Thursday, May 23, 2024

Cross "Border" Digital Infrastructure

 So again while at ID4Africa in Cape Town this week, I heard a lot of people talking about Cross Border use of digital identity. Lets talk a bit about infrastructure here, as I'm not sure people are aware of how hard it is to determine, reliably, where a person, or device are located, geograhpically, let alone jurisdictionally.

We (Microsoft Center for Cloud Research) wrote about this a wwhile back when simply considering the impact of GDPR on Cloud Services and the location of personal data.

The infrastructure doesn't tell you where it is - borders are not digital, they are geo-political constructs that only exist in someone's mind. GPS doesn't work in doors, and can be remarkably perverse in cities anyhow. Content providers (e.g. the BBC in the UK) worry about delivery of content (and adverts and charging) because of different business models in different countries, different content ownership (pace Google YouTube, but also OpenAI), and have, as yet, not solved this problem.

COnsider that someone in ireland can be in or out of the EU in a single step. Or that someone might be on a boat or plane outside a national jurisdiction, using a network to process personal data, which is, exactly, where? Data and processing can be replicated or shareded across multiple sites (indeedmost Cloud Services specifically support keeping copies of state machines while rtunning far appart so that they survive local outages (power failure, disaster/flood etc) and are still live/available. In some cases, the geographic separation to get a required level of relaibility may involve running live programs on live data in multiple jurisdictions/sovereign states. The law does not comprehend this yet (well). and designing digital id (services and wallets etc) without understanding it is not going to help much. Of course, we have the concept of "adequacy" between countries (with regards GDPR - this was also discussed in ID4Africa last year/2023) - it needs some very careful updating.

Also, recentl moves in Internet Standards worl are both towards more anonimity (e.g. oblivious HTTPs) but also towards providing precise location as a service (e.g. proposals from CloudFlare). 

Be careful what you wish for, where?

sustainability of digital wallets for public infrastructure services

One thing occurred to me when listening to people at ID4Africa 24 talk about wallets is that there's a major sustainability problem due specifically to security considerations. 

Any wallet needs to be trusted if it is used for transactions that involve personal data or money.

To implement this trust, the wallet software currently built by major vendors such as Apple, Google and (say) HSBC can use secure enclaves (Trusted Execution ENvironment) support on the device (e.g. trustzone on ARM processors, or variants as built by various handset vendors).

However, the supprt varies with time, but with modications to hardware coming along (e.g. future ARM support for multiple realms and attestation) and simply because software and hardware volunerabilities arise, some of the latter being mitgated by changes to the software, some not.  THis is expensive, so vendors tend to time out support on older devices fairly aggressively.

One report from Cambridge shows how short that can be in practice, so your device no longer gets security patches for the OS (or application SDKs). At this point, can you trust things on it? Almost certainly not in this day and age.

So there are around 750M people in Europe, 450, of them in the EU. If we mandate wallets for Id (or even just make them the only convenient way to access many services) you need to upgrade, typically by replacing all their phones about every 3 years. That's 130M phones a year. Many of these phones cost at least 100 euro and upwards of 1000 euro for high end devices. That's a cost of 130B euro a year.


While some of the materials can be recycled (including many newer batteries), the rare earths and other materials used in these devices are already pretty unacceptable in supply chain ethics.

Not a sustainable way to do things. Meanwhile, proposing to run a secure cloud based wallet is viable, but the cost of running a data center with much of peoples' personal data, which full encrypted access, and TEE style processing is also very high (some large single data center energy use is approaching that of large city metro energy use already), plus moving the data to and from between device and clould is also a non-trivial contribution to running costs, both monetary, and energy/carbon wise.

We are building ourselves into another unacceptable future...

Someone please check my arithmetic...

Wednesday, May 22, 2024

DPG #2 or should I say DPPG or possibly DPPI

 We're hearing a lot about DPIs - Digital Public Infrastructure (the Internet, the spectrum for mobile telephone,  open banking networking etc)....

So then there's a lot of talk about building new Infrastructures for (e.g.) Digital Identity - and provisioning this through Public Private Partnerships - so really we then have a DPPI - indeed, the Internet and WWW and Cloud serve as an example of just that too.

But then we have Digital Public Goods - for me, this is an extension of the notion of open source - so again the software that runs the Internet is available in open source form, together with documentation, and even much test data (simulators too). 

But new systems have evolved new forms of ownership, so a lot of the digital content in the Internet is a mix of open (free) and open access but not free to re-purpose (e.g. copyright owners want recompense) - this showed up first in music/file sharing networks, now subsumbed by systems like Youtube - which have to navigate the ownership space carefully .

New forms of digital goods now include trained models (AIs - e.g. LLMs) - these derive value from the data they are trained on (supervised, therefore involving human labour too, or unsupervised), so we then have a new form we might call a DPPG, something that has a mix of properties of public goods and private goods. 

This needs careful consideration, since a lot of IP rights are being skated over right now - the old "move fast and break things" is being applied by some unscrupulous (or to be more generous, just careless) organisations.

Is OpenAI just napsterising the stuff in the common crawl that has clear limits on commercial/for profit re-use (code and data)?

A couple more points about the Public/Private Partnership aspect of digital infrastructure (and goods). 

The Internet was public til 1992. Then the US government divested, so the birth of commercial ISPs happened. Later, ISPs got big enough to own transmission infrastructure (fiber, last mile copper, spectrum etc). Some of the net remained state provided (from my narrow UK perspective, examples are the UK JANET network for research&education and the NHS spine for health services - there are plenty like that) - there are also community provided networks (e.g. Guifi in Spain) that are collectively owned and operated. In the process of federating these together various tools and techniques emerged for "co-opetition" - things like BGP for routing, CA transparency for certificates etc -these are also examples of how to co-exist in a PPP world and they have (mostly) worked for the 32 years since then.

So there are interfaces between components provided using different models (public, private, community). And these change over time (both the technical and the legal, regulatory, business relationships).

The other thing here is time scales - the Boeing 747 ("Jumbo Jet") has had a product lifetime from 1963 until 2023. Software to model it (from wind tunnel tests, to avionics etc) has to run until the last one stops flying. That's 60 years so far. Any DPPG (software artefact, digital twin etc) being designed today better have a design lifetime of at least 100 years. Yes, that is right. One Hundred Years. Not of solitude.

What sorts of businesses have survived unscathed for these sorts of timescales, and what models do they use (my university is 800+ years old, and then there's the Vatican:) Quite a lot of nation states have not lasted that long.

Tuesday, May 21, 2024

DPGs #1


The oldest and best example of a digital public good is the Internet. Why people don't start from this is surprising to me:

Since 1982, source code of the exemplary implementation from UC Berkeley has been 

available plus documented in an open access series of books documenting that code and working:TCP/IP Illustrated (vol 2)

The key thing here was that every thing accepted as an internet standard had at least 2 interoperating implementations, preferably three, one of which was open source (unencumbred by any IP) - for me, this defines digital (code/data), public (there's no barrier to entry due to ownership restrictive practices) infrastructure (you can run the code and computers are general purppose machines so any computer can run it, subject to resource constraints:-)

Two other reference points - despite the best of intentions and some clver game theory in design processes , we still suffer from frequent tussels in cyberspace - see Tusslees in Cyberspace
from the same people that said this:

"We reject: kings, presidents, and voting. We believe in: rough consensus and running code." David D. Clark 1992.

The standards process in the IETF has open governance, overseen by the non profit Internet

Society, with free access to standards documentation (RFCs) and online/remote access to standards meetings for 30 years...go from here: The Internet Society and the Internet Engienering Task Force which includes hackathons and code sprints as well as writing specs.

For many years, there were also open events for interoperation testing. I remember going to the first Interop Trade Show in Monterey in 1986

The actual operational running of the internet (a mix of private, public and mixed provisioning) 

has teams of people around the world coordinating - e.g. NANOG and RIPE and AfNOG in US and Europe

and Africa e.g. see Reseaux IP European and also net information registries e.g.  AfriNIIC

As well as this, the origin of computer emergency response teams (the "CERTs) who deal with 

coordinated response to security incidents...was from coping with attacks on systems and the infrastructure.

Much of the leading edge research is also covered in open access academic conferences which also typically feature published code and test data (artefacts) and even reproducibility testing results - e.g. see ACM SIGCOMM for a good list of examples of state-of-the-art (probably about 5 years ahead of deployment

A sustainable DPG would include a decentralised grid made of a very large number of microgenerator sources - we have been building something like this on public buildings in the City where I live (London, England) where we crowdfund putting large solar installations on schools, gyms, etc, at scale of 100Kw typical configurations. We are working on getting permission to build a publically owned grid to re-distribute spare power locally (rather than having to just go through the privately operated centralised grid). SUch a system could (with appropriate use of storage, e.g. in batteries in nearby parked EVs) provide a power source for must digital public services.

A whole ecosystem ready built as a way to do all aspects of a DPG!

Saturday, April 13, 2024

social media convestions and aliens in the ether

Starting locally, I've notice how there are many different conventions about how people use different social media platforms (social networks, email, microblogging, etc) 

At one extreme, some people DM me on slack - this is annoying as, to save my sanity, i have turned off notifications on everything, and I look at different platforms with different frequencies - slack, mostly, once a day, compared to say, whatsapp (and signal and matrix), once an hour at least. While I don't use. teams for messaging, I know people who do, but they are signed on while at work all working hours, so that works ok for them.

At another extreme, some people only use a platform in broadcast mode, so an email list is flooded with "how do I leave this list" messages, or a whatsapp group is flooded with "please stop sending your messages to everyone" messages.

Which leads me to the global problem- without interoperability, we have to select a channel we use for a mode of use, and there are going to be lacunae, or indeed, black holes, and inter-galactic wastelands with no information at all

Which leads me to the universal problem and may be one explaination for Fermi's Paradox - we are hearing from alien's in the ether all the time, but most of them are using broadcast (as are we) and what happens to the shared spectrum when everyone broadcasts all the time? You get a descent into pure noise - indeed, we can work out that lots of alien's are NOT using broadcast otherwise we'd be subject to Olber's paradox, which is to say, the sky would be (modulo quantum limits) white noise from all the interfereing broadcasts. 

A slightly more advanced alien civilisation might think "aha, broadcast - shared spectrum, we need to employ collision detection, or even better, collision avoidance" just like Ethernet and WiFi do already on our planet. However, a little more thought would suggest that the protocol for this might suffer from rather high latency when waiting for a "Clear to Send" response to a "Request to Send" message over the light years.  So obviously smart aliens would do one of three things:

  • frequency division multiplexing - each civilisation gets a specific RF band to use
  • space or code division multiplexing - we develop really good collimaters or inter-stellar chipping sequences
  • cooperative relaying and power management - we place "cell towers" at convenient places (e.g. white holes and black holes) and then avoid interference by switching out of this universe (like cellular switching onto glass fiber networks, but in this case, interstellar wormholes).
The other thing these really smart aliens would do would be to prevent our wildly stupid RF reaching them at all by clever filtering. A "really clever filter" is a very big faraday cage, which could be built out of suitably designed dark matter. This is also why we don' see the white noise - we are in our own RF bubble. We are alone. All the clever people are the other side of the barrier. 

Sometimes they do visit us, but to avoid detection, they largely use obsolete social media platforms like MySpace and Orkut, where they can have a laugh.

Sunday, March 10, 2024

Witch Consumer Magazine, review of the leader boared top three LLMs "Conformité Ecologique" (the ubiquitous CE marque)


Witch Consumer Magazine, review of the leader boared top three LLMs "Conformit√© Ecologique"  (the ubiquitous CE marque)

We analyzed the CE claims of the following three large languish models, with respect to four key metrics for the Ecologique, as agreed in European law, namely enthalpy, internet pollution (measured in LoCS -- libraries of congress), bio-dediversification,and general contribution towards the heat death of the universe.

Currently, according to the boared, these are the top-of-the-heap in terms of hype-parameters:

The Faux Corperation's Pinocchio

Astravista's Libration

Sitting Duck's Nine Billion Dogma

We hired some prompt engineers to devise a suitably timely benchmark suite, and embedded the the three systems in our whim tunnel taking care to emulate all aspects of the open road to avoid any repeat of the folk's wagon farage.

Indeed, we used all three systems to design the whim tunnel, and compared the designs to within an inch of their lives until we were satisfied that this was a suitably level playing field on which to evaluate.

The benchmark suite will be made avaialble later, but for now, suffice it to say that we were able to exceed the central limit theorem requirements, so that our confidence is running high that the results are both meaningful, and potentially explainable, but certainly not excusable.



Pinocchio ran very hot, both during training and during every day use.


Libration was about half the temperature of Pinocchio


Roughly 12.332 times less than the next worst.



The Internet was worse off after this tool was used by 

approximately 3 LoCs


Again about a half as bad


Was difficult to measure as the system never stabilised, but oscillated between getting worse,                     and then better, however,  the improvements were usually half the degradations.



This was a shock - we expected better, but in fact the outcome was really rapid removal of                         variance.


Around half as bad as Dogma


very slightly less bad than Libration



Excess use of Libration could bring the heath death of the  universe closer about 11 times faster                 than a herd of small children failing to tidy up their rooms


Absurdly only 3x better than Libration.


Appeared to gain from the Poppins effect, and generally ended up  tidier than before

Some critics have pointed out that Enhalpy and Entropy are two sides of the same coin, and pollution is likely simply the inverse of de-diversification, nevertheless,  we proceeded to evaluate all four in case later we might find different.

In general, none of these products meet the threshold for a CE mark, and for your health, and sanity, we strongly recommend that you do not use any of them, especially if you are in the business of prediction. Next week, we will review a slew of probablistic programming models with a special emphasis on the cleanliness of the Metropolitan Hastings line.

Monday, February 26, 2024

Towards International Goverance of AI

 I wonder what people are really thinking when they think of governance of Intelligence?

If we were considering human intelligence (which we are by extension) we better tread carefully, especially when considering who owns it. The ability to reason, creatively, to innovate is not really the same as any other thing we have sought governance over - 

  • nuclear weapons (test ban treaty, and pugwash convention)
  • spectrum allocation
  • orbits around earth
  • maritime&air traffic - fuels, tracking, control etc
  • recombinant DNA (asilomar conference
  • the weather (and interventions like geo-engineering e.g. see RS report on same)

What's similar about these, and what is different? 

Well we only have one go at each - there's a very countable human race, planet, sea, zombie apocalypse, climate emergency. we don't have time to muck about with variants of rules that apply to fungible material goods. We need something a tad more radical.

So how about this: A lot of AI is trained on public data (oxygen==the common crawl) - this is analgous to robber barons who enclosed the commons, then rented out the land to farmers to graze their cattle on, which used to be a free shared good...

A fix for this, and to re-align incentives is to introduce a Piketty style tax on the capital value of the AI - we could also just "re-nationalise" it, but typically, most people don't believe state actors are good at managing things and prefer to have faith in the invisible hand-  however, history shows that the invisible hand goes hand-in-glove with rich-get-richer, so a tax on capital (and as he showed in great detail in Capital in the 21st Century, it does not have to be a very high rate of tax to work), we can return the shared value of the AI to the common good.

A naive way to compute this tax might be to look at the data lakes the AI was trained on, although this may not all be available (since a lot of big AI companies add some secret sauce as well as free or appropriated ingredients) - so we can do much better by computing the entropy of the output of the AI.

A decent algorithm should produce very information rich output, compared to the size - e.g. a modern LLM with 100s of billions of dimensions, should produce short sentences or images which are highly instructuve - we can measure that, and tax the AI accordingly.

This should also mitigate the tendency to seek data without agreement or consent. 

I realise this may sound like a tax on recording media (back in the day, there were campaigns about "hope taping is killing the music industry"), but I claim there's a difference here in terms of the over-claimed, over-hyped "value add" that the AI companies assert - the real value was in the oxygen, public data, like birdsong or folk tunes, which should stay free or we die - in not being able to make it free, I suggest we do the next best thing and tax the rich. Call me old fashioned, but I think a capital value Piketty tax to mitigate rentiers is actually a new idea, and might actually work. We could call it VAIT.

Sunday, February 18, 2024

Government Procurement of Open Systems Interoperability or Open Source - a lesson for Digital Public Infrastructure

40+ years ago the US and European countries devised a government procurement policy which was to require suppliers to conform to Open Systems Interconnection standards - this was a collection of documents that could be used in RFP (request for proposals) to ensure that vendors bidding for government contracts to supply communications equipment, software, systems and even infrastructure would comply to standards that meant the government could avoid certain pitfalls like lockin, and monopolies of vendors arriving in the communications sectore.

It worked - we got the Internet - probably the worlds first digital public infrastructure provided both by public and private service providers, equipment and software vendors, and a great deal of open source software (and some hardware).

There's one review of how this evolved back in 1990 that represents an interesting transition point, from what were International Standards for Interconnection provided by the UN related organisation ISO or the ITU, to the Internet Standards, which were just about to come to dominate real world deployments - 1992 was a watershed point when the US research fudning agencies stopped funding IP infrastructure, and commercial ISPs very rapidly crystalised out of regional and national (and later, international) community run networks (where communities had been collaborations of research labs and universities funded by DARPA and NSF, or similar in Europe).

Why did the Internet Standards replace the ISO/ITU standards as the favourites in goverment procurement? It is hard to prove this, but my take is that they were significantly different in one simple regard - the specifications were matched with open source implementations. From around the early 1980s, one example was Berkeley Unix which included a rock solid TCP/IP software stack, funded by DARPA (derived from one at BBN (and required to be open source so others (universities, commerce and defense) could use and add to it as needed in the research programs of the 1980s, as actually happened. By 1992, just as the network went beyond government subsidy status, Berners-Lee released the first open source web server and browser (and specifications) and example sites boomed. Then we had a full fledged ecosystem with operational experience, compelling applications, and a business case for companies to join in to extend and make money, and governments to take advantage of rapidly improving technology, falling prices, and a wide choice of providers.

So in a competing world, standards organisations are just more sector, and customers, including some of the biggest cosumters, i.e. governments, can call the shots in who might win.

Now we face calls for Digital Public Infrastructures for other systems (open banking, digital identity being a cornerstone of that, but many others) and the question arises about how the governance should work for these.

So my conclusion from history is that we need open standards, we need government procurement to require interoperability (c.f. Europen Digital Markets Act requirement) and we need open source exemplars for all components to keep all the parties honest.

I personally would like to go further - I think AI today exploits the open availability of huge swathes of data to create new knowledge and artefacts. This too should be open source, open access, and required to interoperate - LLMs for example could scale much better if they used common structures and intermediate model formats that admitted of federation of models (and could even do so with privacy of training data if needed)...

We don;t want to end up with the multiple silos that we currently have in social media and messaging platforms, or indeed, the ridiculous isolation between video conferencing apps that all work in browsers using WebRTC but don't work with each other. This can all be avoided by a little bit of tweaking of government procurement, and some nudging using the blunt instrument of Very Large Contracts :-)

Blog Archive

About Me

My photo
misery me, there is a floccipaucinihilipilification (*) of chronsynclastic infundibuli in these parts and I must therefore refer you to frank zappa instead, and go home