Rick van Rein
Published

do 05 mei 2022

←Home

Identity 17: Future Warfare may be about Identity

Wars shift from using brute metallic instruments of opression, to ever more (mis)information as a battle force. With a bit of imagination, we can get an idea of the instruments that could be used in future warfare.

This is an opinion article in a mostly technical article series on identity.

Today, the Netherlands celebrates Liberation Day, marking the end of a Nazi occupation of our contry between 1940 and 1945. Fear and violence were the instruments used to oppress our people, but it gave rise to underground resistence. I have often wondered if I would have the courage to stand up and fight the enemy in such a war, but the work in the InternetWide project and its delivery as ARPA2 software may in fact be preparing for future warfare.

The current Ukraine war shows a more prominent role for information. Propaganda and control over resources are nothing new, Hitler did that too, but it does take on new forms. But another general pattern may be to introduce new technology with propagandistic messaging (marketing) but use it as a strategic advantage later on.

Adolf Hitler manifested himself through beer garden lectures with populist themes, his popularity grew and he promised prosperity through technical advancement with highways and a Volkswagen. The highways turned out to be infrastructure for fast tank movement operations.

Technical and economic advances can be convincing arguments while wheeling in instruments of oppression. When people have individual freedom of choice but no ideal or information to guide their choices, they fall back on economic optimisation. This includes making choices that turn out to have been short-sighted with more information. But these processes are difficult to stop; it is even the mechanism by which whole societies collapse, even when everybody sees it coming; individuals continue to fend for themselves when they feel they cannot do anything else. What could I do, I am only one. But no, many like-minded individuals can easily make a difference if they act as a mass.

This article is not predicting any concrete future war, but I am showing you some instruments that could be used and how we can all make smarter choices to evade them. And I am bringing forward the point that Liberation Day is there to remember that freedom is not a given, and that we should be mindful enough to not let it slip away.

Sovereignty

A strong motivation underpinning the Internet is to create as many bubbles of sovereign control as feel a need to exist. These bubbles of control can be as small or large as desired. The people who work on Internet standards, who implement them and develop central infrastructure are highly concerned about this level of fundamental freedom. This plane of society is rife with open source contributors and open protocol adherents, both vital ingredients of online sovereignty.

This attitude has brought us domain names, which anyone can register for a humble fee and completely control. It has given us email, under full control of a domain owner (if they decide to go that extra mile, instead of selling out to a large provider outside their control). And it has brought us strong cryptographic mechanisms so we can prove who we are, or to be as concealed as we like. Bitcoin and Ethereum are recent examples which, in spite of their devastating energy expenditure, take a first step towards freedom in the monetary area.

Freedom is one concern out of many. It is more common to look at expenses and treat freedoms (such as privacy and sovereignty) as afterthoughts. This usually means that we give up on those aspects of our lives, because they are not expressed in our spreadsheets. In addition, computer services scale very well (cloning a general mechanism is almost free) and if these services make their earnings from jeopardising these freedoms, then we are bound to make silly choices. And indeed, that has become mainstream practice. We store our data, even our identity, at a few very large silos who crack away at it to analyse how to squeeze earnings out of us indirectly. The use of patterns with the intent of marketing suggestions is a direct insult to our freedom of choice.

Every one of those silos is operated under a jurisdiction, with major ramifications for your sovereignty. In practical terms, your online presence is subjected to inspection and eradication under not only the commercial motivations of your service provider, but also the policital motivations of the country in control. Privacy has no visible price tag, so is easily forgotten in the interest of economic saving.

Selling out 101: University of Twente

I studied at the Unversity of Twente in the early 90's, and still come there every once in a while. It saddens me to showcase this wonderful institution as one that is giving away all control in such a systematic manner that it reeks of conspiracy. But honestly, I believe it to be penny-pinching that makes the university make silly choices.

Aside from thrift there must also be a lack of clear thinking, because many UT members must have read Orwell's book 1984, and still they let it happen. I use the university as an example of a common trend, because it is the last place where you would expect money to be more powerful than knowledge. So while reading this, keep in mind that many people are making similar choices, and giving up their freedom and sovereignty for a few measly euros. There is no such thing as "economic rationalisation", it is an excuse for penny-pinching at the expense of human values.

  • Students have almost abandoned email and are only practically available via chat. They collectively make the populist choice, namely WhatsApp. It is amazing that something as trivial as passing around small texts in virtual realtime would call for such an invasion of privacy, but since it is an enclosed environment, it's a black-or-white, either you're with us or you're against us choice.

    Students are young, and have an age that allows them to make mistakes and learn from them. But it is surprising that a trivial chat service is not made available as an open protocol to the many thousands of students and staff that are active on this (technical?) university. All student organisations want similar facilities, and it would be quite possible to provide these in bulk. It is a missed opportunity to teach students that they can control technology; instead it teaches them to run off to Google and be mindless consumers if they want to do things online. It makes them impose privacy regulations of Mailchimps because that is the only realistic choice available to a sports club.

    When I studied, the driving idea was to empower students as makers, rather than prepare us for a life as click bait. The university's sell-out started by not taking responsibility, the first mistake of my university. It got worse from there on.

  • With vague marketing notions of one shared image the complete control over all websites of the university were centralised on one server. The prior existence of subdomains for faculties and their research groups has all been redirected into one glowing image. With more colour and far less information about the work of the various groups.

    What nobody seems to notice in such a change is that complete control over a very large organisation can now be had in one stroke. Content becomes political when you centralise it. It is subjected to black-hat as well as white-collar abuses. Someone might break in to do much more harm; or one might sell out the underlying data and surrender much more individual liberty than any research group might individually have wanted to let happen.

  • During Corona, teaching was streamed with Big Blue Button, a piece of open source software that worked effortlessly. It has now been replaced by a business solution, with the excuse that one vital function was lacking, in reality just a small control.

    Yes, we are talking about a (technical?) university that invades privacy rather than making a fix to open source code, which they could then donate back to the benefit of everyone else. Rather than this one-time investment they choose to surrender either money on a reguary basis, or some aspect of their sovereignty (or their students').

    Passing core information services over to external providers means that their privacy conditions will have to be accepted. External staff will get to see a lot of data passing by, including private information (student identity) and when used for research discussions it may leak business-critical information that may be passed on to 3rd parties down a chain of responsibility. If any link along that chain leaks, or is subjected to the laws of another jurisdiction, then it may be problematic to the organisation and its core business, even for a university where research is considered private/internal up to the point of publication.

    These external providers do not write their privacy regulations to protect you, but merely to defend themselves against laws that intend to protect the online freedoms that are so easily lost when externalising hosting. The usual sign of this is lengthy privacy regulations.

    Note that universities have no shortage of young intelligent people, eager to pickup such chores for a modest fee. It should be completely trivial to modify open source systems from time to time, and it has been a normal practice before universities started to centralise control over information technology, and treat it as an expense rather than a vital part of their organisation.

  • Email was another one of those scattered things that gave way to sovereignty of research groups. It has now been collected under one domain, and central control. As part of this process, many identities of the entire university got @exchange.utwente.nl as their domain because, yes indeed, the control over email has been handed out to an American company.

    It is a common Dutch management style to separate those with decisive power from those who know what would be clever. You would hope that universities were smarter than that, but mine clearly is not. Had the decision been well-informed, than a technician would have explained that MX records can be hung under any (sub)domain to point to any hostname, so a service provider never needs to dictate the email domain, not even when they ask for a hostname under the domain the receives email (and even that is not necessary). I would really like to know why email addresses posted on top of articles in scientific journals can no longer be reached. I doubt there is anything scientifically relevant, though.

    Also, if I can run my own email server, why could a university not do the same? The only work is to add and remove users from time to time, something that can easily be automated, and software upgrades, which a Linux distribution handles. On the other hand, given that the exchange. prefix is (part of) a trademark of Microsoft, would it be possible to move that email domain to another service provider in the future, without facing lawsuits? If anything, then trademarks are about product naming, and I can imagine Microsoft winning a lawsuit over it, causing the entire UT staff to face yet another change of email addresses and all journal article addresses to be rendered invalid once more. In practice, the university may now be stuck with their current email provider. Who can now demand anything they want from them.

    The university has jeopardised its online freedom.

  • Telephony is another such thing. It has been moved over completely to the same provider as for email. Email and telephony together represent incredible control over what goes on at a university.

    Maybe you consider telephony as a remnant of the past, overtaken by mobile telephony. But consider that a modern phone runs on software that needs to connect to the Internet; it is a microphone with remote control. It is the last place where you should want to run automated updates with closed-source software from a company under another jurisdiction. Doing so strikes at the heart of what a university is about: research and development and, to some degree, having a competitive edge based on not-yet-published research.

  • Login to most services, including knowledge (in the library) is subject to access control. It has been mandated that this is two-factor authentication for everything. (Interestingly, this is even the case for temporary accounts that are casually handed out to visitors and alumni, and that last a few days.)

    Access to knowledge in the form of books and scientific papers in my university is now subject to approval by an external party from another jurisdiction.

    Should we expect them to also offer search facilities and start controlling what is shown to faculty members?

  • Control is now closing in on the edges. If you want to engage in sports, you always needed a card that grants access to facilities. This makes sense, as it helps to maintain those facilities at the expense of its users. Recently, an announcement was made that access control gates are to be used, so you basically need to surrender your identity before you can pee or take a shower.

    The system adds no value at all, except for more control and data processing, which is likely to be placed in the hands of an information giant in time to come.

This development is happening in many places at the same time. Gradually, we are giving away control over our online presence, and in part even our everyday livelihood. But it happens so slowly that journalists barely report on it. And it is so abstract that only well-informed people draw a line in the sand that they will not have crossed. Most people just let it happen. How long was the uproar over the last change in privacy regulations of Facebook? And how many have closed their account? How do you boil a frog? One degree at a time; going slowly so it does not notice the change.

Future Warfare over Identity

I have been surprised by the effectiveness of taking Russia out of international payment systems. A response to require ruble payment for gas payments makes sense from their perspective. But in general, warfare never makes sense to me, because it is all destructive. It has a disruptive effect on many people, without any gain for anyone. (In my PhD thesis "stellingen" I stated Oorlog betekent dat iemand met een te groot ego op een te hoge post zit. and that still seems valid to me.)

When disruption of every day life is a goal, any form of dependency becomes a strategic advantage. Today it is gas versus banking, but I predict that there will be a growing role for dependency on online services.

I predict that future warfare will move towards control over online identity and online data.

Imagine a war in which WhatsApp blocks messaging, where Gmail forgets your email history or Microsoft refuses to acknowledge your second factor authentication. Many of us have given up their sovereignty as if it was a tradeable service like the supply of electricity. Except that these online services are not anonymous; they encapsulate your identity, that is the names by which you are known to others, to the servers to which you logon, and so on. They may even be the place where your contact list is stored. Without access to these, you would be paralysed for a large part of your life.

In case of a war, you do not want to have given up sovereignty over your information. You want to own your mailbox. You want to control authentication choices at services run by others, so you want to control your online identity. You want to communicate effortlessly. And you want to have prepared your privacy so you can speak freely. Not just you, but your nation ought to be free of information leaks.

Our World is facing serious resource problems, and these are likely triggers for war. But even if that does not happen, there already is a slow-paced battle going on. The control over identity, data and social networks is migrating into the hands of a few large silos that use it for their own good — and may be required by their governments to make it available to them too. This poses a serious strategic disadvantage. The more data and control you land with a large site, the more likely it is that they will increase demands. It will be a gradual process; increasing expenses or, more likely, increased control over how they may interfere with your online conduct. This is taking place today. It is not as obvious as a war with guns and tanks, but it is nonetheless a fight for individual freedom.

A war is blunt and direct. Creeping erosion of online freedom is much more subtle, but it can cause similarly high levels of devestation.

I can no longer exchange email with members of the University of Twente without Microsoft watching over my shoulders. I cannot access its library books and academic research papers without Microsoft controlling my acces. I cannot freely discuss matters of academic or personal nature at a university office without a risk of being overheard through a Microsoft phone (if not by a Amazon Alexa or Google Assistent).

Communication involves more than one party. If the other sells out on their own privacy, they also sacrifice that of their communication peers. This is anti-social behaviour and may interfere with the willingness of others to communicate.

The university has adopted a no-smoking policy for its campus, but I can think of more useful forms of personal hygien: Just like you don't want to poison others with second-hand smoke, it is a professional practice to not poison others with the information leaking out from your services.

InternetWide Sovereignty is up for grabs

Humans can do wonderful things when they collaborate. Competition is said to bring out the best in people, but in my own humble experience, innovation is more often the result of people tinkering from intrinsic motivation than under economic pressure, at least in technology. And it is this individual tinkering that needs freedom to move, to publish and exchange ideas with like-minded individuals. Ideas flourish under an open and free network of people. Not under central control, nor under marketing strategies. This is why I used the University of Twente as an example; it is an ultimate place where these freedoms and forms of individuality are a requisite for the primary productive process.

But the Internet is there, and can still remedy these problems. This applies to a university as well as to individuals and commercial companies. And the price level is completely affordable.

  • Open source software is licensed in such a way that you have end control. Even if you don't actively participate in its development, you can make a quick fork to make a small improvement and suggest its integration in future versions. It is this easy to exercise control over software, and is a light process in comparison to getting it done by a commercial service provider, precisely because you can do it yourself. Or, as a result of the openness, find one of many people willing and able to help you out for a modest one-time payment.

  • Open protocols are standardised in such a way that compliance can be verified by technicians. There is no need for lawyers or lawsuits to get compatibility problems sorted out. More importantly, technicians can fix problems and are glad to do so if it improves compatibility. But note well; this only works if a party is not "too big to fail". Large parties tend to have an "embrace and kill" strategy that starts off with a standard and adds proprietary extensions that can make them functionally incompatble. Be weary of such extensions, especially if they are not documented or if other obstructions block others from moving along.

    Most of us are no fan of Jehova's teachings and its ideas of expelling members from their communities when they break with their religion. And yet, we seem to accept closed protocols and services that only talk to those who use the same domain — a domain that thereby gains full control over online identities and their ability to communicate.

  • Domain names give you full control over online identities. You want to own your domain name and be in control of its DNS servers. If you cannot do this, be willing to pay a service provider under a fair contract.

    Subdomains provide a way of passing control down to a department without giving up the power to retract that control. For a subdomain manager, the benefit of a subdomain is to have an identity that is verifiably part of a larger whole.

  • Mail and web under a domain name are stock items for most hosting providers, and you can choose one that meets your criteria for privacy and storage resilience. By all means, avoid the slightly cheaper silos that are so large-scaled that you can only control them up to their level of desire. You get what you paid for. The unbalance of power at large silos is going to be costly at some point.

    At the very least, plan an escape route with any hosting provider; control identity and do not use their domain (or one with their trademark), have downloads of all data (or the contractual right to get it when you close down) and make sure you can redirect traffic elsewhere.

  • Chat is completely trivial to setup and run as an open protocol under your domain, and it can easily be offered for free. A good choice is XMPP, which is wonderfully and openly standardised, is heavily used, has many open source implementations and can even integrate with less-open chat solutions.

    End-user applications are often liked for a slick user interface; with an open protocol and open source you it would be simple to have a slick mobile app produced just for you. You might gradually expand the app to deliver other bits of data over its authenticated channels. XMPP at least has a generous tradition of extensions.

    Why are we using so many chat applications? Because they are cheap to run and simple to offer; it passes terse data that is fit for statistical analysis, and if it is a closed protocol a full overview of users and their connectivity can be seen, and that data is exclusively available to the chat service. In short, it helps to sell advertisements.

    These "benefits" disappear with open protocols, which would allow users to connect to anyone and everywhere. Open protocols serve users, rather than service providers.

  • Identity is a typical service to not lay in the hands of a data-hungry party. This is the right to enter your account and look around, after all! Even if current agreements do not do not use this technical ability, it might happen in a future "upgrade" of service conditions. Will your corporate lawyer detect such issues? Is your technical staff capable of changing providers in such an event? How costly will such a change be? Where do you draw the line, and how economical is that choice?

    This article series discusses options for having control over your online identity and staying in control. We used intentional extension facilities in protocols to make this possible, wrote open protocol specifications that we aim to standardise via the Internet Engineering Task Force, and we see many ways of integrating it into most of the protocols we use today. Not just the (eroding) web environment, but also email, chat, telephony, database access and much more.

    In short, we developed software that you can use to run an openly accessible identity provider under your domain name. This takes in standard protocol exchanges such as SASL or Kerberos and on the basis of this exchange it authenticates a user under its domain. The domain is validated by an identity-depending party using standard Internet mechanisms (DNSSEC, DANE) so that it knows that it is talking to an identity provider whose prerogative it is to decide on user identities underneath the domain.

  • Telephony, and especially the potential to listen in to microphones on desks everywhere, is probably an underestimated risk for information leaks. This means that you want control over the phone switches that connect to such microphones. Although VoIP can be a bit of a nuisance to setup, there are many commercial providers who are quite capable of helping out, usually with the open protocol SIP, possibly with open source PBX software, and facilitating your existing phone numbers. Home users often find such functionality in their routers, either as part of a package deal or as an easily configured link to telephony. There really is no need to leak your commercial or academic advances, nor to be subject to listening in on private conversations.

  • GDPR Compliance can be a nuisance, but it gives the same privacy guidance to many organisations that make a united requirement of fair privacy from services that control their information. Do not struggle with the GDPR, but use it to select your service providers. You may end up in your own jurisdiction, which makes (economic) sense, certainly when you are publicly funded.

    Instead of listing all the faults that follow from the poverty of a thrifty sell-out, wipe the slate clean by choosing one who subscribes to the privacy of your users. Do not lightly decide to sacrifice your user's privacy, by treating them as cheap labour subject to cost optimisation, but consider them human resources.

    It is a sign of poverty if money makes you do things that you would not have done if it hadn't played a role.

  • Confront your organisation about any point where they sacrifice freedom or sovereignty, for the company or its "human resources". If the work force is indeed considered a resource, then they should treat it respectfully.

    Make sure that choices always include ethic variants, find the price difference with the cheapest and conclude from this what the price (per head) for these values is, if the choice for the cheapest form is made.

    Make sure to verify whether an escape mechanism exists. No choice is made for ever, and it should not be costly to leave, because that will be used as an excuse for not taking a turn for the good.

    Be sure to introduce these issues in the advisary board of your organisation. Make your board aware of the future implications of today's choices.

  • As a company, consider that the best workers have more freedom to move, and are more likely to feel a burden from these sacrifices. Given other options, they might leave. You would be left with less opinionated workers, which may well be the less motivated ones.

Liberation Day is worthy of Celebration

Let's commemorate past wars, and avoid future ones, by realising the great value of individual freedom in a democracy. Let us repeat that it is not an automatic given, and needs our ongoing attention. And that our freedom is a valuable human asset, worth fighting for (says a pacifist) because it is in no way destructive; it actually provides an alternative for the delusive paths that move us towards desolation.

The University of Twente is cited above as a mere example of a global trend. Many organisations make the same silly choices for the same silly reasons. They are penny-wise but pound-foolish. They are selling out because they are only staring at numbers. Numbers that have no meaning because they ignore human values. Numbers that do not express the anti-social devestation on the privacy and sovereignty of your communication peers. Numbers that are dangerously one-dimensional, and could never represent the splendour of a diverse and multi-cultural society.

Let's start to break free on this Liberation Day. Not just this year, but in all the ones following. Our project is here to guide you, and is glad to integrate your contribitions for general good. Because the silo of open source and open protocols is just as capable as any silo. All it takes is collaboration — which is a more powerful force than competition (let alone warfare) could ever be.

And we are all but alone; many open source projects are part of this ongoing battle, and they need your support in so many easy ways; be it through donations or project acquisition, through documentation or bugfixes and new feature additions.

But, more than anything, these open source projects are waiting for you to start using their software.

Liberation Day is a good day to free yourself, and move away from the ongoing commercial battle of control over your online presence.



This article was published under a CC BY-SA 4.0 license.

Go Top