= Making Good Internet Decisions = We all use the Internet; most of us don't know more about than we have to. That's logical; most of us learn what we need to and the Internet's powerful technology allows us to do a lot without really knowing how things work. And that's good because most activists have plenty to do and the easier things are to use, the better. But the Internet isn't a "neutral" tool like a hammer or a calculator. Because it is a mass movement, the Internet is an arena for very internse political struggle. There are people who want to use it primarily to make money and to continue the kind of society most of us are still living in. There are those of us, and our numbers on the Internet are impressive, who see the Internet as another tool for changing society and the world in virtually every way. These aren't just theoretical options. The choices you make impact on the way you use the Internet. They can either contain your experience and force you into the control of a company or allow you to grow and broaden your experience. More than that, these choices have an impact on the rest of the Internet and the rest of the progressive movement. Because, as with any issue or struggle (and possibly more important than most), there are responsible choices to make about your Internet work and there are choices that are simply irresponsible. You want to make the responsible choices and so, in making your Internet plans, here are some issues and questions you need to be conscious of. So when you're choosing an Internet "provider", here are some questions you might ask. == Web == Does your server allow plain text FTP access? FTP is "File Transfer Protocol" and it's the way you get your files (or web pages) into your website for people to see on their browsers. Seeing a page is a fairly safe thing: you see it and there's not a whole lot you can do with it. But uploading a page is quite another matter: if someone uploads a malicious file, it can literally eat up the other web pages on your website or display information you don't want or, even worse, get into the rest of your directory and destroy it. If the provider's server is not properly secure, such a file can destroy everyone else's data. FTP access is insecure because it travels over channels (called "Ports") that allow it to be read as it's being transferred and because it doesn't provide a lot of protection while you're in your directory. A person with proper programs can eavesdrop the entire session, log it and do all kinds of information robbery to be used in exploiting your files. Everyone should use Secure File Transfer Protocol. SFTP is less common than FTP and there are fewer programs that you can use to do an sftp session. So many activists are used to FTP and wonder why they should be using the alternative. Basically, it's because your data is critically important to you and to the rest of us: because you're part of our movement. There are SFTP programs for every computer platform. You should insist that your provider only allows sftp. If the answer's no, do not use that provider. What's your policy on receiving cease-and-desist letters? At some point, you or an organization you do work with is going to get a cease and desist letter from a company, an individual, another organization (usually corporate-based or right-wing) or the government. These letters are designed to stop you from doing something you're doing on line. Often they have to do with copyright infringements but we've seen such letter provoked by statements and expressions of opinion. Many providers give you a day to pull the material and, if you don't, they take your website down. The reason is simple: the only thing they care about is your money. They couldn't care less about the importance oif your message and the even greater importance of allowing you to express that message. Money means everything and, in the balance, the fees you pay them are simply not worth the potential payments to lawyers and other grief caused by a legal action. Let's clarify a couple of points first of all. Because someone writes a letter doesn't mean they are right moral or even legally. In fact, copyright on the Internet is very complicated and partly untested so most letters about infringement are subject to legal interpretation. Otherwise, almost all speech on the Internet is protected. You can't infringe copyright and you can't libel someone (or defame them falsely) but both infringement and libel are decisions of fact subject to jury action. In other words, you haven't done either until a court decides you have. So how in the world can a provider wipe your site? Moreover, it's doubtful that most providers could be held legally responsible for a website's presence on their servers until a court determines that there's an illegality or violation. In short, no provider has to wipe a site until a judge says so and there's no action that can be taken against it. They're just taking the road of least effort. Politically, weak cease and desist policies favor right-wing movements and strategies. The Right wants to repress speech; we don't. We want everyone to be able to talk because once we get the debate going, we win. We're telling the truth, after all. This has been proven historically countless times. So cease and desist is effectively a right-wing tactic and it is absolutely essential that we resist. Imagine if your website has to come down the moment some lawyer issues that kind of letter? And, we assure you, that's what often happens. If someone is so offensive that it shouldn't be on a provider's servers, they don't need a letter from a lawyer to tel them that. Let them ban the materials themselves and then discuss that with the site managers. Otherwise, if it's not too offensive to be on-line, it deserves to be on-line. The correct position is: We don't comply with cease and desist letters. Period. If that's not the answer you're getting from your provider, find another one. Do I have full secure shell access? You may not know this and you may not need it but there's a "layer" of functioning beneath your website display and beneath "protocols" like sftp. It's call "shell access" and it means that you can use a "command line program" to get into your directories and files. A command line program is best identified by its prompt. You have a few letters, then a colon and you enter commands next to that and things work. You're interacting directly with the server's operating system (Unix, Linux or one of the weaker OS systems) and you can do virtually everything you want to your files and accounts. Of course, the caveats that apply to sftp are even more important here -- because there's so much more access. Make sure you have secure access (SSH) and use it. At this point, most providers do that. The problem is that most providers don't provide shell access at all. This may seem like a nothing since many of us don't use shell access. But shell access represents true control over your Internet data and it's the most powerful control we have. It's the way system administrators work. At some point, you may need it or someone in your organization may need it and you should have it because this is your data. No questions asked. If you don't have secure shell access, you should not be with that provider. == Email == How do you handle spam? We have a lot written on this issue because it is among the INternet's most important. So we'll summarize: All spam should be passed on to the user who should be able to make the choices about what to do with it. This is a perfectly effective approach although it requires a bit of work on the user's part. Using one of various programs, you can "guess" what's spam and what's not with a remarkably high degree of accuracy. Then you flag it and the user decides whether to set up email so he/she can review the "spam flagged" email individually or filter it into some spam box. What you don't want is a provider making those choices for you: filtering spam and destroying it, blocking it, or what's worse, rejecting and blocking the server that sent it (called blacklisting...aptly). Your provider has no right to determine the content you should receive; no company should even be allowed to make those choice for you. Most of all, blacklisting is almost always a destructive and irresponsible policy. If someone is "turned in" for spamming, some providers will block that person's entire server (there's no other way to do it) which means that nobody on that server (and there are often hundreds of other users) can communicate with people on the targeted server. It is the worst kind of arbitrary blockage of free speech. Finally, what defintion of spam does your provider have. There is one acceptable definition: spam is the massive, arbitrary email of material to people who cannot reasonably be expected to be interested in it. That is, if the mailer can reasonably expect that you'll be interested in the material you're receiving, that is protected speech and not spam. That's the law and, for our movement, it is a definition that must be protected because, otherwise, you can't organize. Do you use starttls so all email data is encrypted from point-to-point with other email providers using starttls? Starttls is not common among commerial providers and it's possible that the person you're talking to won't even know what you're talking about. But consciousness of this "security trigger" is as important as anything we've talked about here. Starttls is a keyword-based interaction between two providers doing email. You want to email someone on our system, you enter a keyword and that triggers a reaction from the other provider that puts your interaction into secure and encrypted mode. Now the email being transferred, its content and both email address is completely encrypted. Nobody can effectively steal them. You can see how important this can be to you. Does you provider see that as well? If not, your provider isn't thinking about your security or privacy and you should start thinking about another provider. Do you enforce https only web access to webmail? Straight and to the point. When you do webmail with your provider and the url begins with "http" rather than "https", your email is insecure and your provider is not thinking about your security. The secure layer for web access, https, is the only way to make sure your email is traveling through a secure tunnel and is not visible or viewable to hackers. Put it this way: you see that website you got to through http? You can see everything on it? Your webmail is a website. All you need is a password and someone can steal the password or guess it. Ask yourself this question: why do people who take credit card information on the Internet use https pages? Is your email less valuable than a credit card number? == DNS == Can do I have full control over my domain name (ability to change the authoritative DNS servers)? This is quite possible *the* most torturous "lesson" many experienced activists learn on the Internet. You'll frequently find hosting providers who offer you "domain registration" and "monthly hosting". You sign up because it looks like a good deal and you get a registered domain and hosting. But when you want to move your site to another host, you run into all kinds of "contract clauses" and payment requirements and, in the end, you can't move the domain, the old provider must do it. You are in domain prison and this is unethical and fundamentally reactionary...and it is among the most common and even encouraged abuses on the Internet. First an explanation of what's what here because domain registration and hosting aren't the same at all and they are *not* being done by the same people not matter what they tell you. Domain registration is an Internet-wide practice performed by a very few, select and highly specialized companies called "registrars". These are companies that have huge resources and experience and are required to demonstrate those resources and experience with the Internet's management authorities (like ICAAN). Their only role is to sign you up for a domain no one else has, take your yearly fee and put you on a database that has your domain, information about who owns it, and the IP addresses of the people who host the local dns for that domain. They also circulated this information to a network of servers called "DNS servers" (there are about two dozen of them world-wide). That's it. People type in the url and it goes to one of those servers to find out where the local dns is hosted. Local dns is something different. Here the provider has a set of records that have your domain name, your service year (www or mail or whatever) and the IP of the specific server this stuff is one (or servers if there's more than one). It's the system that tells your browser or email client where precisely to go to find a website or to send a specific person email. That's the difference: Like with an office or apartment building, domain registration is like the telephone directory: it gives the address to the building where the person you're looking for resides or work. Local dns is the office or bell directory downstairs that tells you precisely where, inside the building, that person can be found. If a provider controls domain register, that provider can actually prevent you from moving your site from his/her servers or demand all kinds of things from you before permission is given. That's why it's illegal. A provider cannot be a domain registrar. So how do they offer both? They're paying a registrar to do the domain work and passing on the charges to you. The only problem is they don't pass on the information about who the domain registrar is and so you can't make a change yourself. As remarkable as it may seem, this bit of high-tech flim flam is perfectly legal and providers (like tucows and godaddy) do it all the time. This practice runs counter to everything the Internet stands for. You can't move your site if someone else is controlling the domain and if you can't move your site, you are a prisoner. No matter what someone may tell you about a "contract" or anything else, you have the legal right to know who is providing your domain registration and the legal right to move your domain anyplace you want. In fact, you *do* have access to this information even though your provider may hide it from you. You use the whois command on a command line of any terminal hooked up to the Internet. For example, yourterminal$ whois mayfirst.org yield this information: Domain ID:D101505448-LROR Domain Name:MAYFIRST.ORG Created On:25-Sep-2003 18:44:27 UTC Last Updated On:30-Jan-2008 14:13:08 UTC Expiration Date:25-Sep-2010 18:44:27 UTC Sponsoring Registrar:Dotster, Inc. (R34-LROR) Status:OK Registrant ID:DOT-4FPDSMK4ZL0F Registrant Name:Media Jumpstart Inc. Registrant Organization:aka May First/People Link So we know two things right off -- this domain name is owned by the organization Media Jumpstart (our owning foundation) and it's registered at dotster (our domain registrar). All registration records give you this information. And at the bottom of the record it says: Name Server:B.NS.MAYFIRST.ORG Name Server:A.NS.MAYFIRST.ORG which are the names of the local dns servers at May First/People Link. If you go to Dotster, login and you are the owner of this record (the registrant) you can repoint it to whatever provider IP address you want and that place will then assume handling local dns (and presumably many other services) for you. There may be some restrictions (like if you owe the old provider money) but if you're in the midst of a contract year or are paid off, you can make the move legally without any question. The right way to do it is: the person who owns the website should own the registration.