DjangoCon Europe 2019: Apathy and Arsenic: a Victorian Era lesson on fighting the surveillance state

Writeup of the DjangoCon Europe 2019 talk »Apathy and Arsenic: a Victorian Era lesson on fighting the surveillance state« by Lilly Ryan

Lilly Ryan: Lilly Ryan is a pen tester, Python wrangler, and recovering historian from Melbourne, Australia. She writes and speaks internationally about ethical software, social identities after death, teamwork, and the telegraph. More recently she has researched the domestic use of arsenic in Victorian England, attempted urban camouflage, reverse engineered APIs, wielded the Oxford comma, and baked a really good lemon shortbread.

Arsenic is a natural element with a lot of uses, but within this talk, Arsenic means arsenic trioxide. When mixed into food it is odourless, tasteless, and poisonous. It has effects like the worst diarrhea of your life, followed by the end of your life. A little of it will make you tired and cause trouble for your breathing.

Victorian England hat arsenic everywhere: in beauty products, in arsenic wafers, in anti-aging products, for killing mice and other pests, … – but it was most popular as a pigment (brilliant green) for artists, and as a pest killer for farmers. Having it used as color meant it found it way everywhere – Van Gogh's Starry Night (this is why you shouldn't lick art), and playing cards and so on.

Arsenic was also in wallpapers, and would come off in dust if it got too dry, or emit toxic gases if they grew damp – and we're talking England here. This is why people traveled to the sea and felt better – most coastal houses had whitewashed walls. Arsenic also had a reputation as a way to make money quickly, being known as inheritance powder.

As a tech conference, we should talk about the current practice of governments and corporations gathering literally a much data about everybody and storing it forever, and usually not very well. Talking about the 95k GDPR violation complaints since GDPR became active last May, and the breaches that companies have reported since. Google has been fined 50 million Euros, and the amount is trivial for them. Inevitably, large number of data breaches remain undiscovered, and large parts of the world are not covered by GDPR.

Where arsenic and problematic data practices intersect is this: They are dangerous, and the public doesn't care, despite it being everywhere, and they are so prevalent that it is hard to see a way to get rid of them. They seem to be so useful that we just can't limit or get rid of them. Arsenic provides sooo pretty colors, and data helps us how to plan cities and catch bad guys. Inhaling arsenic didn't make all people sick in the same way. Some were more vulnerable, just like some people are more on the receiving end of data breaches, or are directly targeted by attacks (arsenic or digital).

A coal miner in 1852, William Mobury, had 9 children with his wife Mary Ann. 7 of those children died of gastric fever. The couple collected the life insurance money and went on – those were hard days. William then died of gastric fever too, laving Mary Ann and her two daughters all alone. George Ward, an engineer, fell into love with Mary Ann, and then died of gastric fever after the marriage, leaving Mary Ann with the insurance money. James Robinson was a shipwright and married his housekeeper Mary Ann, and their daughter died too. Mary Ann's misfortune continued. One of her surviving children died, so did her remaining daughter after the marriage with Robinson, as did Mary Ann's mother (leaving Mary Ann to inherit everything.) Robinson kicked Mary Ann out after discovering that she was racking up debts and stealing money. A friend took her in, who then died. His brother married Mary Ann, and then died, leaving her with insurance money. Next, she moved in with another family. Wills got rewritten, and everybody died soon after, leaving her with only one remaining stepson. Who died. Her boss became suspicious, and got the local doctor to delay the death certificate. She had a public meltdown, leading to the discovery of her crimes, and soon died of death by rope poisoning. 16 of her own children, 4 partners, her mother, and a friend had died, and she had collected all the life insurance money.

Today, it takes a lot less time for a criminal to make a lot more money than Mary Ann ever did. Instead of marrying and killing and collecting insurance, you collect data that's not yours and sell it or blackmail people with it. See for example the recent wave of fake blackmail emails claiming to have data, spyware and malware, and porn site visit recordings, and demanding payment. About 70.8 bitcoins (300k USD) had been deposited into those wallets a month after this started. In November, one of those wallets hat 928.9 bitcoins, 4.2 million USD.

Many of us saw this email and recognized it for a scam, and had a laugh. But others suffered a lot before paying. Some of you know exactly the kinds of breaches that these things came from, the data is easy to find. But most people don't know their stuff, even today, and inclusion of something like a password makes it more likely to be true, and really scary, making them pay up.

Personal data is potent. Arsenic was everywhere. Grown men died from inhaling it off the wall in their sleep. Others were poisoned. Others were "just" adversely affected. Personal data is not something that needs to be used by criminals to lead to problems. More formal usage by government and private companies (especially ) can end up outing people, influence democratic elections, or steal company secrets (e.g. via spell checkers).

Plenty of people have given up on using large parts of the internet just because it's too complex and scary to them, but most people are apathetic about these problems, or resigned to the fact that they can't change them. The period of time where the most people give the least of a damn is known as peak indifference (Cory Doctorow). We hope that after this peak has passed, an increasing number of people will care. Think about public campaigns against tobacco use – it takes some time to get traction, but then it can really work.

We probably passed peak indifference in March last year, roughly, after the Cambridge Analytica scandal, resulting in a lot of penitent looking CEOs and public commitments to change. Also way more research took place! In the past 12 months, 74% of facebook users adjusted their privacy policy, which sounds like things are starting to turn around. Then GDPR came into force, and people got mountains of mails of any old service provider, leading to more awareness of information flow of personal data.

How do we keep up this momentum? Let's maintain the coverage purposefully instead of in a chaotic way. Peak arsenic indifference passed between 1850 and 1870. After that, arsenic basically vanished except in old houses/products. Awareness lead to resistance. It resulted from literacy and education – not just reading skills, but scientific literacy. Concepts like germs and disease propagation became understood by scientists, and then by the general public. Then the Marsh test was developed, leading to people being less casual about poisoning each other, which was suddenly traceable. John Snow, a doctor, figured out that water could spread cholera, leading to proper sewers, and better sanitation generally. Protest played a big part in helping people convince each other to join the resistance.

To this day, England has never passed any meaningful laws banning the use of arsenic in wallpaper. Never. But other countries, in Europe, banned it in the 1860s, so arsenic fell out of style – France means fashion, after all. This trickled down to England, leading to manufacturers offering other wallpapers. Also, suddenly there was a supply shortage of Arsenic from Europe. One of the best things about this outcome was that it created accessible alternatives for all people, no matter their beliefs or education. Arsenic-free products made people safer no matter their knowledge or the information they had. By the start of the 20th century, arsenic wallpapers have been thrown out, and now you can't find them anymore.

For those following the analogy, you know we're doing a lot already. Crypto parties, secure messengers, information, education, VPN ads, GDPR, password managers are gaining traction, Apple markets privacy to those who can afford it. And besides just focusing on telling people not to use Facebook or Google and blaming individuals for trusting them, we pressure companies who perpetuate unfair systems and immoral practices.

So why does it still feel like in a lot of ways nothing has changed? We click through cookie warnings, but so much is unsolved. What we are lacking compared with the arsenic campaign, is time: arsenic remained a problem, because people kept dying, so the protests kept on. Patience is hard. Time is the key ingredient. We have to keep doing this and not give up or give in to cynicism. We have to repeat this until we are sick of it, and keep going. Do not grow complacent.

Spread Awareness: Grassroots and movements are important, help them spread awareness. Inform people, share your digital competence.

Keep up Resistance: Campaign for better laws and regulations. Be a voice of reason in discusions. Fact-check corporate spin. Do your research.

Yes, we did it last month. Last year. The 90s. They trust that we will get tired and not notice when they bend or change the law. Stay aware.

And if your country is a good place, digital rights wise: fight for others. White arsenic is an industrial by-product. China currently produces about 70% of the worlds supply. It's cheap, productive, and effective. It ends up in the water supply, leads to cancer, and deaths. We can't look around us and think, okay, it's good here, but that just means the problem has moved somewhere where we can't see it anymore.

We have a big responsibility to keep making the world better – we are in a unique position to understand the scale of suffering and damage that is caused by pervasive surveillance and privacy systems, no matter whose hands they are in. We can do something about it. We have to keep doing something about it.

Optimism is scary and hard. Cynicism is easy and gets you laughs and upvotes. Some of you burned out on this decades ago, or years ago. If you're exhausted, support other people years instead, and keep trying!

What is the optimistic, long-term, 150 year end goal? Who are the Mary Anns, and who are the John Snows? We can answer those questions as long as we don't give up.