Meshed Again In 2016

As of January 1st 2016, my main work focus is once again Meshed Insights Ltd., which we’ve kept ticking over during 2015.  Working at Wipro was an interesting experiment, but frankly I did not enjoy it at all. I could have probably have lingered there indefinitely if I’d wanted, but leaving on December 31st was entirely my own decision. The company is simply not ready to speak up for software freedom or encourage its clients to set themselves free from the proprietary vendors Wipro loves and from which it profits. Screenshot 2014-12-27 at 18.06.02

Fortunately there are better things to do lining up at our door; I’m ready to dive straight in to client activities for Meshed.  We’ve been retained by Mozilla to compile a report describing the entities that could host the Thunderbird Project, and have two other (currently non-public) clients ready to go. We would welcome further engagements for 2016 and I would be thrilled if demand allowed me to hire more staff.

In addition to those client engagements we have ideas relating to the thinking we’ve been doing around Community Interest Companies and open source communities, and I hope to have news about that after FOSDEM. I was also surprised and honoured to be elected to the Board of The Document Foundation, effective mid February, and hope to understand more about that at FOSDEM as well.

As you can tell I’m excited about 2016!  I wish you the very best for the new year.

Winter Music

8396114640_83ea4ebc54_z_d

If you’d like some music for the dark nights (& days) that’s not so “traditional”, try these albums:

More album recommendations welcome!

Answer to a Frequently Asked Question

Q: Which open source license is best?

A: Unlike bilateral copyright licenses, which are negotiated between two parties and embody a truce between them for business purposes, multilateral copyright licenses — of which open source licenses are a kind — are “constitutions of communities”, as Eben Moglen and others have observed. They express the consensus of how a community chooses to collaborate. They also embody its ethical assumptions, even if they are not explicitly enumerated.

When that consensus includes giving permission to all to use, study improve and share the code without prejudice, the license is an open source license. The Open Source Definition provides an objective test of evaluating that such a license is indeed an open source license and delivers the software freedom we all expect.

Since licenses are the consensus of communities, it is natural that different communities will have different licenses, that communities with different norms will find fault with the licenses used by others, and that all will regard their way as optimum. The arguments over this will be as deep as the gulf between the philosophical positions of the communities involved.

Ultimately, there is no license that is right for every community. Use the one that best aligns with your community’s objectives and ethos.

[Now part of OSI’s official FAQ]

Azure Loves Linux; What About Microsoft?

The news that Red Hat and Microsoft have reached an agreement about hosting Linux is very welcome. I am delighted for Red Hat here, and see this as a huge sign of the continuing power and growth of open source. It shows that the cloud market is one where and embrace of Linux is table stakes. It also shows that the enterprise market is one where Red Hat is a huge and powerful supplier.

All the same, let’s be clear that all the “Microsoft Loves Linux” hype I saw at SUSECon in Amsterdam yesterday and at other events earlier this year is just not true. Microsoft Azure loves Linux, there is no doubt; it is a basic requirement for them to become relevant on a cloud market dominated by AWS and Linux. They have been out in force at every commercially-oriented open source I have attended this year and have a full-scale charm offensive in place.

But the rest of the company still does not. They still seem to covertly spread open-source-related FUD about LibreOffice here in Europe. They haven’t foresworn making embedded Linux vendors pay for patent licenses of dubious necessity. The Azure business unit is certainly embracing the ecosystem the same as many before them have done so in their steps towards open source. But the Windows and Office business units show no signs of “loving” Linux and only modest signs of co-existing with open source.

It’s hard to change a company as large and profitable as Microsoft quickly. But a significant and binding gesture of goodwill would go a long way to convincing those of us with the scars of Microsoft’s decades of verbal and actual abuse of open source that they mean business.  It’s no secret what the necessary gesture is.

“We both know we have very different positions on software patents,” said Paul Cormier, Red Hat’s president for products and technologies. “We weren’t expecting each other to compromise.”
(WSJ)

Red Hat, despite asserting they don’t believe Microsoft has any patents that read on their products, included a standstill agreement in the deal. Sources tell me it is carefully phrased to comply with the GPL. If Red Hat felt they had to do that with their new partner, there’s no doubt everyone else remains at risk.

If Microsoft truly want to signal the end of hostilities, step one is to sign the Mozilla Open Software Patent License Agreement or join OIN. Until one of those happens, I remain sceptical of Microsoft’s love for Linux.

[Please see my InfoWorld article for more]

EU-US Safe Harbour For Personal Data Eliminated

The European Court of Justice (CJEU) handed down a decision declaring EU-US safe harbour for personal data invalid this morning. It has far-reaching implications for cloud services in particular and may presage increased opportunity for open source solutions from non-US suppliers. Looks like a real gift to companies like Kolab.

Here’s my first reaction on reading of the sources. Let me know what I have wrong & I’ll fix it. In the Opinion of the Advocate General (who has a broader but compatible view), he said:

¶183. I am therefore of the view that Decision 2000/520 must be declared invalid since the existence of a derogation which allows in such general and imprecise terms the principles of the safe harbour scheme to be disregarded prevents in itself that scheme from being considered to ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.

The court supported that view. That decision strikes down the “Safe Harbour” arrangement that allows companies to treat the USA as equivalent to a European state for the purposes of data protection and privacy.

How The Harbour Broke

Why did they reach that decision? The discussion by the Advocate General is more enlightening than the court, which simplified the matter. The core reason for the AG is that the USA has been found to perform indiscriminate mass surveillance against non-citizens. The key discussion is in paragraphs 198-202:

¶198. I note, in that regard, that the access which the United States intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued. (79)

¶199. Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security. (80)

¶200. Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.

¶201. As the Parliament has correctly observed in its observations, since it is excluded for the EU legislature or the Member States to adopt legislation, contrary to the Charter, providing for mass and indiscriminate surveillance, it must follow, a fortiori, that third countries cannot under any circumstances be regarded as ensuring an adequate level of protection of personal data of citizens of the Union where their rules of law do in fact permit the mass and indiscriminate surveillance and interception of such data.

¶202. It should be emphasised, moreover, that the safe harbour scheme, as defined in Decision 2000/520, does not contain appropriate guarantees for preventing mass and generalised access to the transferred data.

Further, the AG found (and the Court agreed) that, while there are mechanisms to ensure that the declaration of safe harbour itself is valid (¶19), there is no authority ensuring that any necessary exceptions to privacy once the data is shared in the USA are appropriate and proportionate:

¶208. It should therefore be found that within the safe harbour scheme provided for by Decision 2000/520 there is no independent authority capable of verifying that the implementation of the derogations from the safe harbour principles is limited to what is strictly necessary. Yet we have seen that such control by an independent authority is, from the point of view of EU law, an essential component of the protection of individuals with regard to the processing of personal data.

He also found that there is no way for European citizens to intervene in the abuse of their personal data by the US authorities as there is for them in Europe.

¶212. Furthermore, the Commission has itself pointed out that there are no opportunities for citizens of the Union to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programmes.
¶213. It should be observed, last, that the United States rules on the protection of privacy may be applied differently to United States citizens and to foreign citizens.

They found that the European Commission should itself have reviewed and suspended the safe harbour, particularly in the light of the (largely undisputed) revelations by Edward Snowden of indiscriminate mass surveillance of foreign nationals by the NSA. The court also found that the lack of any competent authority to supervise the safe harbour arrangements and hear binding appeals made 2000/520 invalid anyway.

Questions directly arising

  • Can any EU company now legally engage a US supplier for cloud or web application services, given relationships with US authorities are beyond contractual remedy?
  • If they do, is consent from every data subject necessary?
  • Given US courts claim jurisdiction over any subsidiary of a US corporation regardless of location even without routine data transfer to the USA, can any EU business use the services of a US company even when the work is conducted entirely in Europe?
  • If they do, is consent from every data subject necessary?
  • If the EC made a fresh determination to replace 2000/520, would that heal everything given the existence of NSA surveillance is unlikely to disappear?
  • Can any remedy be made until the US gives EU citizens standing to challenge use of their personal data in the USA in its courts?
  • If it does, will the EC need to regularly re-evaluate its determinations?

The Storm That Broke The Harbour

The journey to that decision is itself important. The original question asked by the High Court of Ireland concerned whether the Data Protection Commission for Ireland was entitled to make any rulings at all about the efficacy of safe harbour given the European Commission had already made a Union-wide declaration, “in the light of factual developments in the meantime since that Commission Decision was first published.”

This took place during the final appeal phase of a claim in Ireland by Maximillian Schrems of Austria that the sharing of his personal data by Facebook Ireland with its parent company Facebook Inc was in breach of European data protection despite Facebook’s compliance with the safe harbour arrangements. The Irish Data Protection Commissioner had dismissed the claim, but Schrems won judicial review of the decision on the basis that the revelations of Edward Snowden revealed the safe harbour was not in fact adequate for data protection.

The Irish High Court itself found important facts. First, it established that Snowden’s revelations should be considered factual:

¶36. According to the High Court, it is clear from the extensive exhibits accompanying the affidavits filed in the main proceedings that the accuracy of much of Edward Snowden’s revelations is not in dispute. The High Court therefore concluded that, once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation (FBI) are able to access it in the course of a mass and indiscriminate surveillance and interception of such data.

Were the only issue the law of Ireland, there would have been no need for clarification:

¶37. The High Court notes that in Irish law the importance of the constitutional rights to privacy and to inviolability of the dwelling requires that any interference with those rights be in accordance with the law and proportionate. The mass and undifferentiated accessing of personal data does not satisfy the requirement of proportionality and must therefore be considered contrary to the Constitution of Ireland.

But the Irish Commissioner had asserted that, since the European Commission had already asserted the existence of a safe harbour, he could not intervene on behalf of Schrems.

¶50. The Commissioner considered that the very existence of a Commission decision recognising that the United States ensures an adequate level of protection under the safe harbour scheme prevented him from investigating the complaint.

As a result, the CJEU had first to decide whether a national data protection authority was pre-empted by the European Commission. If it was not, it then had to decide whether, in the vase of the US safe harbour, a national authority should in fact override the EC safe harbour. as explained above, the latter decision was indeed taken;

… a decision … such as Commission Decision 2000/520/EC … on the adequacy of the protection provided by the safe harbour privacy principles … does not prevent a supervisory authority of a Member State … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him

That has to also raise questions within Europe. Given GCHQ also allegedly engages in mass surveillance, are transfers between, say, Germany and the UK, also safe transfers? Having established that national authorities retain sovereignty, surely some could now start questioning transfers across the Union as well as those outside it?

On Equality

Extract from an imaginary equality policy:

The only life experience any of us can truly know is ourself. We perceive others as objects outside ourselves, so it’s easy to forget that we are all different selves, that we each experience life as a self isolated from all others communicating through our senses and memory, and that other people’s selves are just as real — and valid — as our own.

The principle that we are free to hold whatever views we want and to act on them to the extent they do not harm others applies universally. When we act on our own views in ways that harm or significantly affect others, it is not acceptable to assert in defense things like:

  • “they are a minority so they have to accept the majority view”,
  • “they are the majority and we are a minority that is entitled to offend”,
  • “people like us are harmed far more often than people like them”,
  • “people like them usually harm people like us”
  • “their view is so wrong I need not respect it”
  • and especially “my view has absolute authority stemming from within my belief system”.

Everyone is an individual and every individual deserves the respect we expect ourselves. We treat each person as a respected individual, not as a token of their classification in our eyes.

A good rule of thumb is that if we feel the views of others are offensive, they probably feel our own views are offensive as well, a view they are completely entitled to when they do not act on it to harm us. If we wish to have our freedom to own and express our views protected, we must also actively respect — preferably protect — the rights of others to the same freedom.

Odd Fish

We’re all odd fish

Remembering Payday

Wanting to remember to run the payroll for my company, I was amazed to discover that Google Calendar does not offer any way to create a recurring calendar entry for the last day of each month. As it turns out, this is one of the examples actually quoted in the iCalendar standard — RFC2445 (on page 43) — so it’s very surprising Google has not implemented a way to manage such entries.

Fortunately Google Calendar does actually support recurring entries for the last day of a month, so it’s possible to hand-craft an .ICS file that can then be imported into Google Calendar. Baptiste Gazul’s helpful blog post started me in the right direction and I was able to craft some entries for my needs with help from the RFC. I saved the quoted text below into a plain-text file with a .ICS suffix and then used Google Calendar’s Import Calendar function to add the entry.

To have a calendar entry for Payday on the last weekday of every month, try:

BEGIN:VCALENDAR
BEGIN:VEVENT
DTSTART:20150331
RRULE:FREQ=MONTHLY;BYDAY=MO,TU,WE,TH,FR;BYSETPOS=-1;WKST=MO
SUMMARY:Payday
DESCRIPTION:Last weekday of each month
END:VEVENT
END:VCALENDAR

Change DTSTART to specify the date of the first payday.

I actually have to run payroll on the Friday before the last weekday of the month; this seems to work:

BEGIN:VCALENDAR
BEGIN:VEVENT
DTSTART:20150417
RRULE:FREQ=MONTHLY;BYDAY=FR;BYSETPOS=-1;WKST=MO
SUMMARY:Run payroll
DESCRIPTION:Friday before last weekday of each month
END:VEVENT
END:VCALENDAR

Follow

Get every new post delivered to your Inbox.

Join 7,815 other followers

%d bloggers like this: