webmail and low bandwidth DE

In my last blog2blog post to Robert W Martin, I asked him to explain why he wants to live his life online without needing his own equipment - something he calls digital existence.

You gave a pretty decent answer, Rob. For me, one of the most powerful motives for seeking digital existence is that it is now technically conceivable to overcome the security concerns inherent in hardware independence. This point was hammered home by your comment on your experience with electronic health records. If Alberta Health and Wellness can provide secure remote access to legally protected patient records, certainly it is possible to provide secure (or at least secure enough) remote access to my CV drafts, letters to the power company, and weiqi game records?

Digital existence has a different attraction in the South Pacific. If I had to characterize computer use in this part of the world it would be as follows:

• There is a large cohort of older, wealthy, professionals who are heavy Internet users at home and at work; they can afford the high price of connectivity
• There is a larger cohort of young users who have very little disposable income
• This younger cohort are primarily unsophisticated but passionate users of low bandwidth social computing - hi5, bebo, facebook, free sms gateways to local mobile phone companies, and photo sharing sites
• This younger cohort would love to share files and video as well, but the slow and/or expensive connections in the region make this impractical - you can almost hear a chant of I want my youtube
• This younger cohort does not own their own computers nor do they typically have Internet connections at home - they rely on Internet cafés, computer labs at educational institutions, and their workplace to get online

In short, 20-somethings in the South Pacific are living low-bandwidth digital existence right now. However, they are doing so with very little understanding if the privacy and security ramifications of their activities.

So, with that, time for some the paranoia. When we started this, you asked, "can you really trust webmail?" A great question. Let's examine this with a little differential risk analysis. If you were going to send me an email, the list of locations where your message falls under threat would be as follows:

The traditional POP3/IMAP (i.e. Outlook Express) scenario:
Rob's POP3/IMAP client, Rob's PC, Rob's LAN, Internet, Rob's mail server, followed by the Internet again and then into an area influenced by my email choices.

And the webmail scenario looks like this:

The webmail (i.e. gmail, yahoo, or hotmail) scenario:
Rob's browser, Rob's PC. Rob's LAN, Internet, Rob's webmail host, followed by the Internet again and then into an area influenced by my email choices.

Let's agree that the risks inherent in your message traversing your PC, your (possibly wireless) LAN, the Internet, and my email-sphere-of-influence are common to both scenarios and mention them no further. Let's focus on the two legs of the journey that differ:

• POP3/IMAP client vs. browser
• the POP3/IMAP/SMTP mail server vs. the webmail server (which includes SMTP of course)

Looking at the clients, I think a well chosen mail client is no more or less secure than a well chosen browser. Both can operate with or without SSL/TLS (if supported by the server), both can render HTML and can execute Javascript, and both are extendible with various privacy and security enhancing plug-ins. They differ in that the mail client saves all of your mail on a local drive, which is great if you are the only user or a machine but terrible if the machine is used by multiple users. I suppose you could rig your mail client to store your mail on a removable device.

The browser, on the other hand, will often write some or all of your webmail fetched mail to cache - especially on a shared computer where you do not control the settings . Even once the cache is cleared, your mail may linger until some cryptographic disk wiping takes place, unless you cache to a removable device. Also, your browser would be vulnerable to session hijacking attacks that would not impact a mail client. For machine independent secure emailing, a thumb drive mounted mail client and a thumb drive mounted browser (see xb browser) are probably equally good, but having a thumb drive feels like cheating when the point was to have no hardware of your own. If you disallow thumb drives, the browser seems to come out ahead in the digital existence balance.

Looking at the servers, both traditional POP3/IMAP/SMTP servers and webmail server's can archive some or all of your email after it has been sent or received, including messages that you have deleted. Perhaps the difference is that webmail servers are guaranteed to have a copy of all of your mail, and it will be all indexed and ready for searching by:

• you
• any data mining software
• any advertising (think gmail) software
• any unscrupulous sysadmin
• any criminal who gains access to this juicy repository of information
• any government agent with a warrant (Patriot Act or otherwise)

Still the use from anywhere nature of webmail is invaluable to the goal of digital existence. So the conversation naturally moves towards cryptography...

Photo by: nico.cavallotto

Debating digital existence

My buddy Robert W Martin (not the guy in the picture) wants to live his life online. But he wants to do it without owning any of his own hardware. To readers in Fiji, this may sound like a yaqona induced fantasy, but Rob lives in a large city in Canada. For about CDN$40 (FJ$60) per month, he gets a connection at home at a speed of about 512kb/s, up and down, with no practical usage limit. At work, his connection may be as fast as 1Mb/s and similarly fast connections are available at numerous Internet cafes for anywhere from free to CDN$5 (FJ$7.50) per hour, not to mention various mobile networking options with various speeds and prices.

With affordable and fast connectivity like this, all he needs to do is get a free webmail account, an online office application service like Google Docs, a file vault, maybe a photo hosting site, and then a bunch of IM and P2P accounts and he's set, right? But here's the problem, like most security professionals, he's paranoid.

He calls his quest the search for digital existence:

This means not having a computer of my own. No desktop, no laptop, not even a wifi-connected smartphone. I want to exist online and experience the richness of the web without having to own any hardware. My access will be through public access terminals and Internet cafes, and by borrowing bandwidth from work, friends and family.[Digital existence revisited, The life and times of Robert W Martin]

Rob has invited me to hammer through some of the difficult questions with him in a blog2blog conversation.

Rob, you suggested that we address these questions:

• Can you really trust webmail?
• Do you really want your files hosted online?
• How much encryption do you need?
• Do you need your own access device (keyboard, computer, PDA, etc.) or can you trust public computers?

Good ideas, but first I want to know why. Why do you want to live on the net without your own hardware? Why do you want digital existence?

Photo by: Cayusa

Koha library system live in Samoa

My blogging has been interrupted recently by some development work in Samoa. Here is an announcement of the fruit of my labours. I hope to write up my experiences over the next few days into a story of a high tech development project in the South Pacific - a roller-coaster ride that almost goes off the rails!

September 18, 2007
Dear UNESCO Apia colleagues, Pacific Libraries, and UNESCO National Commissions

The UNESCO Apia Communication & Information Sector would like to invite you to preview the new website for the Samoa Nelson Memorial Public Library.

The temporary website address is: http://202.4.48.191/ (the final address will be http://www.???.ws)

The website is based on the full-featured Koha Library Management System (LMS) that allows for the online publication of the Nelson Library’s entire catalogue of 40,000+ titles including an extensive Pacific collection. In future, members will be able to reserve titles online.

Basic Google/online searches on Samoa/Pacific publications will highlight the Library’s website significantly increasing the awareness of the titles and knowledge contained at the Library, increasing physical and virtual visits and academic collaboration, and very importantly identifying and highlighting rare and valuable titles.

It is the Vision of the CI Sector to empower Pacific Islanders with ICT skills to access, create, preserve and share knowledge. The development of viable, dynamic websites for National Libraries is a key result area for the Sector.

Libraries possess an immeasurable wealth of knowledge especially on the Pacific and it is critical that the knowledge is made available online, that capacity building and support is provided to library staff for sustainability, and that the Library website is widely promoted for awareness, use of the knowledge and continual development of the Library.

The Sector deployed Koha for the Cook Islands National Library in 2006 and we hope to deploy Koha for at least 1 PIC National Library per year focusing on LDC and vulnerable member states.

We would greatly appreciate your comments.

Regards,
Abel Caine

Adviser for Communication & Information
UNESCO Office for the Pacific States
PO Box 615
Apia, Samoa

Is blogging a dead issue in Fiji?

I have had a lot of fun blogging about blogging in Fiji. (You can relive all dfiji blog blogging here!) It is fascinating for me to see the interplay of blogs, Fiji's military, and the anti-interim-government movement. Now that we have returned to martial law for the second time this year, I am wondering if blogs will re-emerge as a major political issue?

• Will any "big name" renegade bloggers get caught?
• Will the anti-military blogs return to inciting violence?
• Will the truly pro-democracy anonymous bloggers denounce their anti-democratic anonymous compatriots, or will they remain united against a common foe?
• Will the government actively block any blogs?
• Will opposition to the interim government take root in other online forums such as Facebook or Hi5?

It will be interesting to see what transpires - in between watching rugby matches, of course.
Photo by: Elena!

The blessings of digital silence

Other than being he home to the Banded Iguana, one of the facts about Fiji is relative digital isolation. If you work on the USP Laucala campus, you've got a pretty fast connection but at the cost of serious usage limits - proxied web connections, blocked ports, content filtering, etc. If you are a wealthy individual or organization, you can procure enough bandwidth in Fiji to make your cousins in neighboring island nations blush. But it is not possible (or at least practical) to get the kind of affordable residential broadband here that has made YouTube a household word and daily pass-time in households in North America, Europe, and South and East Asia.

Internet access in Fiji is also severely constrained by geography. Once you leave the urban centres, your options for access rapidly diminish until you are eventually left with the PC in the lobby of the nearest FJ$500 a night resort as your last uh... resort.

Still, it is refreshing to take a break from the piles of emails, rss feeds, online games, and carpal tunnel syndrome and spend some time in non-virtual reality and interact with other entities without mediation by the TCP/IP protocol suite. It's actually pretty nice.

Back in a few days...



Photos by amkhoslaand YXO