============================================================
= Digital inequality and degrowth web: a biased glance =
= (revision 2) =
= by Clover Wood, 2023 =
============================================================

> This essay is about 3900 words long, so it probably
> will take you about 15 minutes to read through.

tl;dr: I tried to access some sites about degrowth from computers and smartphones that are powerful enough for daily usage in 2023, but are not supported by software or hardware vendors anymore. Some sites worked, some sites didn't, so I researched "why" and "what to do". The main issues, not surprisingly, are caused by HTTPS, CSS and JavaScript; I offer some workarounds for those. Hopefully this essay can help to make grass-roots web sites more accessible to people who cannot afford "up-to-date" hardware, and start a discussion about the contribution of the Internet to the staggering amount of e-waste humanity produces.

------------------------------------------------------------

As "Degrowth&Strategy" (2022) states, "engaging actively in the international degrowth networks demands a privileged position", with one of the things mentioned being access to a computer and a decent internet connection. I decided to evaluate this claim, or, rather, how bad things are in reality, with the help of my budget laptops and a handful of smartphones I could access.

The links to the various degrowth communities were provided in chapter five of the said book. I also checked out the site of my favourite magazine, Low Tech (solar version), as well as the Google search engine.

Looking at my findings, I realised that the root causes of the issues I have identified with the degrowth web might be interesting outside of the scope of the degrowth or even low-tech areas alone.
So, I decided to expand the essay to make it more accessible for people far from IT, trying to offer a balanced (but inevitably biased) view on the state of the web, especially in the contexts of building online grass-roots communities and reducing e-waste.

== Why does it matter? - Computers and people ==

Before giving you the raw results, I would like to explain my reasoning behind doing this little "research".

Humanity has been mass-producing computers for over seventy years, and by today we have enough computers to satisfy all personal computing needs for many years to come. According to the data I found online, smartphones alone account for 14.4 billion computers produced in the years 2007-2021, with some 1.5 billion smartphones added to this number annually. Add 374 million laptop and desktop CPUs sold in 2022 alone to this whopping mountain of computers. And now add to this the 20+ billion microcontrollers manufactured every year for the last ten years or so, with most of those as powerful as personal computers and game consoles of the 80s.

I mention microcontroller devices comparable to 40-year-old personal computers intentionally. While computers of the 80s were not capable of playing HD video and generating impressive fake news articles, they were successfully used for text editing, home budgeting, research and science, education, play and - yes - accessing internet services. There is little doubt that a significant portion of the controllers humanity manufactures is internet-capable; we use them for the "Internet of Things", after all.

Even putting the question of microcontrollers aside, we are left with at least two powerful computers per every person alive today. If these computers were sufficient to satisfy our needs of personal computing, we could just stop making new ones. If only they were sufficient to access the resources about degrowth and low-tech...

== Quick glossary for non-techies ==

Feel free to skip this section for now, and return to it if you meet a term you don't know.

* HTML - hypertext (text with links) mark-up language, a way to explain to the browser how you want it to display the text on the page.
* HTTP - hypertext transfer protocol, a way for two computers (server and client) to send and receive HTML and other files.
* SSL - secure sockets layer, a way for the server and the client to exchange encrypted data in a way that should be fairly safe from wiretapping.
* TLS - basically the same thing as SSL, but newer.
* SSL certificate - a digital document, usually issued by some sort of authority, to verify that the owner of an encryption key is indeed who they say they are.
* HTTPS - Secure HTTP, as in HTTP inside of SSL or TLS.
* RSA, 3DES, ECDH - families of encryption algorithms.
* CSS - cascading style sheets, a technology that allows the same HTML documents to look different; to enable "the separation of content and presentation". Examples of CSS usage are: different fonts, colors and page layouts. Extreme example: CSSZenGarden.com
* JavaScript (JS) - a programming language that can be understood by many web browsers; it is used to convert an HTML page into an application that is run in a browser's tab. If you have buttons or input fields on the page, and they work without refreshing the page or redirecting you to a different one, the site is using JavaScript. Extreme examples: https://macos9.app/ or JSLinux.
* MHz, GHz - millions of Hertz, billions of Hertz. A unit of frequency. In computer science it is often used to describe the performance of a computer processor, as it is related to the number of operations this processor (CPU) can perform in a second.
* KB/kB, MB - kilo-bYte, mega-bYte. A unit of information. For western script in most computers, one kilobyte equals 1024 plain-text characters. For other script systems and computers, one kilobyte might fit as little as 512 or 256 characters.
  A megabyte is 1024 kilobytes.
* kb/kbit, mb/mbit - kilo-bIt, mega-bIt. A unit of information; in modern computers one bit equals 1/8th of a byte. If it wasn't confusing enough, 1 kb = 1000 bits, and 1 mb is 1000 kbit. Hence, "one megabit per second" roughly equals "122 KB per second".

== Reality check - Degrowth networks ==

Main test device:
* My laptop. I use it for everything, from drawing to games
* Model of June 1998
* It's a Pentium II 266 MHz with 192 MB RAM
* I have a stable Internet connection (GPRS)
* For this test, I used Windows 98 SE with patches to add Windows 2000 and XP compatibility
* Guesstimated number of devices with comparable capabilities manufactured: over 500 million
* People who still use similar devices: ~60 million

Browsers (the latest working or recommended version), and the codes used in the table below:
* IE: Internet Explorer 6 (with security patches)
* D+: D+ (a variant of Dillo browser)
* O1: Opera 10
* KM: K-Meleon 1.6 (based on Mozilla engine)

Secondary test device:
* A laptop I could borrow for a short time
* The cheapest laptop on eBay
* Lenovo Thinkpad X131e (2013)
* Intel Celeron CPU, two cores at 1.5GHz
* 4GB RAM
* Locked ChromeOS; support stopped in 2018
* CR: built-in Chrome browser
* Guesstimated number of devices with similar capabilities: about 2 billion devices
* People who still use this version of Chrome: ~45 million

Mobile test devices:
* Windows Mobile 6 smartphone (2008)
  - CPU 500 MHz, 128Mb RAM
  - WM: Internet Explorer 7
* Android 5.1 smartphone (2017)
  - Sold as a budget model in 2017
  - Popular second-hand model in Pakistan (~$30)
  - 4 CPU cores 1.1GHz, 1Gb RAM
  - AC: Chromium-based built-in Browser
  - About 1.5 billion Android 5-capable devices were manufactured
  - Android 5 is still used by 100 million people
* KaiOS 2.5 "feature phone" (2019)
  - Based on "low-power hardware", as Wikipedia states
  - Very similar to cheap (~$30 for a new one) JioPhone
  - 2 CPU cores 1.1GHz, 512 Mb RAM
  - KO: Powered by Mozilla browser engine
    (ex-Firefox OS)
  - 170 million devices manufactured
  - 100 million people keep using them

Legend:
* S - superb, works great
* + - works with minor issues (i.e. slow but readable)
* - - loads, but isn't readable or useable
* x - does not load at all

                     IE  D+  O1  KM  CR  WM  AC  KO
Google.com           S   +   +   +   S   +   S   S
degrowth.org         x   +   -   -   S   +   S   +
degrowth.info        x   +   -   +   +   +   S   -
degrowth.net         x   -   -   -   -   -   S   +
lists.degrowth.net   x   +   +   S   S   +   +   +
lists.riseup.net     x   x   +   S   S   +   +   +
lowtechmagazine.com  x   x   x   +   S   +   S   +

I also have checked a few international communities with a reduced set of browsers.

                     D+  CR  WM  KO
decrescita.it        x   S   x   +
ipe.hr               +   S   x   +
descreimiento.org    x   S   x   +
iss.nl               x   x   x   +

As you can see, the test results are not great, but they are better than I expected. Before you jump to the conclusion that I am here to unnecessarily criticise portals run on the pure enthusiasm of their creators, first I want to inform you that most websites are struggling with the same issues, and second, I would like you to take a look at the elephant in the room.

== Key findings, or "Why Google works everywhere?" ==

As you might have noticed, Google works on each and every platform I have tested. In fact, it works even with the oldest Netscape and Internet Explorer browsers, and in some Mosaic versions, too. There are two reasons for that.

First, Google can afford this. They can and do test their main site using many different devices, and go as far as to serve different versions of the site depending on the device you use.

Second, Google can afford this. Starting in 2014, they demote sites without HTTPS (encrypted HTTP) in the search results. But the reason Google still works in Internet Explorer 6 or Netscape 3 is that they serve an "insecure" version of Google with HTTPS disabled to such devices. Who is going to punish Google for using such a trick? Google?

I have to note that the commonplace usage of SSL and HTTPS is not a bad thing per se.
On sites that handle any sort of input from users (logins, passwords, comments), a secure connection prevents malicious third parties from snooping and stealing private information. For sites serving any sort of information that can be perceived as dangerous by people in power (governments, service providers, and even employers), HTTPS prevents the alteration of the information by a third party while this information is on the way to the end user. Finally, HTTPS prevents your Internet provider from inserting unwanted advertisements right into the website's content.

But the practice of using SSL and HTTPS brings death to the devices that still could have been useful today. There are two major routes for that:

* Dropping support for older encryption algorithms
  - For example, RSA-256 is considered insecure, as it can be cracked in a few minutes using an 8 or 16 core desktop CPU.
  - While updating the encryption algorithms of the devices is possible in theory, in reality it does not happen after the device stops receiving updates from the manufacturer.
  - Today (March 2023), all the devices running Android 4.3 and below, Chrome 30 and below, Firefox 26 and below, Internet Explorer of all versions except for IE11 on Windows 10, and Safari 8 and below (iPhone 4) do not support any algorithms that can be considered secure, according to SSLLabs.
  - Newer algorithms require more CPU power. Software implementations of ECDH algorithms can require seconds to establish a connection when used on devices with CPUs running at dozens to hundreds of MHz. There are research papers suggesting that efficient implementations of secure encryption on devices with CPU power comparable to personal computers of the 80s are achievable, though.
* Dropping support for root certificates
  - Asymmetric encryption used as a basis of SSL and HTTPS relies on the system of "root certificates" pre-installed on the devices by the manufacturer.
    The root certificates are used to confirm that the site you are visiting was not replaced by a hacker.
  - It is fairly normal for root certificates to expire eventually. If your root certificate was issued in 2003, chances are it was compromised by 2023.
  - A recent example of root certificate expiration is Windows 7 (released in 2009). One of its important root certificates expired in September 2021.
  - It is usually possible to add new root certificates, or ignore the error message about the expired certificate. It is possible that the new root certificates will be using an algorithm not supported by the manufacturer of the device, though.

~~ What can be done about it ~~

* If you hope that your website can be used from a device older than a few years, try to find the balance between security and compatibility.
* Your web server can detect the SSL capabilities of the user's browser. In many cases, it might be acceptable to serve a version of your site with weak encryption (3DES for ~60 million people who still use Internet Explorer), or without any encryption at all.
* Please be mindful of the privacy needs of the visitors of your site. If you offer a forum board or comments section, it would be a very bad idea to give a false sense of security, privacy or anonymity when your site uses weak encryption or no encryption at all.
* A site called SSLLabs has information about algorithms supported by different browsers running on different operating systems, and can also show you what algorithms are offered by your web server. It can help you to decide what algorithms (and what SSL/TLS protocol versions) you want to offer to your site visitors.
* When it comes to checking whether the site is going to load, nothing beats trying out your site from a target device. Check your attic, find your previous laptop or phone, and try to use it. If this is too much of a hassle, or you want to check multiple OS+browser combinations, computer emulation can be handy.
  For a wow-effect (and a ridiculous display of power), check out Fabrice Bellard's JSLinux from a web browser of your computer or phone. It can boot to Windows 2000 with Firefox, Internet Explorer and D+ preinstalled.

But, most importantly:

* The right to repair must include the right to replace the software shipped with the device. It is imperative for manufacturers and operating system vendors to provide a simple way of updating SSL libraries and root certificates on any device. Otherwise, billions of smartphones and hundreds of millions of computers will end up mostly useless.

== Pretty/Useless ==

Some feel-good browsers, including D+, Links and K-Meleon, can handle HTTPS and SSL business separately from the operating system. But even when the browser can establish an HTTPS connection and load the site's data, there are no guarantees that the site will be useable. Even the support of HTML, CSS and JavaScript standards cannot guarantee that: there are sites that work in lightweight D+ (no JavaScript, limited CSS), but refuse to work in Acid3-compliant K-Meleon (with HTML5, CSS3, JS and so on).

What is going on here? If you have too much CSS and JavaScript on your site, it can result in two seemingly contradictory symptoms: the site might not work without a certain level of CSS and JavaScript support, AND it might start working again when such support is missing completely.

Originally, all the web pages used only HTML, as a way to add links and images to the text. When WebKit (Safari) and its "fork" (spin-off) Chrome became monopolists in the arena of web browsers, it became commonplace to "enhance" sites with lots of JavaScript and CSS. Some uses of these technologies:

- changing the appearance of a site when a mobile device changes its orientation (i.e.
  landscape to portrait),
- adding accessibility customisation options,
- showing site search results without changing the page,
- adding a comment or a post without changing the page,
- loading new content without changing the page, also known as "endless scroll" or "endless feed".

When a site is using CSS features not available in the browser you are using, it is possible that some or all the content of the site will be displayed incorrectly, covered by other site elements, or invisible altogether. Turning off CSS will "reset" the appearance of the website to defaults (usually black letters on white background, with blue hyperlinks); the images resized by the means of CSS will be displayed in their original resolution, even if it's too small or too big for the screen. Complex navigation menus hidden by CSS will be displayed as a list.

Examples:
- K-Meleon misinterprets CSS features of degrowth.org, showing only an empty white page, despite loading all the text and images from the site.
- D+ ignores most CSS features of degrowth.org, so the site doesn't look the way it was intended, but all text and images are perfectly readable.

When a site is using JavaScript features not available in the browser, some menus and buttons might not work correctly. If the site is using JavaScript to load new content on the fly, and JavaScript isn't working correctly, then parts of the site or the whole site will not be available.

Examples:
- JavaScript content on degrowth.org causes Opera 10 to crash and close by itself in a second or two when a mouse cursor is hovering over a link.
- D+ doesn't support JavaScript, which is used by degrowth.net for navigating the site and changing the content shown on the screen, so all the content is displayed on the screen at the same time.

We might not be that surprised that browsers released less than a decade ago cannot properly display sites, even sites that aren't any different from the sites we've used ten and sometimes twenty years ago.
But it is likely that browsers that were released only a few months ago aren't working correctly with some of the sites created today. Standards of CSS and JavaScript are ever-evolving, with new features added with every release of Chrome and Firefox, every month or so.

New standards of CSS and JavaScript are regulated by a not-for-profit organisation, the "World Wide Web Consortium" (W3C). Many chairs and participants of the W3C standard working groups are experts employed by Microsoft, Adobe, Baidu, Alibaba, Apple, Google, Intel, Samsung, Huawei and many other companies. Independent participants, university researchers and representatives of socially important projects (the Wikimedia foundation, for example) seem to be a minority in the World Wide Web Consortium today.

I will not speculate that capitalist mega-corporations are acting with malicious intent towards the Internet and the grass-roots movements using it. After all, there is a much simpler explanation: mega-corporations need these new standards for the new features of the new versions of the solutions they produce. Without them, it would have been hard or even impossible to release new versions of products many of us use today.

You see: JavaScript paired with the endless possibilities of CSS allows creating large applications that can be run inside of a browser, like Google Docs or the Mozilla PDF viewer. The temptation to use the powers of JavaScript is so great that many desktop and mobile programs today are written in JavaScript and shipped with their own version of a browser (for example, Discord, Twitch, Visual Studio Code).

Web browsers of 2023 are de-facto operating systems, and JavaScript and CSS are their core parts. Web browsers are even shipped as operating systems in at least three very popular product groups: Chromebook laptops, KaiOS phones and Fitbit OS watches.

While big tech has its reasons to push for newer versions of JS and CSS, the groups of people who suffer disproportionately from the overuse of JS and CSS include not only people who cannot afford a new computer, but also people living in areas with expensive or unstable internet access and people with disabilities.

~~ What can be done about it ~~

* Most sites, including degrowth networks, are not meant to be run-in-browser applications. There is no pressing need to use the latest browser features for them, especially if you hope to make your site accessible to people using "obsolete" computers (note that Chrome won't be updating on Windows 7 and Windows 8 anymore).
* If you still believe your visitors absolutely must have CSS and JS to see your site, consider this: Google and Amazon are among the sites that will work without either. If mega-corporations can make this work for their money-making products, we can do this for our grass-roots web, too.
* Ready-to-use solutions for building websites can be tempting for their simplicity, but it's worth checking how they behave in browsers that aren't up to date.
* Using "obsolete" browsers can be dangerous, as they are not protected from known security vulnerabilities, and should not be encouraged. Unfortunately, most browsers do not provide updates for "obsolete" computers and phones. The browsers that support such devices and still provide security patches and updates, on the other hand, often lack not only "bleeding edge" features, but well-established standards like CSS 2.1 (2011) or JavaScript ES5 (2009).
* Check out the essay "Command Line Programs for the Blind" by Karl Dahlke, the developer of edbrowse, a text-only browser focusing on accessibility. Strive to make your online presence accessible for people with text-only browsers, screen readers, adaptive controllers, color blindness, and so on.
  Hint: if your site is readable without CSS and JS, has alt text for images and correct markup for menu and links, you are on the right track.

== A biased analogy ==

My overall impression of the situation? It reminds me of the American car culture of the 1950s. "Americans were spending more [and more] time in their automobiles and viewing them as an extension of their identity", writes Wikipedia. When new features of the new cars weren't impressive enough to convince the customers to buy a new one, sellers were trying to make cars a kind of fashion.

But a car is still a car. If you replace an old car with a new one, sure, you might get new safety and entertainment features. It doesn't automatically mean you will be able to travel faster, further, or cheaper. And the destination of the majority of your trips, the closest shopping mall and your office, isn't going to magically change, either.

Many similar things can be said about computers and smartphones. They are undoubtedly extensions of our identities: "iPhone user", "Android owner", "PC gamer". Maybe the hype around new iPhones isn't as common as it used to be. Maybe mobile phones are not a fashion statement anymore. But the changes they brought to our lives are going to last long. To rephrase economist Richard Porter, "the smartphone made today's Web possible, and today's Web made the smartphone essential."

== Conclusion ==

I hope this essay was as useful to you as it was insightful to me. Despite writing so many words, I realised that I barely scratched the surface of the digital inequality question. Topics that were left uncovered include, but aren't limited to, accessibility, connectivity speed and stability, censorship, state and corporate surveillance and internationalisation. Well, perhaps, I will cover those some other time.

== Bonus level: Google Fonts ==

One of the things that seem to break K-Meleon and Opera 10 is Google Fonts. This might not be a good enough reason to stop using them, though.
Google Fonts are free and easy to use, and they come as a default option in some popular web page "factories", including WordPress.

But Google Fonts come with a catch. If you use the default way to add them to your website, Google might receive some interesting data about your site's visitor, including: the site they are visiting (yours), their language, their IP address, their web browser version.

Current Google Fonts terms of service insist that while the Fonts might track user behavior, this data will be used only for analytical purposes, and won't be sold to third parties or used for advertisement.

Trick question: how often do you check whether Google has updated their Fonts API terms and conditions?

------------------------------------------------------------

Please send your comments and questions to:
* my email: usagi[at]sdf.org
* my Mastodon: https://mastodon.sdf.org/@usagi

Links to share this essay:
http://usagi.sdf.org/digital-inequality-and-degrowth-web.htm
gopher://sdf.org/1/users/usagi/diary/2023-03-09-DI-DW.txt
gemini://sdf.org/usagi/diary/2023-03-09-DI-DW.txt
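
------------------------------------------------------------

Added example, not part of the original essay and not the author's code: one way a site could combine two of the suggestions from "What can be done about it" in the HTTPS section, namely detecting the visitor's SSL/TLS capabilities and not giving a false sense of security on weak or unencrypted connections. It assumes a Python server that can read SSLSocket.version() and SSLSocket.cipher() for each connection; the names Policy, classify, render, MODERN_VERSIONS and LEGACY_MARKERS, the tier labels and the sample connections are constructed for this example.

```python
import html
from typing import NamedTuple, Optional, Tuple

# Shape of ssl.SSLSocket.cipher(): (cipher name, defining protocol, secret bits)
CipherInfo = Tuple[str, str, int]

MODERN_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Assumption of this example: cipher-name fragments treated as legacy.
LEGACY_MARKERS = ("3DES", "DES-CBC3", "RC4", "MD5", "NULL", "EXP")


class Policy(NamedTuple):
    tier: str          # "modern", "legacy" or "plain"
    allow_forms: bool  # may the page accept logins, comments, other input?
    notice: str        # shown above the content; "" when there is none


def classify(version: Optional[str], cipher: Optional[CipherInfo]) -> Policy:
    """version comes from SSLSocket.version(), cipher from SSLSocket.cipher().
    Both are None on a plain HTTP connection."""
    if version is None or cipher is None:
        return Policy("plain", False,
                      "This connection is not encrypted: anyone on the network "
                      "path can read or alter this page. Posting is disabled.")
    name, _defined_in, bits = cipher
    legacy = (version not in MODERN_VERSIONS
              or bits < 128
              or any(marker in name.upper() for marker in LEGACY_MARKERS))
    if legacy:
        return Policy("legacy", False,
                      "This connection uses weak encryption (%s, %s). Treat it "
                      "as readable by others. Posting is disabled."
                      % (version, name))
    return Policy("modern", True, "")


def render(policy: Policy, title: str, body_html: str, form_html: str) -> str:
    """Plain HTML, no CSS or JavaScript, so old browsers can display it."""
    parts = ["<html><head><title>%s</title></head><body>" % html.escape(title)]
    if policy.notice:
        parts.append("<p><b>%s</b></p>" % html.escape(policy.notice))
    parts.append(body_html)
    if policy.allow_forms:
        parts.append(form_html)
    else:
        parts.append("<p>Comments can be read here but only posted over "
                     "modern HTTPS.</p>")
    parts.append("</body></html>")
    return "\n".join(parts)


# Constructed sample connections: (version, cipher tuple)
SAMPLES = {
    "current browser": ("TLSv1.3", ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256)),
    "old browser, 3DES": ("TLSv1", ("DES-CBC3-SHA", "SSLv3", 112)),
    "3DES over TLS 1.2": ("TLSv1.2", ("DES-CBC3-SHA", "SSLv3", 112)),
    "plain HTTP": (None, None),
}

if __name__ == "__main__":
    for label, (version, cipher) in SAMPLES.items():
        policy = classify(version, cipher)
        print("%-18s -> %-6s forms=%s" % (label, policy.tier, policy.allow_forms))
```

The code only decides what to serve; whether an old device can connect at all still depends on which protocol versions and algorithms the server's TLS configuration accepts.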