[The sale of the .ORG top-level domain to a private equity fund run by a bunch of Republican billionaires is a corrupt, revolting perversion. Here, my EFF colleague Mitch Stoltz does an excellent job of explaining what's at stake and how you can take action. -Cory]

The .ORG top-level domain and all of the nonprofit organizations that depend on it are at risk if a private equity firm is allowed to buy control of it. EFF has joined with over 250 respected nonprofits to oppose the sale of Public Interest Registry, the (currently) nonprofit entity that operates the .ORG domain, to Ethos Capital. Internet pioneers including Esther Dyson and Tim Berners-Lee have spoken out against this secretive deal. And 12,000 Internet users and counting have added their voices to the opposition.

What’s the harm in this $1.135 billion deal? In short, it would give Ethos Capital the power to censor the speech of nonprofit organizations (NGOs) to advance commercial interests, and to extract ever-growing monopoly rents from those same nonprofits. Ethos Capital has a financial incentive to engage in censorship—and, of course, in price increases. And the contracts that .ORG operates under don’t create enough accountability or limits on Ethos’s conduct.

Take Action

 SIGN THE PETITION TO DEFEND DOT ORGS

Domain Registries Have Censorship Power

Registries like PIR manage the Internet’s top-level domains under policies set out by ICANN, the governing body for the Internet’s domain name system. Registries have the power to suspend domain names, or even transfer them to other Internet users, subject to their contracts with ICANN. When a domain name is suspended, all of the Internet resources that use that name are disrupted, including websites, email addresses, and apps. That power lets registries exert influence over speech on the Internet in much the same way that social networks, search engines, and other well-placed intermediaries can do. And that power can be sold or bartered to other powerful groups, including repressive governments and corporate interests, giving them new powers of censorship.

Using the Internet’s chokepoints for censorship already happens far too often. For example:

• The registry operators Donuts and Radix, who manage several hundred top-level domains, have private agreements with the Motion Picture Association of America to suspend domains based on accusations of copyright infringement from major movie studios, with no court order or right of appeal.
• The search engine Bing, along with firewall maintainers and other intermediaries, has suppressed access to websites offering truthful information about obtaining prescription medicines from online pharmacies. They acted at the request of groups with close ties to U.S. pharmaceutical manufacturers who seek to keep drug prices high. The same groups have sought cooperation from domain registries and their governing body, ICANN.
• The governments of Turkey and the United Arab Emirates, among others, regularly submit a flood of takedown requests to intermediaries, presumably in the hope that those intermediaries won’t examine those requests closely enough to reject the unjustified and illegal requests buried within them.
• Saudi Arabia has relied on intermediaries like Medium, Snapchat, and Netflix to censor journalism it deems critical of the country’s totalitarian government.
• DNA, a trade association for the domain name industry, has proposed a broad program of Internet speech regulation, to be enforced with domain suspensions, also with no accountability or due process guarantees for Internet users.

As the new operator of .ORG, Ethos Capital would have the ability to engage in these and other forms of censorship. It could enforce any limitations on nonprofits’ speech, including selective enforcement of particular national laws. For intermediaries with power over speech, such conduct can be lucrative, if it wins the favor of a powerful industry like the U.S. movie studios or of the government of an authoritarian country where the intermediary wishes to do business. Since many NGOs are engaged in speech that seeks to hold governments and industry to account, those powerful interests have every incentive to buy the cooperation of a well-placed intermediary, including an Ethos-owned PIR.

Not Enough Safeguards

The sale of PIR to Ethos Capital erodes the safeguards against this form of censorship.

First, the .ORG TLD has a unique meaning. A new NGO website or project may be able to use a different top-level domain, but none carries the same message. A domain name ending in .ORG is the key signifier of non-commercial, public-minded organizations on the Internet. Even the new top-level domains .NGO and .ONG (also run by PIR), which would appear to be substitutes for .ORG, have seen little use.

Established NGOs are in even more of a bind. The .ORG top-level domain is 34 years old, and many of the world’s most important NGOs have used .ORG names for decades. For established NGOs, changing domain names is scarcely an option. Changing from .ORG to a .INFO or .US domain, for example, means disrupting email communications, losing search engine placement, and incurring massive expenses to change an organization’s basic online identity. Established NGOs are effectively a captive audience for the policies and prices set by PIR.

Second, the top-level domain for nonprofits should itself be run by a nonprofit. Today, PIR is a subsidiary of the Internet Society (ISOC), which also promotes Internet access worldwide and oversees the Internet’s basic technical standards. ISOC is a longstanding part of the community of Internet governance organizations. When ISOC created PIR in 2002, it touted its nonprofit status and position in the community as the reasons it should run .ORG. And those community ties help explain why, when PIR proposed building its own copyright enforcement system in 2016, outcry from the community caused it to back down. If PIR is operated for private profit, it will inevitably be less attentive to the Internet governance community.

Third, ICANN, the organization that sets policy for the domain name system, has been busy removing the legal guardrails that could protect nonprofit users of .ORG. Earlier this year, ICANN removed caps on registration fees for .ORG names, allowing PIR to raise prices at will on its captive customer base of nonprofits. And ICANN also gave PIR explicit permission to create new “protections for the rights of third parties”—often used as a justification and legal cover for censorship—without community input or accountability.

Without these safeguards, the sale of PIR to Ethos raises unacceptable risks of censorship and financial exploitation for nonprofits the world over. Yet Ethos and ISOC insist on completing the sale as quickly as possible, without addressing the community’s concerns. Their only response to the massive public outcry against the deal has been vague, unenforceable promises of good behavior.

The sale needs to be halted, and a process begun to guarantee the rights of nonprofit Internet users. You can help by signing the petition:

TAKE ACTION

 SIGN THE PETITION TO DEFEND DOT ORGS

(Crossposted from EFF Deeplinks)

No one knows who owns the Google Cloud drive that exposed 1.2 billion user records, seemingly merged from data-brokers like People Data Labs and Oxydata, who may have simply sold the data to a customer that performed the merge operation and then stuck the resulting files on an unprotected server, which was discovered in October by researcher Vinny Troia using Binaryedge and Shodan.

The data merges home and cell numbers, social media profiles, work histories and email addresses; as Troia says, "This is the first time I've seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That's a lot of information in one place to get you started."

The brokers don't think they were breached. PDL founder Sean Thorne hypothesized that some of the data his company nonconsensually gathered on 1.5 billion people was sold to a normal customer who mishandled it and that is "their responsibility."

Oxydata exec Martynas Simanauskas said that while his company sells its nonconsensual dossiers on terms that require its customers to manage the data conservatively, "there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines."

They're totally right about one thing: once you gather and sell this data, you can't control it -- it's pluripotent, omnitoxic, and immortal. It's nuclear waste.

The thing they're wrong about is the wisdom of selling that pluripotent, omnitoxic, immortal toxic waste, given that they can't control it. The fact that they cheerfully admit that there's no way for them to ensure that the nonconsensual dossiers they've assembled won't be weaponized against their subjects (and the commonsense conclusion that these dossiers will be weaponized against their subjects) means that it is incredibly reckless, even sociopathic for these privacy profiteers to be in the business that they're in.

When we compose threat models for privacy breaches, we often assume that the adversary is someone rational: a supervillain with a long-term plan for committing their crimes and then getting away from them. But time and again, we see the actors behind privacy breaches are petty dum-dums, short-term-thinking idiots who literally can't be bothered to password protect their Google Cloud accounts.

You can deal with rational villains with deterrence. But short-term, impulsive idiots are not deterrable. They're like crackheads stealing motorcycle sparkplugs -- unpredictable, irrational, and, basically, unstoppable.

"While the part of the database Vinny found presumably might be acquired from us or one of our customers, it has definitely not been leaked from our database," Simanauskas told WIRED. "We sign the agreements with all our clients that strictly forbids the data reselling and obliges them to ensure that all of the appropriate security measures are taken. However, there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines. Judging from the data structure, it seems clear that the database found by Vinny is a work product of a third party, with entries generated from multiple different sources."

The fact that neither data broker could rule out the possibility that one of their customers mishandled their data speaks to the larger security and privacy issues inherent in the business of buying and selling data.

1.2 Billion Records Found Exposed Online in a Single Server [Lily Hay Newman/Wired]

(Image: RicHard-59, CC BY-SA, modified)

Here is a thought experiment for our age.

You wake up to find your fairy godmother has overachieved: you're a new you, in a physically attractive, healthy body with no ailments and no older than 25 (giving you a reasonable propect of living to see the year 2100: making it to 2059 is pretty much a dead certainty).

The new you is also fabulously wealthy: you are the beneficial owner of a gigantic share portfolio which, your wealth management team assures you, is worth on the order of $100Bn, and sufficiently stable that even Trump's worst rage-tweeting never causes you to lose more than half a billion or so: even a repeat of the 2008 crisis will only cost you half an Apollo program.

Finally, you're outside the public eye. While your fellow multi-billionaires know you, your photo doesn't regularly appear in HELLO! magazine or Private Eye: you can walk the streets of Manhattan in reasonable safety without a bodyguard, if you so desire.

Now read on below the cut for the small print.

Maslow's hierarchy of needs takes on a whole new appearance from this angle.

Firstly: anthropogenic climate change will personally affect you in the years to come. (It may be the biggest threat to your survival.)

Secondly: the tensions generated by late-stage capitalism and rampant nationalist populism also affect you personally, insofar as billionaires as a class are getting the blame for all the world's ills whether or not they personally did anything blameworthy.

Let's add some more constraints.

Your wealth grows by 1% per annum, compounded, in the absence of Global Financial Crises.

Currently there is a 10% probability of another Global Financial Crisis in the next year, which will cut your wealth by 30%. For each year in which there is no GFC, the probability of a GFC in the next year rises by 2%. (So in a decade's time, if there's been no GFC, the probability is pushing 30%.) After a GFC the probability of a crash in the next yeear resets to 0% (before beginning to grow again after 5 years, as before). Meanwhile, your portfolio will recover at 2% per annum until it reaches its previous level, (or there's another GFC).

You can spend up to 1% of your portfolio per year on whatever you like, without consequences for the rest of the portfolio. Above that, for every additional dollar you liquidate, your investments lose another dollar. (Same recovery rules as for a GFC apply. If you try to liquidate all $100Bn overnight, you get at most $51Bn.)

(Note: I haven't made a spreadsheet model of this yet. Probably an omission one of you will address ...)

The head on a stick rule: in any year when your net wealth exceeds $5Bn, there is a 1% chance of a violent revolution that you cannot escape, and end up with your head on a stick. If there are two or more GFCs within a 10 year period, the probability of a revolution in the next year goes up to 2% per year. A third GFC doubles the probability of revolution, and so on: four GFCs within 40 years mean an 8% probability you'll be murdered.

Note: the planetary GNP is $75Tn or so. You're rich, but you're three orders of magnitude smaller than the global economy. You can't afford to go King Knut. You can't even afford to buy any one of Boeing, Airbus, BP, Shell, Exxon, Apple, IBM, Microsoft, or Google. Forget buying New Zealand: the annual GDP of even a relatively small island nation is around double your total capital, and you can't afford the mortgage. $100Bn does not make you omnipotent.

What is your optimum survival strategy?

Stuff I'm going to suggest is a really bad idea:

Paying Elon to build you a bolt-hole on Mars. Sure you can afford it within the next 20 years (if you live that long), but you will end up spending 75% of your extended life expectancy staring at the interior walls of a converted stainless steel fuel tank.

Paying faceless realtors to build you a bolt-hole in New Zealand. Sure you can afford a fully staffed bunker and a crew of gun-toting minions wearing collar bombs, but you will end up spending 75% of your extended life expectancy under house arrest, wondering when one of the minions is going to crack and decide torturing you to death is worth losing his head. And that's assuming the locals don't get irritated enough to pump carbon monoxide into your ventillation ducts.

Paying the US government to give you privileged status and carry on business as usual. Guillotines, tumbrils, you know the drill.

So it boils down to ... what is the best use of $100Bn over 80 years to mitigate the crisis situation we find ourselves in? (Your end goal should be to live to a ripe old age and die in bed, surrounded by your friends and family.)

PLEASE DO join Tom the Dancing Bug's INNER HIVE! Be the first kid on your block to see each week's comic, get extra comics, sneak peeks, insider scoops, and other stuff! JOIN TODAY!

FOLLOW @RubenBolling on the Twitters and a Face Book and perhaps some Insta-grams

READ more Tom the Dancing Bug comics on Boing Boing!