that are actually secure by default, and where the user has to try to make them insecure. We need ways to reuse devices without having to spend more money for them to be replaced, and after-market ROMs or WRT-style firmwares are that, except, because of targets, too many of those don’t apply to the people who need them the most.

Sharing my doubts about the FreedomBox presentation

Okay this is one of the things that I was supposed to write about right after FOSDEM. Too bad that I left Brussels for the wrong country, and I couldn’t find the time to write until I was back home — hopefully this won’t happen during my next trip, either because I get the Efika to run as I need it to, or because I’ll write from the iPad like I’ve done a couple of time recently; I followed Jb’s suggestion and got a Bluetooth keyboard, or to be precise, I got Belkin’s keyboard cover that, while bulky, makes it a perfect choice for writing on the train, or at a customer’s while I’m waiting.

The closing speech at FOSDEM this year was about FreedomBox a project I already knew from Matija and that I didn’t care much about. If anything, I was quite upset with the idea of a similar project due to the results coming from the Diaspora debacle and the pretence to just set something up and expect it never to require update and maintenance.

I was honestly hoping for some reassurance on the maturity of the project’s goal with that speech, but instead I found it the same as before: a bit too vague, a bit too concerned with how things appear rather than how they work. While the idea of working within the constraints of Debian has its advantages, just saying that “All Free Software will be packaged by Debian” is not going to make it true. Debian has had its share of issues with projects that are by all count Free Software, but not in the way they want them to be; think Schilling. I am generally in agreement with their choices on when not to package something, but that still does not make space for such a blanket statement.

They spent quite a bit of time talking about the DreamPlug computer they are using; while interesting, I haven’t read much about it n the past few months, as most of the excitement seems to have gone when more issues with overheating came through.. I haven’t worked with the hardware and thus I can’t make much of a review for that, but having heard a few of the issues with it while in the room, but not coming from the speaker at all, it seems like they have been sugar-coating the truth about the hardware a bit. Knowing one project’s limitations is generally a good idea.

But I think the main issue I got with the whole charade has been in the original presentation. With the name “FreedomBox” I was thinking that the whole spirit of the project would be sparked by the “usual” anti-corporatism that you find thriving in the Free, Open Source Software community, and which I don’t like to partake to most of the time. That’s what usually get people to complain if you host your blog with blogspot, or you use GMail for email, and so on so forth.

For those wondering: I host my own blog because I like being able to customize it, and while I no longer use the domain, my email is handled through Google Apps for Business… I find it more efficient than running my own mail infrastructure given that I only need two mailboxes: work and everything else.

Instead, what the speech went to talk about is … something much more iffy: from one point it would be much more serious than the anti-corporatism I already noted, but from the other I think it opens up a Pandora’s vase much more complex than it solves. Because what Bdale Garbee started talking about was how Facebook and other companies allow the US Government to scan for facial recognition the photos you upload on them.

Interestingly, he started with admitting that there are good uses for such an access, and then moved to say that it’s also a technology open to abuse on human rights. It’s hard to debate against this, but that’s also true of most of the possible technologies you have out there. That’s because no technology is, by itself, ethical or unethical: it’s the way you use it that make it one or the other. So I don’t think anybody would be arguing that there is no way that any government would abuse a technology that would allow them to identify a person by looking through the gigabytes of photos people upload to Facebook and other similar services. At the same time I guess it is hard to argue that such a technology would never be used for good, which I guess is the reason Mr. Garbee admitted right away that it has positive uses.

But that brings me to the issue that most irked me with the whole speech: he didn’t consider that the FreedomBox’s technology has the same capability to be abused. And this is one thing that really upsets me in most of the talks around software and services that allow you to “disappear”, they expect that being Free or Open Source software means they are by default intrinsically ethical. No way.

Americans seem to be used to the “terrorist cell” example; in Italy I’d probably use the Mafia example; but I think we can find everywhere in the world an example of some group of people who’d like to be invisible to the government, against everyday’s people interest, even where the government itself is against the people’s. Yes I know the famous Benjamin Franklin quote about freedom, but honestly even if a great person said something, doesn’t make it true by default any more than making software Free makes it ethical by default.

Anyway all of this is just my opinion, of course. You can agree or not, but honestly if Bdale Garbee is the best speaker on the topic, I’m not sold at all about the FreedomBox as it is.