Before I start this post discussing what happened this week, I want to state that I asked Andrey if it was okay for me to write it, or if doing so would unnecessarily keep the wound open for him. He said it was okay. So we’re cool on that.
As for why I am qualified to write this post, if you find anyone else who
- gave several years of their life to the WordPress open source project;
- has an undergraduate degree in international affairs with a concentration on post-Soviet Russian and Eastern European studies and a minor in Russian language and literature, and a postgraduate certification in internet law and policy;
- had several years of full-time professional experience working with the governments of the US, Russia, Ukraine, Belarus, and the US sanctions regime against Russia thrown in for good measure;
- is currently professionally tits-deep in the UK’s Orwellian legislation about freedom of speech, content interception and moderation, device interception and alteration, and an identity-verified splinternet mandated by government demands for control; and for that matter,
- contains at least 25% raging Ukrainian blood, and in fact, is
- so ethnically Slavic that they own a pierogi press (see header image),
please tell me so that person and I can swap political war stories and recipes, because this war is making me hungry. Pierogi press, democratising dumplings.
This post is written entirely from the outside. I feel a bit Michael Corleone here – “just when I thought I was out, they pull me back in” – having retired from all OSS community involvement just before the pandemic. (You can thank Joomla for that.) I am no longer involved in any community outside my current professional role, nor do I “keep up” with what’s going on with them.
The enduring personal friendships I made in those years, however, are the stars I navigate home by, and always will be.
So on to the drama.
By now everyone knows what happened. A Russian propaganda plugin entitled “Za Mir”, which displayed a banner with the “Z” symbol, was approved for inclusion in the WordPress.org plugin repository. This meant the plugin was featured in the dashboards of – as the project and its controlling company so often boast – 43% of the sites on the open web.
Among the people to see it were Ukrainians, like my friend Andrey in Kyiv, who is currently spending every day trying very hard not to die.
— Andrey Savchenko (@Rarst) March 23, 2022
A furious debate apparently ensued in the project’s Slack, which I’m no longer in, about whether the plugin was acceptable or not. It was eventually pulled on the basis of some airy hand-waving about being “kind, helpful, and respectful.”
The authority to pull the plugin was exercised by the project’s leadership, who as is well known, are not elected by, accountable to, or removable by the community, and are employees of the US company which owns and controls the .org open source project.
A community debate also ensued, because the community loves a bit of wpdrama. That debate didn’t fix the problem, but it certainly created new ones, which I’ll go into shortly.
WPTavern, which is also owned by the US company which owns and controls the .org open source project and therefore must toe certain lines, deeply, had a write-up. Sadly, I must advise you to read the comments.
This was not a freedom of speech issue.
It is a danger sign about the health of the WP project that free speech, and the American First Amendment, seem to be the only tools that the community has at their disposal to intellectually process what happened.
Let me be very clear on this, because I know that this is something that the community is going to struggle to comprehend:
1. The plugin was not a free speech issue.
2. The plugin was not a First Amendment issue.
3. The plugin had absolutely nothing to do with free speech or the First Amendment.
4. Any attempt to deal with the issue through 1, 2, or 3 was completely wrong.
5. Any attempt to deal with the issue through 1, 2, or 3 was a threat to the project.
6. If this doesn’t make sense to you, go back to no 1.
7. If this morally offends you, go back to no 1.
The plugin was not the work of a good-faith actor making a controversial political statement as a valid exercise of his right to free speech. The plugin was a bad-faith actor, affiliated with the Russian military, deploying a social engineering proof of concept to show that it’s possible for Russia to gain access to 43% of the world’s web sites.
He did not submit his plugin to the repo to express an opinion. He jiggled the handles until he found an unlocked door. He found it.
Because obviously the project didn’t get the memo – I mean, the actual memo, issued by the White House two days before the plugin hit the repo – warning US businesses to shore up their defences against Russian cyberattacks. Those public-facing PR statements, if you didn’t know, are always accompanied by direct communication from the government, to companies, on the specific threats heading their way and the mitigations they need to put in place immediately.
Maybe the corporation which legally owns and controls the open source project did get that memo, and that information just didn’t trickle down. Maybe they didn’t get the memo at all.
Regardless of whether they did or did not, what it does prove is the exact scenario I wrote about at the turn of the year, when I discussed how the US government and military now view open source projects as national security threats.
The idea that vital internet infrastructure can be responsibly maintained by any random volunteer who shows up, without any vetting or training or qualifications, through the magic of software freedom and some airy hand-waving about the American First Amendment, is a ship which has sailed directly into the Kerch Strait.
Exhibit A is – and should be, for all the world to see – the WordPress project allowing the Russian military to social-engineer a coordinated propaganda campaign into the dashboards of 43% of the sites on the open web.
One of the calling cards of Soviet intelligence (e.g. the Putin era) was an agent breaking into your house and leaving a shite in your toilet. Doing nothing else, just that, so that you knew they had that power over you. This is the virtual equivalent of the shite in the toilet.
— Heather Burns (@WebDevLaw) March 25, 2022
But while наш друг may have successfully demonstrated a proof of concept on that cybersecurity threat, he also created another one.
Do you people not understand how sanctions work?
Let’s recall that the open source project is completely legally owned and controlled by a US company which provides a global tech platform as well as an enterprise offering. That company could, at any time, be gently asked to consider ceasing offering those services to Russian users and clients. Or it could be told, not asked, and brought into the sanctions regime.
Thus taking 43% of the sites on the open web, and the open source community which powers them, with it.
I dealt with the Russian sanctions regime in a previous job, in my Washington years, which might as well be a previous life. There are no concessions in it, no exemptions, and no mitigations, least of all freedom of speech. The sanctions regime has roughly the same sense of humour as the six-foot-seven Secret Service agent with the Glock standing at your office door while his charge meets with your boss. You are not going to “kind, helpful, and respectful” your way out of it.
You’re going to block the country and users and the services and the clients and the sites by lunchtime, or else a lot of big guys with Glocks are going to show up at your front door at dinnertime. Deeply.
Still, if your mission is “democratising publishing”, that’s going to grate against your principles. So it’s in your interest to do everything in your power to maintain good stewardship of the project, and the platform, so that it doesn’t raise the eyes of the sort of people who already see you as a national security threat.
Letting a Russian state actor use your platform as a billboard for a state propaganda campaign is not going to get you the results you want.
Is there a precedent for a global open source project being brought into the American sanctions regime?
We may be about to find out.
It’s quiet uptown
There is a quote I include in my upcoming privacy book, one which reflects the point in the narrative where I have to stop being the hand-holding good cop and start being the face-slapping bad cop:
This week, a lot of people were dangerously bad at their jobs and a threat to others.
They failed to understand the political implications of a bad-faith abuse of their systems; they failed to recognise a bad-faith abuse in the first place; they processed the situation through an American worldview which was completely irrelevant to the situation; in doing so, they created a timewasting argument about the wrong problem; they caused real unnecessary hurt to people who are the active targets for genocide; and they validated every concern the US government and military has about OSS projects being a threat to national security, and at 43% of the web, global security as well.
And for what, exactly?
It’s been nearly five years since I stood in Paris on a breathtaking summer’s day and asked the community to consider what democratising publishing actually means, and what it stands for, beyond the four software freedoms. To define what principles it stands for, and how to defend those principles. In hindsight, the talk was a total waste of my time, even if the trip, my god, most definitely was not.
But in deciding that the project isn’t going to stand for anything beyond an incredibly naive American worldview of how rights and freedoms and speech and threats interact on the web, via its controlling corporation’s commercial interests, the project also made itself a vulnerable target.
One which, if taken advantage of, puts 43% of the sites on the web at risk. This week, that happened, with such ease and efficiency that some Russian military functionary, somewhere, will have been laughing his head off at the whole lot of you.
There’s a song about a man with authentic political principles meeting his idol, and discovering that his idol’s only political principle was building a career for himself. The good guy, as emotionally flawed as he is, can’t comprehend that. And he asks that bad guy, who will someday kill him in a jealous rage, one question:
If you stand for nothing, Burr, what’ll you fall for?
Well, Alex, if you stand for nothing, you’ll fall for the Russian military exploiting every vulnerability you ever laid out in public for all the world to see.
And you did.
Stay safe, Andrey.
Plus ça change: I've learnt that a certain BDFL is DMing people who shared this tweet, saying that they don't have a "complete understanding" of the situation. I wonder if his "To Gaslight" list has reached @rarst yet.
— Heather Burns (@WebDevLaw) March 26, 2022
Two hours later, literally two hours later, the WP project proved, once again, that it does not do politics, even when it directly threatens the mission of democratising publishing or the billion-pound ecosystem built in its name.
As per recent drama: the US has put in (cough) an exemption from the sanctions regime for tech companies and projects serving Russian citizens, thanks to good advocacy work from the companies and projects which bother to show up at the policy table. https://t.co/45xWZZ9Pc7
— Heather Burns (@WebDevLaw) April 8, 2022