Articles: 61    Showing: 1 to 12 Next page page: 1 2 3 4 5 6  

Day Against DRM - 2012

Published by manu
Tags:

Tomorrow, May 4th 2012, will be Day Against DRM. Take a moment to reflect on the devices you perhaps use that may infringe on your digital Freedoms.

The short version is, many digital devices and software are designed to restrict the usage you can make of them. In some cases it is the device itself, in other cases it is the files you may purchase. For example, some e-books or films (movies) are sold in a way that does not allow you to use them in certain ways. There is even the incredible example of Amazon remotely deactivating the book 1984 from their Swindles (or Kindles ?).

Another interesting anecdote is that South Korea's ministry of defense has decided to ban usage of Apple's iPhone because it is so restrictive that they cannot even guarantee the device is not recording them and sending data over wifi. The device is not under their control.

Visit the Day Against DRM website to learn more. See what you can do tomorrow, and after tomorrow.

comments

Implementing Gravatar Properly

Published by manu
Tags:

The other day a good friend of mine suggested I implement Gravatar on my website, so I started checking how it works and found it was incredibly easy. All I'd have to do is put an img element with a link to an md5 hash of the commenter's email. Like this: <img src="http://www.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50" />

MD5s can be Sensitive Information

The commenter's email hash is visible to all visitors, robots/spiders, etc etc. Gravatar says it's okay because you can't crack the MD5 hash to retrieve the email. Indeed, for that you would probably need a database with emails and their MD5 hash to figure out what email is behind each hash.

There are 2 issues with this:

  • Without figuring out the email, you can still find other users' posts on other sites. Indeed, all you need is to search for the MD5 hash. Perhaps the Gravatar user is okay with this, but maybe not in every case (more later).
  • If you are the administrator of a large user database, you can search for MD5 hashes and easily find out what your user database has been posting.

Other Issues

  • Non-Gravatar users can be tracked on the web too

    Even if you are not a Gravatar user, many websites will submit your email's MD5 hash to Gravatar and show that hash to the visitor. This means that even non-Gravatar users are now Gravatar users. There is nothing stopping Gravatar from storing this and nothing stopping people you know from finding your posts. Yes, anyone you know can go insane (like many employers who demand your social media credentials) and search the web for your email's md5 hash.

  • Gravatar can haz your blog statistics

    Every time someone visits a Gravatar enabled website, Gravatar gets some of the website's user statistics: visitor's IP, browser/OS and the page visited.

  • Gravatar Knows Where You Have Been

    Of course, because of the above, Gravatar can know about all the posts made by their users on Gravatar enabled sites. Maybe they don't gather that info, but technically it's totally possible.

  • Websites that use Gravatar deliver content from third party sources

    This can be a problem when your website uses HTTPS: using Gravatar means some of your content is no longer encrypted, unless you use Gravatar's HTTPS version. But using Gravatar's HTTPS version means asking your visitors to trust their SSL certificate, which is issued by GoDaddy !

    I know it is a very common practice to have many bits of websites hosted behind many different URLs, but it's always good to limit that where possible. For example, embedding a Youtube video is understandable as it is actual content and generally users can see where this comes from. Pulling avatars, icons and such from all over the web isn't so cool.

    It also means losing control over what parts of your site are actually getting delivered to your visitors and how they are getting delivered. You cannot know if your visitor's connection to Gravatar is broken or altered.

    From a non-privacy perspective there could also be performance issues; don't forget visitors now have yet another domain name to resolve. Reducing the number of DNS queries can help what they call "the user experience".

How can we Fix This ?

  • Give your commenter the choice of using Gravatar's service

    Instead of just hashing everyone's email "de force", why not let the commenter choose to have their email hash posted on the Internet first ? Perhaps even a Gravatar user may want to make a comment without linking it to their Gravatar profile ?

    I'll stress this a tiny bit more just because so many sites use Gravatar but don't even inform their users in the slightest way. If you would want to use Gravatar for every comment, why not, but you should at least inform your users.

  • Don't show the email's MD5 hash in the first place

    Why not just make the request to the Gravatar avatar from the website and then deliver that to the visitors ?

    The technical howto in a nutshell is to replace the Gravatar image link with a script and pass a GET variable to it, like the comment id. The script then figures out the md5 hash (if the user agreed), requests an image from Gravatar and shows that to the visitor.

    This also helps reduce the number of DNS queries your visitors will make; instead your website/webserver will do all the work. And your webserver should probably have better bandwidth than your average visitor.
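The two points above (opt-in first, then a server-side proxy so the hash never reaches the visitor) as an added example in Python. This is not the site's own gravatar_img.php; the in-memory comment store, the default-avatar bytes, the `fetch` callback and the web server's outbound access are all assumptions made for the example. The hashing rule (trim, lowercase, MD5) and the `s`/`d=404` query parameters are Gravatar's documented ones.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Constructed sample comment store (hypothetical users, not real data):
# comment id -> commenter's email and whether they opted in to Gravatar.
COMMENTS: Dict[int, dict] = {
    1: {"email": "  Alice@Example.com ", "gravatar_opt_in": True},
    2: {"email": "bob@example.com", "gravatar_opt_in": False},
}

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"
# Stand-in for an image hosted on your own server, served when no Gravatar is used.
DEFAULT_AVATAR = b"<default-avatar-bytes>"


def gravatar_hash(email: str) -> str:
    """Gravatar's rule: strip whitespace, lowercase, MD5, hex encoded."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """Build the avatar URL. d=404 makes Gravatar answer 404 instead of a
    generated placeholder when the email has no avatar, so we can fall back
    to our own default image."""
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?s={size}&d=404"


# A fetcher returns the image bytes, or None when Gravatar has no avatar
# (404) or the request fails. Injected so the proxy can be tested offline.
Fetcher = Callable[[str], Optional[bytes]]


def http_fetch(url: str, timeout: float = 3.0) -> Optional[bytes]:
    """Real fetcher: the web server, not the visitor, talks to Gravatar."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.headers.get("Content-Type", "").startswith("image/"):
                return resp.read()
            return None
    except (urllib.error.URLError, OSError):
        # HTTPError (404 etc.) is a URLError subclass; treat as "no avatar".
        return None


def serve_avatar(comment_id: int, fetch: Fetcher = http_fetch) -> Tuple[bytes, str]:
    """Proxy endpoint behind e.g. /gravatar_img?id=N.

    Returns (image bytes, source). The visitor only ever sees the comment id:
    the email, its MD5 hash and the Gravatar URL stay on the server, and no
    request to Gravatar is made at all unless the commenter opted in."""
    comment = COMMENTS.get(comment_id)
    if comment is None or not comment["gravatar_opt_in"]:
        return DEFAULT_AVATAR, "local"
    image = fetch(gravatar_url(comment["email"]))
    if image is None:
        return DEFAULT_AVATAR, "local"
    return image, "gravatar"


if __name__ == "__main__":
    # Offline demonstration with a fake fetcher; swap in http_fetch on a server.
    requested = []

    def fake_fetch(url: str) -> Optional[bytes]:
        requested.append(url)
        return b"PNG..."

    for cid in (1, 2, 99):
        _, source = serve_avatar(cid, fake_fetch)
        print(f"comment {cid}: avatar served from {source}")
    print("outbound Gravatar requests:", len(requested))
```

The response to the visitor carries only image bytes and a content type; the hash lives solely in the URL the server itself requests. Caching the fetched image per comment id (or per hash) server-side would cut repeat requests to Gravatar, which also removes Gravatar's per-visitor view of your traffic.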

I think this probably extends to many more services than just Gravatar. And Gravatar are probably nice people with pure intentions... . It's not the end of the world, but it would be nice if webmasters put more thought into this sort of thing. The Interweb is still an experimental place, we should still be actively thinking about how we build it not just lazily and passively do things the way they've always been done.

Gravatar Enabled

Starting today, on this website, if you post a comment you can choose to have your email's md5 submitted to Gravatar to see if you have an avatar there I can use. Your email's MD5 hash will not be visible to other users.

This is what the img element that displays the G/avatars looks like on this website:

<img src="/blah/modules/gravatar/gravatar_img.php?id=1" />

comments 5

Privacy Defending ISP - Calyx

Published by manu
Tags:
Calyx logo

Many ISPs or other Internet services these days will often voluntarily co-operate with the authorities without requiring warrants and such. Some will even be working directly with the MPAA/RIAA. However there are some people out there, like Nick Merrill, who are totally not like that.

Today he is raising money to start a non-profit ISP and mobile phone service that will be designed to resist surveillance, with things like encryption, minimal logging and mostly by challenging requests by the authorities that are abusive and/or illegal and/or unconstitutional.

So if you do live in the U.S.A. and more precisely NY for now, you could be very interested in checking out Calyx Institute and perhaps donating via Indiegogo or via their Paypal form.

Also, check out the people on the advisory board.

comments 2

UK's Plan to Monitor Emails and Other Communications

Published by manu
Tags:

The UK would like to implement a new system (originally brought up by the Labour party) that would oblige Internet access providers to monitor all electronic communications. The ISPs would have to store logs of all communications, though they say the actual content of emails wouldn't be recorded without a warrant.

They will most likely forge email providers' certificates in order to intercept encrypted traffic, because most browsers by default trust just about any certificate issued by a "company"; most users won't even notice.

If you are a UK citizen you can sign this petition. You can also check out ORG who follow these issues very closely (the only thing they do wrong is that they use bitly links!).

This came out yesterday, yet it's not an April Fools' joke..

Read more:

comments 8

Why I hate Ubuntu: Reason #43

Published by manu
Tags:
Why I hate Ubuntu

Ubuntu requires visitors to create an account and log in to view certain threads. I've read this thread (not blocked yet) and now I understand their reasoning: anything they may have archived is to be considered old and should no longer be readable unless you have an ubuntuforums account.... . Whatever, basically they are trying to protect visitors from accessing archived and potentially outdated information.

The other thing I dislike is their use of vBulletin, it just goes to show how much they really don't care much about Free Software.

Is Ubuntu the new Apple ?

comments 4

Saab is Not Dead

Published by manu
Tags:
1975 SAAB 99  Photo by Liftarn

You may already know that Saab, the car company, has been having many issues and even filed for bankruptcy. After GM claimed not to want to sell technologies to the Chinese bidder who had been trying to save Saab, GM has now also refused to sell technologies to Brightwell, a Turkish company.

The actual thing is more like this: while GM owned Saab they developed technologies to build new cars. Now that Saab is dead GM simply does not want to sell those technologies. Anyone who takes over Saab will have to forget about the 9-4x and the 9-5 from what I understood. This all comes down to licensing issues and fear of competition. It seems possible that whoever does eventually buy Saab will have to do without those 2 cars. IMHO, the 9-4x is ugly and bloated and I'm glad it will just die (become a GM badged product), but the 9-5, I actually like that one.

In any case, it seems there is a buyer for Saab and they will soon be known.

P.S. Some may be surprised to see me writing about cars, well please note that I want a Saab, want to help me get one ?

comments 2

MegaRetrieval or Joint Complaint

Published by manu
Tags:
EFF

EFF and Carpathia have joined forces to help Megaupload users who stored non-infringing files retrieve what they can. The only limitation is that this is only directed to users that are based in the United States (of America, North America).

If you are concerned by this then visit MegaRetrieval.com to see what can be done.

Now if you are NOT in the U.S.A. you might want to consider participating in this joint complaint organised by Pirates de Catalunya and endorsed by many other Pirate Parties as well as the EFF.

Pirate Party
comments

Twitter to Censor Tweets per Country

Published by manu
Tags:

Demand Progress has started an open letter to Twitter and asked its subscribers to sign it; the letter is short and as follows:

Twitter's importance as an open platform has been demonstrated time and again this year. We need you to keep fighting for and enabling freedom of expression -- not rationalize away totalitarianism as a legitimate "different idea".

While I am against any form of censorship I am also against telling Twitter how to run their business. In this case they aren't abusing employees, nature or other such things. If you (Demand Progress or anyone else) are not happy with their new terms and conditions you are always free to not use their services.

That said, after reading Twitter's Tweets still must flow post it seems almost kosher.. They claim they will attempt (that is the word I dislike) to mark censored posts as such, so to inform the user they are being censored according to their government's laws. If true it could actually somehow have a positive effect, imagine people's reaction when clearly seeing how much information is withheld from them.

I would also like to correct Demand Progress on one point: Twitter is not an "Open Platform", I cannot interact with Twitter users in any way unless I create an account with Twitter. Open platforms are services that use Status.net (like Identi.ca), Friendica, Diaspora and the like; they allow users to communicate between independent nodes and hence avoid any central policing and/or control of its users and their personal data.

In conclusion I must add that if Twitter's new rules upset anyone it's actually a good reminder that Twitter does not belong to its users nor is it a public service. Their terms of service clearly stipulate that users accept that Twitter reserves the right to remove any content, and all of Twitter's users have accepted those terms.

comments

O2 Gives Mobile Phone Numbers to Websites

Published by manu
Updated
Tags:

O2, a UK phone operator, seems to be sending along, in the HTTP headers of their clients' HTTP requests, the user's mobile phone number! Lewis Peckover has discovered this and set up a test page for people to see what information their mobile ISP is actually sending to websites.

To test, disable your mobile phone's Wifi and visit this page. There you should see the usual stuff, user-agent, IP, languages, etc.. If you see other things like your mobile phone number you might want to ask your ISP for explanations.

Another thing that Lewis notes is that O2 modifies content; he claims they downgrade images and insert JavaScript links. If true, this is really really bad, this is basically tampering with and altering private communications. It's just like if the post office opened your letters, made reduced photocopies so your letters are lighter and then passed that on to you.

I am guessing this shouldn't work using HTTPS, however I would like to ask Lewis what is the deal on this as I do not have a mobile phone and hence cannot test this at all. I also don't have a Twitter account so... . If you do, ask him. Khtxbye : ]

Update: I found this old thread about the same sort of thing affecting other customers on other mobile networks. This is really not new and this is not an O2 issue but rather a mobile phone ISP issue.

comments

No Safe Harbor

Published by manu
Tags:
United States Pirate Party

A new book to be released in a few hours (I think this is on USA time): No Safe Harbor. This book is released by the United States Pirate Party, it features many interesting people and ideas.... .. and yes, it's licensed under the Creative Commons license. You can buy it or download it. Etc. You can even read it.

comments 2

Louis CK - Cutting Out the Middle Man (and DRM!)

Published by manu
Tags:

Louis CK has been distributing his latest show directly himself without any distribution thieves such as I-Tunes and the like. The video is available as a download and this without any DRM attached !

Check out the little note to torrent users (bottom of the page), it's honest at the least.

In any case he's made a lot more money than he had imagined, in just 2 weeks over a million dollars.. at $5 a copy (not too expensive for most people). Not bad. I don't know this guy (yet), but he seems decent as over 25% of that will go to charities. Read more here for more details.

comments 5

Go Daddy Loves SOPA

Published by manu
Tags:

The other day I read about how Go Daddy supports SOPA (and loves Microsoft and kills elephants !). Since then there has been a massive move of domains out of GoDaddy, including Wikipedia (still at GoDaddy as I write, c'mon Jimmy, it's been 5 days now!).

Since then GoDaddy has changed their mind about SOPA, but then it appears they haven't exactly changed their minds.

If you actually use GoDaddy you can pledge to boycott GoDaddy.. . and/or you could just up and leave them, I mean who registers a domain with a company whose name is "Go Daddy" ?

Important note, if you leave, be careful where you go as there are many GoDaddy re-sellers out there.. Just go to Gandi.net or EasyDNS, they both openly oppose SOPA and aren't just doing it for marketing's sake.

comments
