For the non-Debian people among my readers: The following post presents bits of the decision-taking process in the Debian project. You might find it interesting, or terribly dull and boring :-) Proceed at your own risk.
My reason for posting this entry is to get more people to read the accompanying options for my proposed General Resolution (GR), and have as full a ballot as possible.
Some weeks ago, Nicolas Dandrimont proposed a GR for declassifying debian-private. In the course of the following discussion, he accepted Don Armstrong's amendment, which intended to clarify the meaning and implementation regarding the work of our delegates and the powers of the DPL, and recognizing the historical value that could lie within said list.
https://www.debian.org/vote/2016/vote_002
https://lists.debian.org/debian-vote/2016/07/msg00108.html
https://lists.debian.org/debian-vote/2016/07/msg00078.html
In the process of the discussion, several people objected to the amended wording, particularly to the fact that "sufficient time and opportunity" might not be sufficiently bound and defined.
I am, as some of its initial seconders, a strong believer in Nicolas' original proposal; repealing a GR that was never implemented in the slightest way basically means the Debian project should stop lying, both to itself and to the whole free software community within which it exists, about something that would be nice but is effectively not implementable.
While Don's proposal is a good contribution, given that in the aforementioned GR "Further Discussion" won 134 votes against 118, I hereby propose the following General Resolution:
=== BEGIN GR TEXT ===
Title: Acknowledge that the debian-private list will remain private.
1. The 2005 General Resolution titled "Declassification of debian-private list archives" is repealed.
2. In keeping with paragraph 3 of the Debian Social Contract, Debian Developers are strongly encouraged to use the debian-private mailing list only for discussions that should not be disclosed.
=== END GR TEXT ===
Thanks for your consideration,
-- Gunnar Wolf (with thanks to Nicolas for writing the entirety of the GR text ;-) )
Yesterday, I spoke with the Debian project secretary, who confirmed my proposal has reached enough Seconds (that is, we have reached five people wanting the vote to happen), so I could now formally do a call for votes. Thing is, there are two other proposals I feel are interesting, and should be part of the same ballot, and both address part of the reasons why the GR initially proposed by Nicolas didn't succeed:
- Ian Jackson's "Acknowledge difficulty of declassifying debian-private" makes explicit the role of the listmasters and allows for a formal declassification process to take place, as long as the privacy guarantees we had after the 2005 GR are not diminished.
- Iain Lane's reply to Ian is not yet formally proposed, but spells out that no declassification should ever occur unless all of the involved authors have explicitly consented.
So, once more (and finally!), why am I posting this?
- To invite Iain to formally propose his text as an option to mine
- To invite more DDs to second the available options
- To publicize the ongoing discussion
I plan to do the formal call for votes by Friday 23.
[update] Kurt informed me that the discussion period started yesterday, when I received the 5th second. The minimum discussion period is two weeks, so I will be doing a call for votes at or after 2016-10-03.
Last week, Senator Omar Fayad presented one of the prime examples of a poorly drafted law that, if enacted, will make basically any way of computer use illegal. And yes, even if he states this is merely a draft, it has so many factual and conceptual errors that there is no way to trust sanity can be regained at any point. Oh, and before I continue with this rant: If the topic interests you, I suggest you read "10 key points about Ley Fayad, the worst Internet initiative in history", published by r3d.mx.
[update] An English equivalent of the work at r3d, at revolution-news.com: #LeyFayad: The Worst Bill in Internet History
The full text (in Spanish, of course) for the law initiative is available at the Senate webpage; the law will be called Ley Federal para Prevenir y Sancionar los Delitos Informáticos (Federal law to prevent and punish informatic felonies) — a bad name to start with, as there are many laws already in that contested area. I started reading with the preamble (Exposición de motivos), which already shows bad signs of imprecise drafting and is plagued with factual errors (e.g. asserting that the real danger stems from the Web migrating to the Web 2.0, from which it follows that the danger lies in this migration and not in any previous one; or stating, quoting and translating a full paragraph):
Activities such as electronic commerce, digital journalism, publicity and the opinions, messages or elements written in social networks can lead to patrimonial, reputation, honor or professional activity losses for people.
He continues by stating that only 16% of the countries have some kind of cybersecurity strategy (and, of course, Mexico doesn't). That... Well, is very hard to believe, as Mexico has two separate police groups devoted to cybersecurity, and laws regulating everything from electronic signatures, commerce, identity, privacy, use and abuse, and a long list more.
Of course, as most law proposals go, it quickly decays into a dry, boring document... And I must admit I didn't fully read it, but picked here and there. I won't copy in full the note I mentioned at the beginning at r3d.mx, but will continue with some strange points, such as:
- Article 16
- Every person that, without the corresponding authorization or exceeding the authorization conferred, accesses, intercepts, interferes with or uses an information system, will be punished by one to eight years of prison and fined by 800 to 1000 days of minimum wage
So, yes, borrowing your computer without getting explicit permission, or playing around with the options in kiosks, or tons of whatever we curious people do with systems we encounter are grounds for jail. (And yes, fines in this country are expressed in "days of minimum wage", which goes at ~MX$70 per day, which is ~US$4). But it gets funkier quickly:
- Article 17
- Whoever fraudulently destroys, disables, damages or in any way alters the working of an informatic system or any of its components, will be punished by five to fifteen years of jail and fined by up to a thousand minimum wage days
The same punishment will be given to whoever, without authorization, destroys, damages, modifies, divulges, transfers or disables information contained in any Informatic System or any of its components.
The punishment will be ten to twenty years in prison and a fine of up to a thousand days of minimum wage if the effects here mentioned are done by the creation, introduction or fraudulent transmission, by any means, of an informatic weapon or malicious code
This law is meant to protect against cyberfelonies, if such a thing exists. However, here we are putting at risk people even for accidental equipment destructions. I dropped your portable hard disk with my elbow off the table? Accuse me of acting fraudulently, and I'm up for a serious jail time. And yes, laws are meant to be interpreted... And I don't want to be at the receiving end of this one!
In this last article, Fayad mentions informatic weapons, which are defined in the preamble as any informatic program, informatic system, or in general, any device or material created or designed with the purpose of committing an informatic crime. So the very next article makes me, as it should make all of my fellow students and researchers, very uneasy:
- Article 18
- Whoever uses informatic weapons or malicious code will be imprisoned by two to six years, and fined with 200 to 500 days of minimum wage.
- Article 19
- Whoever builds, distributes, commerces with informatic weapons or malicious codes will be punished by three to seven years of prison and 200 to 500 days of minimum wage.
If we need to analyze malware for our classes (or for paid work, or as a hobby), we clearly fall in article 18. If we write something that can be classified as malware (without even releasing it, as an academic exercise only!), we are covered by article 19. If I give my students code that's known to be malicious (which could be as inoffensive as linking to a well-known Web comic), I'm also covered by article 19.
I'll jump all the way to article 31 (reproduced only partially):
- Article 31
- Whoever, by any means, creates, captures, records, copies, alters, duplicates, clones or deletes the information contained in a credit or debit card (...) will be punished by 8 to 14 years of prison and 300 to 500 days of minimum wage. (...)
This clearly disincentivizes any way of e-commerce. When I try to buy anything online, I have to capture and copy my (rightfully owned) credit card data. The services provider has to copy, process and then delete said information. Any e-transaction is punished by jail!
Well... But thinking about this again, maybe I shouldn't be so worried about the malware distribution issue at my classes. There are clearer and more forceful articles. Say...
- Article 35
- Whoever convenes, organizes, is part of, or executes a cybernetic attack, will be punished by 20 to 30 years of prison and fined with 100 to 1000 days of minimum wage
Of course we have convened, organized, been part of and executed cybernetic attacks at the computer security lab at ESIME. Why would there be such a lab otherwise?
Then, there are clear indications that the Senator didn't understand the topic his team was working on:
- Article 37
- Who manipulates the digital seals used by command of the public authority will be punished with 240 days of community work
Now... What is a digital seal? It's not a physical one that does not allow opening the doors to a business found at fault, but something that just proves a document is legitimate and pristine. How can I manipulate them? Of course, if the seals are MD5-based, I can easily forge them (and SHA1-based, it seems they will be broken enough soon to be considered no longer trustworthy)... But that's about it!
And there is more, lots more. I'm swamped with work, and have to get back to it. But the following chapters have a lot of potential for finding holes.
PS - And yes, the only use I do of Twitter is via the headlines in my blog ;-)
[update] Ley Fayad is dead, yay! \o/ The senator withdrew the proposal.
The discussion regarding the legality and convenience of Uber, Cabify and similar taxi-by-app services has come to Mexico City — Over the last few days, I've seen newspapers talk about taxi drivers demonstrating against said companies, early attempts at regulating their service, and so on.
I hold the view that every member of a society should live by its accepted rules (i.e. laws) — and if they hold the laws as incorrect, unfair or wrong, they should strive to get the laws to change. Yes, it's a hard thing to do, most often filled with resistance, but it's the only socially responsible way to go.
Private driver hiring applications have several flaws, but maybe the biggest one is that they are... How to put it? I cannot find a word better than illegal. Taxi drivers in our city (and in most cities, as far as I have read) undergo a long process to ensure they are fit for the task. Is the process incomplete? Absolutely. But the answer is not to abolish it in the name of the free market. The process must be, if anything, tightened. The process for granting a public driver license to an individual is way stricter than to issue me a driving license (believe it or not, Mexico City abolished taking driving tests several years ago). Taxis do get physical and mechanical review — Is their status mint and perfect? No way. But compare them to taxis in other Mexican states, and you will see they are in general in a much better shape.
Now... One of the things that angered me most about the comments to articles such as the ones I'm quoting is the middle class mentality they are written from. I have seen comments ranging from stupidly racist humor attempts ("Mr. Mayor, the Guild of Kidnappers and Robbers of Iztapalapa demand the IMMEDIATE prohibition on UBER as we are running low on clients", or the often repeated comment that taxi drivers are "(...) dirty, armpit-smelly that listen to whatever music they want") to economic culture-based discrimination ("Uber is just for credit card users", as if it were enough of an argument)... Quite the opposite, it's just discrimination, as many people in this city are not credit subjects and do not exist in the banking system, or cannot have an always-connected smartphone — Should they be excluded from the benefits of modernity just because of their economic difference?
And yes, I'm by far not saying Mexico City's taxi drivers are optimal. I am an urban cyclist, and my biggest concern/fear are usually taxi drivers (more so than microbus drivers, which are a class of their own). Again, as I said at the beginning of the post, I am of the idea that if current laws and their enforcement are not enough for a society, it has to change due to that society's pressure — It cannot just be ignored because nobody follows the rules anyway. There is quite a bit that can be learnt from Uber's ways, and there are steps that can be taken by the company to become formal and legal, in our country and in others where they are accused of the same lacking issues.
We all deserve better services. Not just those of us that can pay for a smartphone and are entitled to credit cards. And all passenger-bearing services require strict regulations.
Much ink has been spilled lately (well, more likely, lots of electrons have changed their paths lately — as most of these communications have surely been electronic) on the effects, blame, assurance and everything related to the (allegedly) North Korean attack on Sony's networks. And yes, the list of components and impacts is huge. Technically it was a very interesting feat, but it's far more interesting socially. Say, the not-so-few people wanting to wipe North Korea from the face of the Earth, as... Well, how did such a puny nation dare touch a private company that's based in the USA?
Of course, there's no strong evidence the attack did originate in (or was funded by) North Korea.
And... I have read very few people talking about the parallels to the infamous Stuxnet, malware written by USA and Israel (not officially admitted, but with quite a bit of evidence pointing to it, and no denial attempts after quite a wide media exposure). In 2010, this worm derailed Iran's nuclear program. Iran, a sovereign nation. Yes, many people doubt such a nuclear program would be used "for good, not for evil" — But since when have those two words had an unambiguous meaning? And when did it become accepted as international law to operate based on hunches and an "everybody knows" mentality?
So, how can the same people repudiate NK's alleged actions and applaud Stuxnet as a perfect weapon for peace?
The following text is not mine. I'm copy-translating a text a dear friend of mine just wrote in Spanish, in Facebook. He writes far better than I do (much better than most people I have known). I am also not a great translator. If you can read Spanish, go read the original.
I hate my country. I want to get the hell out of here. This country stinks.
Phrases that appear in talks between Mexicans since yesterday. On the network and outside of it. And to tell the truth, I would have put them between quotation marks if I had not thought them as well. At some point. Because that is the extent of the pain. Enough to hate, to insult, to give up.
But we talk and write without realizing that it might be the most terrible thing in all this mess. That the pain makes us give up and consent to play a role in the game that they, the executioners, would pleasedly look at from their tribunes, laughing at us while they hand each other the popcorn. That would be over the line. So let's not give them that joy.
Because they surely don't realize we have the obligation to notice it from the very beginning and do something to avoid falling there: The root of the pain they caused us yesterday is because that's how the annihilation of hope feels like.
The shout "Alive they were taken" –they do not realize but we do– is a shout of hope. A pronouncement for the possible goodness in the human being. A testimony of hope in the future. A bet for life. And with his cold address, the federal attorney yesterday wanted to finish the killing of our already aching hope. We cannot grant him that joy.
They say it's the last thing that dies. I'd say it's the only thing that should not die. Ever. It finishes and everything finishes.
There is no possible justice for the parents of the 43. Much less for the 43. Not even however much the official discourse wants to get us dizzy with the propaganda saying "we will not rest until". Not even if the president quits that would bring back to their classrooms even one of those that by today are just ashes. And sadly, that's the excuse that man wields to not stop boarding his plane and travel wherever he pleases. The farthest from Mexico, the better. Let's not do the same.
Let's remind the world this country is full of us, not of them. That the face of a person is not the dirtiness on his forehead and cheeks, but the skin that's below, that feels and throbs. Let's show the world Mexico is more the verse than the blood, more the idea than the terror.
And to them...
Let's not give them the joy.
To them, let's make them see that, however hard they try, there are things they will never take from us.
Our love for this country, for example.
The country, over all things.
- Antonio Malpica. After what appears to be the bitter and sadly expected end of a sad, terrible, unbelievable collective social rupture we have lived for ~50 days.
And what comes next? How can it come? How can we expect it? I have no way to answer. We, the country's people, are broken.
I woke up to the news that, after a very short tenure, Brendan Eich steps down as the Mozilla CEO.
Why? Because of the community outcry. Because some years ago, Eich publicly supported (and donated funds to) the ban of any kind of marriages in California that were not between a man and a woman. The world has advanced enormously in this regard in the last years/decades, and so many individuals and organizations opposed and announced they would boycott Mozilla that either he or Mozilla could not stand the pressure anymore.
So, of course, it's sad the person had to resign. Many people talked about freedom of speech, freedom of harbouring his own personal opinion — But when it comes to the rights of minorities, particularly of minorities that have suffered such hard prejudice and abuse as the gay, lesbian and all the other non-orthodox sexual- and gender- orientations, righting a wrong is much more important than preserving an individual's freedom of opinion. Besides, it's not just thinking or talking about something — The concrete proposition Eich supported (and which eventually made him resign) is about bringing the life of thousands of people to a hellish state of uncertainty, and going back to not having a way for the society to legally recognize their way of being, their love, their lives.
But anyway — What prompts me into writing this is that, once again, the Free Software (and related denominations) community has shown that a set of core values, seemingly shared by a very large amount of our own people with no coordination or correlation with what conforms us as a community (and thus, being emergent traits), are strong enough to create a critical mass, to achieve cohesion. And that ours is not just a technical community of people writing software at all layers of the stack, but –first and foremost– is a group of social activists, committed to making the world better.
I will quote from Matthew Garrett's post on this topic, clearly more forceful and thorough than what I'm trying to come up with:
The Mozilla Manifesto discusses individual liberty in the context of use of the internet, not in a wider social context. Brendan's appointment was very much in line with the explicit aims of both the Foundation and the Corporation - whatever his views on marriage equality, nobody has seriously argued about his commitment to improving internet freedom. So, from that perspective, he should have been a fine choice.
But that ignores the effect on the wider community. People don't attach themselves to communities merely because of explicitly stated goals - they do so because they feel that the community is aligned with their overall aims. The Mozilla community is one of the most diverse in free software, at least in part because Mozilla's stated goals and behaviour are fairly inspirational. People who identify themselves with other movements backing individual liberties are likely to identify with Mozilla. So, unsurprisingly, there's a large number of socially progressive individuals (LGBT or otherwise) in the Mozilla community, both inside and outside the Corporation.
A CEO who's donated money to strip rights from a set of humans will not be trusted by many who believe that all humans should have those rights. It's not just limited to individuals directly affected by his actions - if someone's shown that they're willing to strip rights from another minority for political or religious reasons, what's to stop them attempting to do the same to you? Even if you personally feel safe, do you trust someone who's willing to do that to your friends? In a community that's made up of many who are either LGBT or identify themselves as allies, that loss of trust is inevitably going to cause community discomfort.
Rethinking copyright in the digital era: Dialogs on arts, regulation and culture availability — Museo del Chopo, Mexico City
I was invited as a panelist for the Laboratorio «Repensar el derecho de autor y el derecho de copia en la era digital: diálogo sobre artes, regulaciones y disponibilidad de la cultura» at the beautiful Foro del Dinosaurio in the Museo del Chopo, located very centrally in Mexico City. The list of speakers is quite interesting, and makes me very interested and happy to be there.
The laboratory will be next week, Wednesday through Friday. I am scheduled to be part of the 17:00 table, Knowledge availability and regulation in Internet, coordinated by Pedro Mendizábal (Creative Commons Perú), and together with Juan Voutsás (Biblotecologic Research Institute, UNAM) and Armida Aponte (Creative Commons México). The other topics that will be covered are:
- Rights, technologies and commons
- The culture and its industries in the digital age: What are the interests at stake?
- Intellectual, cultural and scientific works: Open access or availability?
- New business models around copyright-protected works
- Knowledge availability and regulation in Internet
- Visual arts and copyright in the digital media
- Open governments and citizenship: Information, data and intellectual works
Sadly, it does not seem they have planned for remote people to follow along. I will ask and update here if there is any way for people outside Mexico City to tune in — For people able to attend, it's free entrance (and certificates will be given to people pre-registered; if you are interested, call 5535-2288 ext. 123).
For further details on the participants, go to the laboratory's web page.
Update: The talks will be streamed! http://www.chopo.unam.mx/chopoenvivo.html, via UStream.
Update: About one year after this activity (which was very interesting!) I was contacted by the organizers. They will be publishing proceedings — Transcriptions of our participation! Yes, a transcription is never as easy to read as a text created as such, but I am very happy about this. I was sent a first version of my transcription, which I'm attaching here. It has several corrections to be made (which I asked them to do), but it's surely worth sharing!
Panama just underwent a nasty e-voting exercise: Electronic-mediated elections were held for the committee of the PRD party. It sounds simple - Even trivial! There were only 4100 authorized voters, it was geographically trivial (all set inside a stadium)... But it blew up in smoke. I won't reiterate all that happened; I'll rather direct you to our project's (the e-voting observatorium) page: News regarding Panama (for those coming from the future, search starting at 2012-08-27 — and yes, it's all in Spanish, but there are free-as-in-beer translation services).
Many e-vote proponents/sellers/pushers were very eagerly waiting for this election to brag about one more success... So much that they could not just ignore it, and started rationalizing it away. Anyway, while feeding the observatorium, I came across this opinion-article in the Voto Digital website, which makes quite a bit of pro-e-voting noise. I replied to it, and I think my analysis is worth sharing also with you:
So, let's run some simple numbers, rounding them: The PRD vote in Panama was done for a universe of 4100 voters.
It took 10 hours (instead of the planned 4), so 410 people were processed every hour. There were 40 voting (electronic) booths, so each processed 10 people per hour. This means each person spent 6 minutes at the booth.
A manual vote in this fashion is highly parallelizable: Each of the voters can be given ballots in advance, or many of them can be allowed in to be given the ballots in situ (depending on the electoral scheme employed). The contention time is the time it takes each voter to get near the booth and deposit his ballot (either folded or in an envelope) - And it will very rarely be more than a couple of seconds.
So, given that using electronic booths parallelism cannot grow (there is a fixed number of machines) and the queues grew wildly, with traditional voting it would have surely fitted in the expected four hours (they were expected, also, based on their past experiences).
As for counting, which is the slowest part of manual voting, it's also highly parallelizable: If each of the 40 booths has slightly over 100 ballots, the party personnel can easily count them in under 30 minutes. Capture and aggregation for the 40 partial results would take an extra 10 minutes, even being generous.
Manual voting would have saved them around five hours, without demanding additional resources (and being thus much more economical than having to buy 40 specific-purpose computers). And as an additional advantage, the physical and tangible vote proofs would remain, in case they were ever again needed.
I will sound monothematic, but I have been devoting quite a bit of work to this topic lately: Trying to stop the advance of e-voting in Mexico, Latin America and the world.
Why try to stop it? Isn't technology supposed to help us, to get trustworthy processes? Yes, it's supposed to... but it just cannot achieve it, no matter how hard it is tried — I won't get into explanations in this blog post, but there is plenty of information. Feel free to ask me for further details.
Anyway — Yesterday (Sunday, 2012-06-17) was the fifth simulated voting that will lead to the first wide-scale deployment of electronic voting booths in my country: About 10% of the population of the state of Jalisco (that means, ~500,000 people) will cast their votes on July 1st electronically.
This particular case illustrates how simulated votings can be used to forge a lie: Pounce Consulting, the company that won the e-voting project for IEPC (Jalisco's voting authority), delivered their booths over 40 days late, just before the deadline for the project to be canceled. Oh, and by the way, it's the same company that just failed to deliver on time for another planned local authority (10% of the booths in the Federal District, where I live, where fortunately 100% of the votes will be cast on traditional, auditable and cheap paper).
After this delay, five voting simulations were scheduled, to get the local population acquainted with them. The first ones just failed to get the population's interest and had close to 40% failure rates (mainly regarding transmission). Several other "minor details" were reported, including mechanical details that allowed subsequent voters to see the vote of who had just left.
Anyway, to make a long story short: The fifth and last simulation was held yesterday. Officially, it was finally successful (about time). As these booths include the "facilities" to communicate the results via the cellular network, but the populations where they are to be deployed do not yet have cellular coverage, 10% of the booths will have to be carried back to the Districtal Header (that can be a ~10hr trip) to be counted. Also, in all places, traditional paper stationery and paraphernalia will be printed just in case it is needed (and when will they know? When half of the votes are cast and lost?)
Anyway... e-voting is still in its first stage in Mexico. Right now, I'm sure, no attempts to rig the election will be made (centrally). But every effort will be made (as it has been made) to dismiss the obviously big and nontrivial ways it has failed and will fail, and any problems will be labeled as "minor". And probably by 2018 we will be facing deployments in many more states (even nationwide).
But propaganda fails to see the obvious: E-voting is more expensive, more complicated, leads to more possible failure states. E-voting should not be deployed in large-scale (i.e. more than a couple of hundred voters) elections. Electronic voting is insecure, violates secrecy, allows for fraud. No matter how many locks are put into it.
Note: All of the information linked to from this post is in Spanish and related to Mexico… Part of it will be translatable via automated means, some will not. Sorry, that's what I have, and it's too much text to invest the effort to hand-translate.
I have been following the development of the different e-vote modalities in Mexico for several years already, although I have only managed to do so methodically in the last half year or so. If you are interested in my line of reasoning as to why I completely oppose e-voting, you can look at the short article I published in 2010 or the slightly longer and more updated version published in our book in 2011.
Currently, in Mexico there are two different venues of e-vote that are being pushed: Bad and worse. The bad one will be carried out for about 10% of the population of the state of Jalisco and somewhat less for the state of Coahuila (Distrito Federal was also to be in this list, but the contract was cancelled due to the provider company delivering booths with too many problems and unable to deliver in the due time). The worse one is, fortunately, likely to have the least impact. Why? Because it regards votes cast by Distrito Federal residents (the capital entity, where part of Mexico City is located) living abroad. And it will have less impact because of the amount of the population registered for it: We are about 9 million residents in DF, and in the last election (first time IIRC there was the right to vote from abroad) there were only about 10,000 people registered for casting a (enveloped and sent by post) vote. Even if this year the campaign for this was better (and I'm not yet sure about it), the number of voters will not be enough to make a dent on the results.
I'm not going into details as to why it is bad in this post — I requested information from the DF Electoral Institute (IEDF) with academic interest, to try to find more information about it, and I want to share my results with you — and, of course, to request your input on how to continue with this. On May 3rd, I sent the following request (this I am translating to English :) You can look at the receipt for the request for the original wording) to the official contact address, firstname.lastname@example.org:
- What company was hired to develop the system that will be used to receive the votes from Distrito Federal citizens residing abroad that have decided to use the Electronic Voting over Internet procedure ("Vota chilango")?
- What is the technical information for said system? That is, which technological basis was it developed on? Which operating base (hardware) will it be deployed on?
- How many revisions or security audits has the developed system been exposed to? Which are the entities in charge of doing them? What has been their evaluation?
Of course, I wasn't very optimistic when receiving this information. Still, I have to share my results: My information request was largely denied:
III. The divulgation of this information harms the interest it protects
Given that, were it to be divulged it would affect the informatic security of the referred system. Anyway, we have to point out that said systems have enough measures and security provisions, so that the citizen can emit his vote in a universal, free, secret and direct way.
IV. The damage that can be produced by making this information public is larger than the public interest to know it
This is so because making this information public puts at risk the correct development of the Internet-based voting, because were the technical, purpose-specific information to be made public, it could be misused to carry out informatic attacks.
It is also important to mention that a confidentiality agreement was signed with the company that developed said systems.
VI. The time for the information to be reserved
It will be seven years starting at the present resolution, this information will be made public when the reserve period is over or when the target is reached, except for the confidential information that it could contain. (…)
In case some other person is interested in following this information, the other two points were answered, and I'll try to get some relevant information from it:
- The company that provided the Internet-based voting solution was SCYTL SECURE INTERNET VOTING, S.A.
- The only entity in charge of conducting a security revision/audit is Telefónica Ingeniería de Seguridad de México S.A. de C.V. The audit is still in process, and thus it is not yet possible to give any results from it.
So, I don't have any real conclusions yet. I'm just reporting how work is unfolding.
Tomorrow evening (Wednesday May 23) I'll give a talk on the "e-voting in Mexico 2012" subject in Congreso Internacional de Software Libre in Zacatecas, Mexico. I'll talk on the situation on this and the other topics I have been able to work on.
Around two years ago, the OECD presented a study on residential bandwidth available per country that triggered quite a bit of debate all over the world — I have seen at least criticism of it in Mexico, in the USA and in Australia. It's very easy to take a simplified view of a statistic and bitch on how sorry the state of our country is. In our case, the outcry was that Mexico was the lowest of all of the OECD countries, and I have seen this repeated on so many topics that what surprises me is that people keep getting surprised at it! OECD does not represent the ≥200 countries in this world (only the top 30, and the meaning of "top" is not unambiguous).
I found this graph that helps me illustrate this point:
While that graphic is part of a report illustrating how sorry the USA should be for their low position, it shows the OECD member countries. And yes, the only country in the list that Mexico could be compared to in general terms is Turkey. Coherently, they are located at positions 28 and 30.
But what prompted me into writing this post? That some weeks ago I was reading a viewpoint article at the Communications of the ACM magazine: What gets measured gets done: Stop focusing on irrelevant broadband metrics, by Scott Wallsten (might be behind a paywall for you — If you are interested, I can share a copy with you, just ask me by email). Wallsten's article contains the following graph:
I found it pretty telling that, although Mexico sits at the extreme of the graph (and the height of our bar makes it very hard to get a real value out of this particular rendering), our ISPs join a very select group of countries (Sweden, Germany, Belgium, Luxembourg and Ireland, in my very subjective measure) by delivering what they promise.
In 2010, the dominant broadband offering was 1Mbps, although higher options have long existed. I always got basically 100% of what my ISP (Telmex) has promised, even though I have always had the cheapest package available. Some months ago, I got a call announcing we were being pushed 5x into the future, and starting right then, I had a 5Mbps connection. And although I didn't really expect it to be true, I have had a clean 6Mbps (yes, 6 instead of 5) connection.
So, that's it. This post contains no hidden truths, but just what grabbed my attention from a series of data points :-)
Every year, on January 1st, new material ceases to be protected by copyright and enters the public domain. This means, every year, more knowledge, literature, paintings, music, movies and a long etcetera becomes collective property, instead of being artificially held by the current holders of their rights.
As this image shows (source: http://publicdomainday.org/node/39 ), I have the honor(?) to live in the country with the longest copyright protection term in the world. Copyright in Mexico does not only last for 100 years — It lasts for the natural life of the author plus 100 years. This means that the popular corridos that tell the stories of the 1910 revolution are still not in the public domain. La sucesión presidencial, the book which Francisco I. Madero wrote to justify that a peaceful political change was needed for the 1910 elections, will not enter the public domain until 2014 (president Madero was killed during 1913). Does it make any sense to kidnap cultural, political or artistic works for over a century?
Not only that: Material that is legally sold as public domain in other countries is illegal in ours. Take as an example the recordings of Enrico Caruso, the great Italian tenor who died in 1921. Over 15 years ago, I bought a couple of CDs with his recordings (even if the sources were quite low-quality, as they had been copied over from wax cylinders to magnetic tapes to optical media). I bought them surprisingly cheap, as they were genuine public domain. But they are still protected in my country. That means, I illegally have some stolen(!) works of art which I lawfully bought outside my country.
Copyright law needs to be revised to match reality. Technological advances have strongly changed reality since 1717's promulgation of the first copyright laws. The solution is not to extend the terms, but to rethink the whole process.
(yes, this rant was mainly made as an excuse for me to copy this image and put it in a location I can easily refer to later. But I hope it is interesting to you!)
This is an update to my last post regarding the «Construcción Colaborativa del Conocimiento» book.
But holding a printed book in your hands is just a different experience, isn't it? :-) Anyway, I said I would give here an update on how to get your hands on it. The main venue would be through my University's e-store. I recommend it to anybody interested in buying the book in Mexico. The book's list price is MX$300 (around US$27), but it is currently sold at half price — I don't know how long that price will be offered.
On the other hand, we also uploaded it to the lulu.com self-publishing service. Of course, given I have not seen the printed results, I cannot assure you the resulting product will be of the same quality as the one we got here, but I have a couple of books I have bought at lulu, and their quality is quite acceptable. So, you can also buy it from lulu.com. Note the 20% discount it shows will be permanent — That's what I would get as an author, a payment I decided to forfeit given we are 11 authors and it would be unfair to collect it all myself. So, the price at lulu.com is US$12.64 plus shipping — Very similar to the price at UNAM.
Last Friday, after two years worth of work, I finally got the first box of books for the Construcción Colaborativa del Conocimiento (Collaborative Knowledge Construction) project I worked on as a coordinator together with Alejandro Miranda (pooka), and together with a large group of 11 authors:
Translating over from the back cover text (and this is just a quick translation from me — It reads better in Spanish ;-) ):
What defines us as humans is our ability, on one side, to create knowledge, and on the other, to share or communicate it with our neighbors. Both features have worked together over tens of thousands of years, and, working together, have led the knowledge to transcend the individual, avoiding the need for rediscovery or reinvention of what is already known. Sharing knowledge is what has taken our species to the dominant role it occupies today.
But knowledge creation and sharing has seen a deep transformation in recent decades, thanks to the quick evolution of telecommunications, especially the massification of Internet and cellular telephony. We are transiting towards the so desired –and at the same time so feared– knowledge society.
In this book, eleven authors from very different disciplinary backgrounds and geographic origins elaborate on how a hyper-connected world has modified the basic rules of interaction in areas as diverse as artistic creation, social organizations, computer code development, education or the productive sector.
This book is the result of a year's worth of work in the "Collaborative Construction of Knowledge" seminar, during which we used the same new forms of knowledge production we have studied.
The videos of the sessions, electronic participations and the full contents of this book are available under a permissive license at
We will soon have the book ready in IIEc's e-store (which is mostly meant for national requests). I am also uploading the book to the lulu.com self-publishing service, and we are working on an epub-like edition. Right now it is still not available, but it should be there in some days. I will keep you posted.
Meanwhile, the full contents can be read online at http://seminario.edusol.info/seco3
There's something brewing, moving in Jalisco (a state in Mexico's West, where our second largest city, Guadalajara, is located). And it seems we have an opportunity to participate, hopefully to be taken into account for the future.
Ten days ago, I was contacted by phone by the staff of UDG Noticias, for an interview on the Universidad de Guadalajara radio station. The topic? Electronic voting. If you are interested in what I said there, you can get the interview from my webpage.
I held some e-mail contact with the interviewer, and during the past few days, he sent me some links to notes in the La Jornada de Jalisco newspaper, and asked for my opinion on them: On September 23, a fellow UNAM researcher, César Astudillo, claims the experience in three municipalities in Jalisco proves that e-voting is viable in the state, and today (September 26), the third generation of an electronic booth is apparently invulnerable.
Of course, I don't agree with the arguments presented (and I'll reproduce the mails I sent to UDG Noticias about it before my second interview just below — They are in Spanish, though). However, what I liked here is that it does feel like a dialogue. Their successive texts seem to answer to my questioning.
So, even though I cannot yet claim this is a real dialogue (it would be much better to be able to sit down face to face and have a fluid conversation), it feels very nice to actually be listened to from the other side!
My answer to the first note:
The subject of electronic voting booths keeps making news here in Jalisco... at Medios UDG we have presented different voices, such as that of Dr. Gabriel Corona Armenta, who is in favor of electronic voting; that of Dr. Luis Antonio Sobrado, presiding magistrate of Costa Rica's Supreme Electoral Tribunal, who told us about the 20 million dollars that implementing the system costs them, which is why they have not managed to do it so far; we were even able to talk, all the way to Argentina, with Federico Heinz about his outright opposition to electronic voting; and of course the interview we did with you.
However, today La Jornada Jalisco publishes the following note
we would like to know your point of view on it,
I look forward to your reply
Well... I know that IFE did a very interesting and well-made development a couple of years ago, designing from scratch the booths they proposed to use, but they were not deployed beyond pilots (because of cost, as far as I understand). I find it sad and dangerous that Jalisco's IEPC, having that precedent, is proposing to buy prefabricated technology, trusting what a vendor offers them.
I find what the title proposes outright naive: «elections in three municipalities prove the viability of electronic voting in the whole state». Let's put it in these terms: Does the fact that a sheet-metal shack with a wooden frame does not fall down prove that we can build sheet-metal skyscrapers with a wooden frame?
Now, a couple of paragraphs that catch my attention from what this La Jornada note publishes:
the proposal to hold the election in the whole state with electronic voting booths, which the Instituto Electoral y de Participación Ciudadana (IEPC) wants to carry out, is viable, because the elections held in three municipalities are sufficient proof that the booth is reliable
and some paragraphs later,
“How many more experiences are needed to know whether it is trustworthy, 20, 30, I don't know (...) But when there is a real, effective and serious diagnosis of when it is technically appropriate, the decision can be taken”
As I mention in my article... We cannot confuse absence of evidence with evidence of absence. That is, the fact that there were no irregularities in a smaller deployment does not mean there cannot be any. That there are countries operating 100% with electronic voting booths does not mean it is the path to follow. There are some experiences, and not few, of electronic voting booths failing in various ways, and that shows there can be no trust in the implementations. Even if the equipment were free (which is not the case), resources have to be invested in its safekeeping and maintenance. Even if a voter-verified paper trail were generated (which has only been the case in a small fraction of the voting stations), nothing ensures that the results reported by the equipment are always consistent with reality. The potential for misuse they offer is too great.
And to September 26th:
Sorry to bother you again, but today yet another note was published on the subject of electronic voting booths in Jalisco, in which it is asserted that the booth is invulnerable.
Could you grant us a few minutes to talk with you, like last time, by phone, about the specific case of Jalisco, in reference to these recently published notes? If possible, could I call you today at 2 pm?
I look forward to your reply, thanking you for your help; we very much appreciate this collaboration you are doing with us
Regarding this note: Again, absence of evidence is not evidence of absence. A small segment of people is allowed to play with a machine. Does that mean it was a complete, exhaustive test? No, only that with casual toying they could not find obvious and serious flaws.
A real process that would provide trust would consist of (as they did in Brazil, where the booths turned out to be vulnerable) calling on the community of computer security experts to carry out whatever tests they deem necessary, with a reasonable level of access to the equipment.
Besides, security goes beyond modifying the stored results. A couple of examples that come to mind without giving it much thought:
- What happens if I stick a piece of chewing gum into the magnetic card reader slot?
- What happens if I hit one of the keys enough to make it a bit less sensitive without destroying it completely? (or, while we are at it, if I destroy it)
Denial of service is another kind of attack we have to be familiar with. Not only is it possible to alter the outcome of the vote; it is also very easy to prevent the population from exercising its right. What would they do in this case? Well, they could fall back to voting on paper: on sheets from a notepad, probably signed by each of the officials, for example. But if an attacker blocked the reading of the magnetic card, which is needed for the polling station president to mark it as closed, he stripped the users of their vote.
Yes, there are the printed votes (which, frankly, I am very glad to see this booth handles in this way). Counting is possible, although a bit more cumbersome than in a traditional vote (because one has to check which ones are marked as invalidated; it is not very clear to me what the scenario is for the voter who voted for one option, got another one printed, and the result was corrected and marked as such)... But it is possible.
However, and to close this answer: If we do a test run, under controlled circumstances, we will obviously not notice the very many failures an electronic voting booth can introduce when the "bad guys" are its programmers. Can we be sure that this Atlas-Chivas-Cruz Azul scoreboard has the same reliability rate as an election with real candidates, one of whom may have paid the developing company to manipulate the election?
And even if the process were perfect, they indicate here that they are _trying_ to put these booths out to tender (and again, if what this note mentions is true, they are among the best booths available, and they have addressed many of the points raised. Good!)... What for? What will these booths give us, what will society gain? Greater speed? Negligible: half an hour gained. In exchange for how much money? Greater reliability? It is clear to me that no, given that it is not only four of us behind-the-times folks who put their system in doubt, but its very proponents point to the widespread doubt.
The sentence the note closes with seems to me worthy of hanging an epilogue on: "in that perhaps not so distant future, corruption also occurs, and it is always due to the human factor". And the human factor is still there. Electronic voting booths are programmed by people, by fallible people. Regardless of which side you are on, you will remember the controversy when it became public that the vote aggregation in 2006 was supervised by the company Hildebrando, owned by the brother-in-law of the then presidential candidate Felipe Calderón. What prevents us from falling into a similar scenario, but widely distributed? And here we must refer to the ruling of Germany's Supreme Court: In that country, electronic voting was declared unconstitutional because only a group of specialists could audit it. A box full of papers with clear evidence of each participant's vote can be understood by any citizen. The code that controls electronic voting booths, only by a small percentage of the population.