Cory Doctorow formulates something that I think can go onto every list of principles organisations I work with formulate for smart cities, as well as the many data ethics discussions I sit in on.

Don’t track people, help people track the environment to feed their decisions. This flipping of perspective fits with what I posted yesterday about Peter Bihr’s approach to smart cities. It also fits with my main irritation at the state of debate about self driving cars, where all is centered on the car itself. Self driving cars will need to tap into a myriad of sensor streams from lamp posts, road pavement, and whatnot.

Cory’s approach provides agency; the standard smart city approaches tend to take it away.

Bookmarked Imagining a “smart city” that treats you as a sensor, not a thing to be sensed | Cory Doctorow’s craphound.com

the idea of an Internet of Things that treats people “as sensors, not things to be sensed” — a world where your devices never share your data with anyone else to get recommendations or advice, but rather, where all the inanimate objects stream data about how busy they are and whether they’re in good repair, and your device taps into those streams and makes private recommendations, without relaying anything about you or your choices to anyone else.

As I’ve often written, the most important thing about technology isn’t what it does, but who it does it to, and who it does it for. The sizzle-reels for “smart cities” always feature a control room where wise technocrats monitor the city and everyone in it — all I’m asking is that we all get a seat in that control room.

The key insight I find I gained in the past months is that SDGs can be used to add a macroscope to most issues and challenges. So I think Peter Bihr definitely is on a useful track:

Peter Bihr posts about using the UN Human Right Charter, and more specifically the UN’s Sustainable Development Goals (SDGs), as a framing for responsible IoT and Smart Cities.

2019 12 Smart City Evaluation Framework. Image Peter Bihr, license CC BY NC SA

I find using the SDGs a valuable notion to help balance any of your activities. A while ago I listened to a conversation with Taiwanese Minister Audrey Tang (唐凤), who explicitly formulates her entire job description in terms of SDGs, and that was a very useful nudge for me. I know my friend Henriette also formulates her activities in a similar way.

I currently work quite a bit with one client on policy monitoring, indicators and measurements. One of the elements I stress is that you need to be aware how indicators can create perverse impulses if used singularly, and that you need to look at any proposed set of measurements to see what they overlook and ignore. Unexpected consequences if they impact visible stakeholders probably will get incorporated over time, but externalised costs and effects (impacting people, places and systems outside your view) usually won’t. SDGs, because they cover a wide range of topics, and acknowledge the deep interconnectedness and interdependencies between those varied topics, are a helpful starting point to find a balanced and nuanced approach. So that (taking a randomly imagined example) climate, poverty and equality related elements can be meaningfully incorporated into a mobility dashboard that would otherwise maybe just stick to zoomed in things like traffic density and average speed on a highway. It’s the type of zooming in and out, around a specific challenge, out to the surrounding system(s), and in to the constituent building blocks, that is a common approach in TRIZ innovation efforts, with in this case the SDGs providing a macroscope for the zooming out while maintaining local / zoomed in context.

As of our last all hands meeting we have moved our company to using NextCloud on a server in a German data center. This is the second major step in improving on our information hygiene in the company, after adopting RocketChat and leaving Slack.
I had created the cloud already last May, but we had not transitioned everyone in the company and all our work. That transition has now been made.

It allows us to avoid having to work with clients in cloud environments like Google Docs, it has OnlyOffice for online collaboration in documents, it allows us to avoid file transfer services in favor of being able to provide (time limited, password protected) download links from our own server, and it has integrated STUN/TURN support so we can do (video)conference calls from within our own environment. It’s a managed server/service for a few hundred Euros per year. A key benefit is being able to nudge our clients to routines less exposed to the data hungry silos, and also to show compliance with (regularly inconsistent and differing) rules regarding which online services they do and don’t allow. Setting an example is in itself a benefit given our work on transparent data governance, data ethics and accountability.

In the coming weeks we’ll aim to get fully accustomed to our new working environment, but so far it has been pretty self-evident.

Screenshot from working with a colleague in OnlyOffice (content blurred obviously)

We are working our way through a list of things to improve our overall information hygiene, a discussion I started last spring. It involves changes at the company level (like Nextcloud and Rocketchat) and changes at the individual level (helping colleagues e.g. with password management. We moved all of us onto the same password manager, that also includes the option to share passwords from a company account). It focuses on tools and technological measures, as well as on behaviour and work routines. And it looks at both laptop and mobile devices. I’ve created an ‘information hygiene ladder’ on those three dimensions, with a different level of information security at each rung, that we can strive for. The upper end, the “I’m being targeted by a three letter agency”, we’ll never address I’m sure. But there is a wealth of opportunities to improve our information security level before that extreme stage.

A new word was coined in the Netherlands today, “Citrix files” meaning not files stored in Citrix, but “Citrix traffic jams”. Actual, too many cars on the road style traffic jams that is. At issue is a vulnerability in Citrix software, used by many organisations to allow their people remote access to work files. Ministries, hospitals etc all use it. Because of the vulnerability all ministries that have it closed down their Citrix access, meaning all their people need to come into the office this Monday to be able to access their work files. This adds to the Monday morning rush hour, causing additional traffic jams: Citrix traffic jams.

Citrix Traffic Jams headline

I much like Laura Kalbag’s “I don’t track you” declaration on her blog. She links to that post in the footer of her webpages.

As Laura Kalbag says it’s “as much a fact as a mission statement”. I would definitely like to be able to say the same, because it’s important as a signal, as a statement that the web does not need to be what the silos as advert delivery and manipulation vehicles make it to be. But for this blog it isn’t fully a fact.

I do not track anything anyone does on my site. But others in some instances do. This is the case where I embed material from elsewhere. Although often what I embed is still my own content, such as photos and slides, they are served from the likes of YouTube (Google), Flickr, and Slideshare (LinkedIn). The primary reason for using such services is storage space. Presentations, videos and photo collections tend to be large files, filling up the allocated space in my hosting package quickly. And of course there are occasions where I do want to show content by others (photos and videos). Especially in the case of images, showing other people’s content here is very deliberate, based on an obligation to re-use.

This means that I am an enabler of the tracking that such services do when you visit my blog. To be certain, you have a personal responsibility here too: your browser is your castle, and that Castle Doctrine of browsers means that you should already actively block tracking in your browser. However, I also have a responsibility to not expose visitors to tracking where that can be avoided.

So how to avoid tracking? What alternatives are out there? Here’s a list with the services from which this site over the years has embedded material.

  • YouTube (Google): I did not know this until I looked for it today, prompted by Laura Kalbag’s blogpost, but Google provides a setting with embedded YT videos that disables tracking and serves the video from a different domain (youtube-nocookie.com). This is what I will do from now on, and I will go through my older postings to change the embed code in the same way.
  • Flickr: I use Flickr a lot, it’s both my off-site online photo backup, as well as an easy way to post images here, without taking up hosting space. My tracking detection tool (Ghostery) does not find any trackers of embedded images, provided I strip out some of the scripting that comes with an embed by default. This stripping of superfluous stuff I routinely do, and is in my muscle memory.
  • Slideshare: this I think needs replacing. A Slideshare embed always comes with a Google Analytics tracker and a 3rd party beacon it seems. There is no way I can strip any of that out. It’s a good idea to do without Slideshare anyway, so need to search for an alternative. I might go for my own cloud space, or start making my slides differently, e.g. in HTML5, or find some other tool that I can attach to a private cloud space, and allows easy sharing with others.
  • Scribd: this one definitely needs to go too. Embedding a Scribd document adds Google Analytics and a Facebook tracker, and curiously still a Google+ tracker too, though that service no longer exists. Again, need to search for an alternative. Same as with Slideshare.
  • Vimeo: this video embedding service does not add trackers as far as I can tell from my Ghostery tracking monitoring plugin.
  • 23Video: this platform has pivoted to corporate marketing videos and webinars, and no longer supports casual embeds like in the past. I will need to go through my archive though to clean up the postings where I used 23Video.
  • Qik. This was a live streaming video service I used around 2008. The domain is no longer active, and any embeds no longer work. Will need to clean up some old postings.
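
Going through older postings to apply the list above can be scripted. The sketch below is an added example, not code from this blog: it reports every resource a post loads from another host with the verdict the list gives it, and rewrites YouTube embeds to the privacy-enhanced domain youtube-nocookie.com. The host names in the table and the sample post are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Verdicts follow the list above; the host names are assumptions of this example.
VERDICTS = {
    "youtube.com": "rewrite to youtube-nocookie.com",
    "youtube-nocookie.com": "ok: privacy-enhanced embed",
    "staticflickr.com": "ok once the embed script is stripped",
    "vimeo.com": "ok",
    "slideshare.net": "replace: embed adds trackers",
    "scribd.com": "replace: embed adds trackers",
}
YT_EMBED = re.compile(r"(?:https?:)?//(?:www\.)?youtube\.com/embed/")

class EmbedAudit(HTMLParser):
    """Collect (tag, host) for every resource a post loads from another host."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("src") or "").hostname  # None if relative
        if tag in ("iframe", "script", "img", "embed") and host:
            self.found.append((tag, host))

def audit(html):
    """Return (tag, host, verdict) for each third-party resource in the post."""
    parser = EmbedAudit()
    parser.feed(html)
    report = []
    for tag, host in parser.found:
        verdict = next((v for d, v in VERDICTS.items() if host == d
                        or host.endswith("." + d)), "unknown host: review")
        if tag == "script":  # scripts run in the visitor's browser
            verdict = "third-party script: strip it"
        report.append((tag, host, verdict))
    return report

def rewrite_youtube(html):
    """Point YouTube embeds at the privacy-enhanced domain; safe to re-run."""
    return YT_EMBED.sub("https://www.youtube-nocookie.com/embed/", html)

# Constructed sample post, not taken from the blog.
SAMPLE_POST = """<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="//www.slideshare.net/slideshow/embed_code/key/EXAMPLE"></iframe>
<img src="https://live.staticflickr.com/1/example.jpg">
<script async src="//embedr.flickr.com/assets/client-code.js"></script>
<img src="/wp-content/uploads/local.jpg">"""
```

Images served from the site itself (relative URLs) are skipped, so the report only lists hosts that would see a visitor's request.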

So, from this list, Slideshare and Scribd stand out as the ones adding tracking features to this site, and will need to go first. So I’ll focus there on finding replacements. Flickr and Vimeo are ok for now, and Youtube for as long as they respect their own privacy settings. Flickr and Vimeo of course don’t have your data as their business model, whereas YT does, and it shows. Once I’ve removed the tracking functionality from embedded content, what remains is that any call to an outside source results in your IP being logged in that outside server’s logs, and by extension your user agent etc. This is unavoidable as it comes with connecting to any web server. The only way I can avoid such logging is by ensuring I no longer use anything from any outside source, and hosting it myself. For my own content that is possible, as for images I re-use from e.g. Flickr (by serving the image itself from a server I own, and otherwise just linking to the source and creator. As I did with the image below), but hardest for re-using other people’s videos.

Tracks of footprints in the snow, image by Roland Tanglao, license CC BY

Since New Year’s day a slow drip of many documents concerning the work of Cambridge Analytica across 68 countries is giving insights in how the combination of consumer tracking and targeted adverts is being used to influence democratic decisions. Not just within a country, but across multiple countries and simultaneously (meaning foreign interests presented as domestic opinions of the electorate in multiple countries). It’s not entirely surprising, these are age old instruments of propaganda, provocation etc, being redeployed in the digital age, which allows an entirely new level of scale and granularity that makes it a much more malicious beast. It’s shocking on two levels. First, it shows there’s a strong need to make radically transparent to people where material they get served in the silos is coming from, why it is being shown to them, whether it’s part of a/b testing or not, and who is paying/taking influence on each item presented to them. Second, even if there should be no effect at all of these types of campaigns (which seems to crop up as a defence here and there), it is revealing that office-seeking clients and political operatives buy into the cynical premise of the entire concept. Which alone should disqualify them from being elected. The clients need to be held more to account, than the service provider, regardless of any illegality on the side of CA.

The HindSightFiles twitter account is releasing a steady stream of Cambridge Analytica files during the first few months of 2020, leaked by former CA employee Brittany Kaiser. Part of these documents were used earlier in the US Mueller investigation into 2016 election influencing by Russia, and released to the UK Parliament after the initial CA scandal broke.