Stockholm’s war on interoperability
The city of Stockholm commissioned Skolplattformen, an omnibus app to deliver timely information to students, teachers and parents. It was a mess: a late, SEK 1B (USD 117M) “IT disaster” boondoggle with a 1.2 star rating.
https://play.google.com/store/apps/details?id=se.stockholm.vardnadshavare&hl=en&gl=US
Among the groups that were poorly served by the app were parents, and among those parents was Christian Landgren, a software developer. Landgren created a streamlined version of the app just for parents that he dubbed Öppna (open) Skolplattformen. As the name suggests, it was free/open source software, hosted on GitHub:
https://github.com/kolplattformen/skolplattformen
Öppna Skolplattformen worked because Landgren and his collaborators reverse-engineered the Skolplattformen, discovering the URLs and syntax for its private API. That may sound daunting, but it’s something web developers do all the time — their primary sources were the web developer tools built into Chrome!
https://play.google.com/store/apps/details?id=org.skolplattformen.app&hl=en_GB&gl=US
Now, Skolplattformen carries a lot of potentially sensitive information about students, staff and parents, so it’s reasonable that the City of Stockholm wanted to assure itself that Öppna Skolplattformen wasn’t harvesting user-data and violating their privacy.
That’s a reasonable concern, but the way Stockholm acted on it was entirely unreasonable. As Matt Burgess writes in Wired, the City did everything it could to exterminate, rather than validate, Öppna Skolplattformen.
https://www.wired.com/story/sweden-stockholm-school-app-open-source/
The City began by warning that the app might be illegal, and told parents to stop using it. Without any factual basis, the City told parents the app was accessing their private information. It altered its code to break the Öppna app. It referred the app to the national data protection authority.
Finally, the City complained to the police, calling the app a cyber-crime, and seeking an official audit of the app’s data-handling.
Separately, the City commissioned a third-party audit of the app’s data-handling from the outside firm Certezza. However, when that audit reported in, the City illegally refused to publish it.
Why would they do that? It’s impossible to know what was going through the minds of City officials like Hélène Mossberg, deputy head of digitization and IT for Stockholm’s education department, but here’s a possible explanation. When the police cybercrime division investigated the Öppna app, they concluded “All information that Öppna Skolplattformen has used is public information that the City of Stockholm voluntarily distributed.”
The police report referenced Certezza’s report. It’s reasonable to conclude, then, that the City knew from early days that it was wrong when it accused the 40 volunteers who maintained the Öppna app of breaching privacy law.
Indeed, those volunteers were busily discovering and reporting bugs in the official apps — bugs that could have exposed Skolplattformen users — teachers, students and parents — to privacy breaches.
Here’s the thing: the City of Stockholm should have scrutinized any third party app that touched its systems for privacy breaches. That’s its job. But the way it proceeded shows that its primary concern wasn’t safeguarding private data — it was safeguarding its reputation. By blocking a third-party app that succeeded where its app had failed, the City was able to maintain the fiction that the billion kronor Skolplattformen cost to produce was money well-spent. By slandering the volunteers who discovered security defects in its billion-krona app, the City was able to maintain the fiction that it had exercised good oversight in public spending.
There’s a name for this conduct: privacywashing, when legitimate adaptation, investigation and modification is blocked in the name of preserving privacy.
Privacywashing is when Doordash threatened its workers over their use of Para, an app that let them know how much a job was worth before they agreed to do it, by falsely claiming that Para compromised driver and customer privacy:
https://pluralistic.net/2021/08/07/hr-4193/#boss-app
Privacywashing is when Facebook declared war on Ad Observer, a plugin that volunteers use to determine when Facebook violates its own policies on paid political disinfo. Facebook falsely claimed that Ad Observer violated user privacy:
https://pluralistic.net/2021/08/05/comprehensive-sex-ed/#quis-custodiet-ipsos-zuck
Privacywashing is when corporate, anti-Net Neutrality shills decry antitrust proposals with dire and wholly unfounded predictions that competition will lead to privacy breaches:
The core premise of privacywashing is that the entities that provide online services are the best guardians of their users’ privacy. Time and again, we learn that this is untrue. Facebook says it needs the power to block independent scrutiny of its ads or Cambridge Analytica will steal all our data. The thing is, Facebook has always had that power and it already let Cambridge Analytica steal all our data. And even if FB blocks the next Cambridge Analytica, it obviously can’t be trusted not to lie to us and steal all our data for itself.
Likewise, Doordash has had multiple, ghastly breaches of its customers’ most sensitive data, including a swatter-friendly database of their home addresses. Its argument that we should let it make the final determination about who can plug new stuff into Doordash because it’s so good at making those calls is obvious bullshit.
Interoperability is the key to technological self-determination. It’s a way for users to help themselves — by fixing bad moderation policies, bad information design and bad accessibility choices.
Interop allows us to address monopolization without having to wait decades for a breakup order to work its way through the courts. If you’re stuck on Facebook because the cost of leaving behind your friends, family and community is too high, interop lets you leave — and still stay in touch with them.
https://www.eff.org/deeplinks/2021/08/facebooks-secret-war-switching-costs
Interop definitely creates privacy risks — but so does its absence. Facebook, Doordash, and other bullies who’ve attacked interoperators are quite capable of abusing our privacy without help from third parties. The same goes for the Skolplattformen, which was shown by the Öppna volunteers to have significant security defects.
It’s possible (and necessary) to police privacy online without engaging in privacywashing. In “Privacy Without Monopoly,” the EFF white-paper I co-wrote with my colleague Bennett Cyphers, we present a solution:
https://www.eff.org/wp/interoperability-and-privacy
To have data-protection without monopoly, you need a freestanding privacy law that specifies what is, and is not, permissible. Then, you need a public authority that holds everyone — itself, tech companies, interoperators — to the standard set by that law.
This is very nearly what the City of Stockholm did! When they learned of a third-party app that could have been breaching user privacy, they audited it. The problem is in what happened next: rather than publishing the audit, they buried it, and made libellous accusations about the volunteers who’d developed the app.
Why’d they do it? Perhaps it was to save face, since their opening gambit wasn’t to audit the Öppna app, but rather to smear it, before they’d bothered to make a factual determination about its data-handling. Having pre-committed to the position that the app was privacy-invading, any disclosures that contradicted that position would make them seem incompetent.
Sweden is part of the EU, which means it actually has a freestanding privacy law that it can refer to in order to determine whether apps like Öppna Skolplattformen were coloring within the laws. The GDPR isn’t perfect, but it is an objective standard to assess every service against — both first-party apps like Skolplattformen and follow-on apps like the Öppna version.
https://www.eff.org/deeplinks/2021/06/gdpr-privacy-and-monopoly
Privacy and interoperability are entirely compatible with one another, and Sweden is better-poised than most jurisdictions to ensure this compatibility:
https://pluralistic.net/2021/08/24/illegitimate-greatness/#peanut-butter-in-my-antitrust
We should demand that app developers — both public and private — adhere to good privacy, accessibility and usability standards. But no standard will ever be complete. There will always be people whose use-cases and disability adaptations are not covered by the design brief, no matter how well-intentioned or comprehensive.
It’s fine and proper for the operators of online services to solicit feedback on how to make them better, but that can’t be the end of the story. The ability of users — and the toolsmiths that serve them — to adapt digital systems means that we don’t have to rely on the good judgment of flawed and conflicted service operators to decide what is a bug and what is a feature.
There’s a name for this ability: Competitive Compatibility, AKA comcom (née “Adversarial Interoperability”).
https://www.eff.org/deeplinks/2019/10/adversarial-interoperability
Comcom has been a part of technology’s story since the earliest days. It is a legitimate and vital practice that humanizes technology and makes it accountable to the people who rely on it. It’s a trump card that users can play to overrule shareholders, executives and bureaucrats who value their profits or reputations over their users’ digital lives.
That’s important when we’re talking about affluent, tech-savvy parents in rich Nordic countries — but it’s even more important when we’re talking about marginalized groups who have no social power. It’s conceivable that Landgren could have simply petitioned the City to fix its app, but Doordash’s misclassified, precarious workforce needed the kind of immediate relief it got from Para.
None of this is to say we should have a free-for-all. Both the operators of services and the interoperators who mod them can expose users to risk. Neither group should be trusted to mark their own exams when it comes to deciding whether that risk has been addressed. The story of Öppna Skolplattformen is a parable about how public authorities could address that risk — and what happens when they abdicate that responsibility.
Image:
Christian Landgren
https://twitter.com/Landgren/status/1319712457196261376