Update 2019-05-17Adrian Cochrane, the developer of the Odysseus web browser, has also been working on a proposal for a post-Javascript web.

—————————

“If you’re seeing this message, that means JavaScript has been disabled on your browser. Please enable JavaScript to make this website work.”

- TechAsia.com

I use a browser add-on called NoScript, to choose if and when a website can run Javascript on my computer, and I’m getting pretty sick of websites refusing to even display text and images if I don’t agree to run their (often proprietary) Javascript. Let’s start telling both website developers and web browser engineers, loud and clear, that it’s time to #MakeJavascriptOptional!

Javascript is unique among programming languages, because the programs written in it are routinely downloaded and run on a person’s computer (in their web browser) without their knowledge or consent. It has been the subject of criticism by everyone from experienced software engineers and computer security researchers, to privacy campaigners and software freedom activists. Bad Actors can use Javascript to abuse people while they use the web, by tracking them (and there have been designs for tracking users with Javascript since 2006, if not longer), by spying on them (and this sort of spying has been going on since 2010 if not longer), by hijacking their computers, and so on.

Almost every time you open a browser tab and go to a website, another batch of invisible programs starts running on your computer, every one of them using up a bit more of your computer’s processing power and system memory. As each one starts running, it makes your computer a bit more sluggish and less responsive to you, like a kind of digital alcohol. Obviously, this degrades the user experience of the web, but most people don’t even realize it’s happening. They blame their internet connection, or assume their computer is just getting too old and they need a newer one, not realizing their computer could run much faster if it wasn’t carrying so much unnecessary Javascript. As well as using up system resources on the computers of web users when they run, the same Javascript programs are sent to millions of computers, over and over again, every time the websites that use them are visited, which is a wasteful use of both server resources and internet bandwidth.

So what can be done? Some people just disable Javascript in their web browsers, but that has the major downside of breaking the vast majority of the web, even a lot of ethical services running free code software (like CoActivate). Others use NoScript to tell us when a page wants to run scripts in our browser, and which web domain they are being served from, and allows us to choose if and when to let them run. Other add-ons focus on blocking specific kinds of threats that exploit Javascript, including anti-tracking tools like the EFF’s Privacy Badger (or the Privacy Possum fork) and adblocking tools like uBlockOrigin.

These kinds of tools are like wearing a suit of armour to protect against shark attacks while surfing, they can work, but they come with a fair bit of inconvenience. The long-term solution is to evolve the web so that we can eventually do without Javascript, just as the upgrade to HTML5 means we can add multimedia like audio, video, animations, and games, to the web, without proprietary plug-ins like Java, Flash, or Silverlight.

One recent trend in website design is to use a static website generator to create sites that display text, media, and links, with a sane page layout, using only basic web languages like HTML and CSS. This works fine for simple personal homepages, or  “brochureware” sites for community groups, public services, and businesses. But some web developers argue that the features Javascript can add to make web pages into “web apps” are arguably worth the costs. The federated photo-sharing app PixelFed recently modified its landing page to remove all the Javascript, which is a welcome move. But once you log in, you still need to allow the site to run some Javascript if you want to share photos and use the rest of the app’s features.

Other web developers have been coming up with proposals for replacing Javascript with other technologies that could provide the same benefits, the extra-for-experts features you can’t code in pure HTML/CSS, without its the downsides. New standards like WebAssembly have already been created to allow other, more robust languages to be used instead of, or alongside Javascript. Other developers argue that Javascript is fine for prototyping new kinds of web services, but before they’re rolled out for mainstream use, these features ought to be standardized, and build into the browser itself, or native apps. Like static sites, this would mean these chunks of code wouldn’t need to be sent over the net millions of times a day, every time users visit the same website.

One thing the developers of web browsers could do very easily to improve the situation, at least in the short term, is the same things they’ve done with cameras and microphones; ask the user’s permission. When a website wants to run Javascript, ask the user if they consent to that, and ask them if they want the browser to remember that decision next time it’s asked to run scripts from that source. In other words, build the functions of NoScript into every web browser.

It could also help to build a wiki to crowdsource information about what kinds of scripts websites are trying to fetch from this or that domain name, and what they do. Some scripts, like those from FontAwesome, just provide freely licensed fonts and icons, while others, like any associated with major web advertising companies, are almost always trackers of some kind, spying on website users. Making this kind of information available from a trusted source would help users that currently use NoScript to decide whether to allow them or not, and if opt-in Javascript does become a standard feature of web browsers, it would benefit everyone who uses the web.

Filed April 3rd, 2019 under free software, security

Happy solstice everyone. As I start doing a few bits and pieces of administrivia to get myself organized for the new calendar year, I find myself increasingly frustrated by some of the policies and practices I find on official websites. For example, take this compulsory password policy from a NZ government web service that allows users to access sensitive, private financial information, and send secure correspondence to officials. I won’t name names (yet), you know who you are:

” Your new password must be between 5 and 10 characters long, and include at least 3 letters and at least 2 numbers and may contain A-Z, a-z, 0-9 and any of the following characters #, +, -, _, @.”

For reasons explained in XKCD #936 “Password Strength”, adding numbers and other non-letter symbols to passphrases doesn’t make them much harder for computers to guess, but it does make them much harder for humans to remember (making them more likely to write them down or otherwise compromise them). This isn’t even very helpful as a suggestion, let alone as a compulsory requirement.

Secondly, why limit the length to 5-10 characters? That same XKCD comic shows that as a passphrase gets longer, it gets exponentially more difficult for a computer to guess it correctly (all else being equal). According to Troy Hunt, creator of haveibeenpwned.com, the Digital Identity Guidelines released in 2017 by NIST (US National Institute of Standards and Technology) recommends sites allow passphrases at least 64 characters long, and ideally as long as 256.

The policy on this website stops me following my preferred passphrase practice, which is similar to the method described in the XKCD comic, and results in easy-to-remember passphrases much longer than 10 characters. It’s a policy that urgently needs to be changed.

But when I went to the website feedback form to point all this out to the webmasters, I realized that I wasn’t even able to submit the complaint without allowing a third-party domain to run Javascript in my browser (mcxplatform.com.au owned by a US-based “customer experience” company Maritz LLC). This is a simple form with a few groups of tick boxes, a comment box, and a ’submit’ button. It does nothing that we couldn’t do on Indymedia news sites almost 20 years ago, and there’s no need for it to expose user-submitted data to an external service. I expect to be able to use all the functions of any official government website without enabling JS for any third-party domain. This too, needs to be fixed.

I also noticed that the site is running Javascript from three other third-party domains; doubleclick.net, google-analytics.com, and hotjar.com, owned by companies that collect data about website users (”analytics”). DoubleClick.net is owned by Google, and is usually used along with their analytics trackers, to help target their AdSense web ads at users. Hotjar.com is owned by a private company based in Europe. Is it really ethical to allow private companies, especially foreign companies, to collect data about NZ citizens - without their knowledge or consent - while they are using government services via an official website? This practice also needs to stop. If the website teams needs to collect analytics to improve the website, they can do it with their own instance of a free code tool like Matomo or AWStats.

Filed January 4th, 2019 under security

According to a piece on left-leaning kiwi blog site The Daily Blog, there’s more bad news looming for basic democratic rights. Both the Australian and New Zealand governments are considering passing new laws that would force people to hand over the keys to their encrypted communications. NZ already has some stupidly strict laws on “exporting” anything encryption-related from the country, and even publishing articles about it in academic journals requires special permission. A coalition of digital liberties groups, including InternetNZ and the NZ Council for Civil Liberties, has been defending the right to encrypt since at least 2016. A time when the debate over the technology was heating up around the world, thanks to the work of groups like Access Now. Back then, the Obama administration were saying that the US federal government would not be doing anything that weakened the digital security provided by encryption.

The problem is, encrypted communication is such an obscure thing for most people, and so far from their everyday concerns about paying the rent, keep dinner on the table, keeping the shop open, or whatever. There’s a risk that too many people will only understand why this matters too late, and start trying to close the stable door after the horse has bolted. So here’s a simple way to explain it.

You have a lock box in your house. In it, you might keep some cash for emergencies. You might keep important documents like your passport when you’re not travelling, or copies of your will, or a copy of your research on your family history. You might keep something harmless but embarrassing, like some saucy Polaroid photos you took with your lover, or something weird and sentimental, like a lace doily, or half a doughnut. It’s nobody else’s business what’s in that box. You have a fundamental right to keep it private. It’s a right that’s asserted in a bunch of other human rights conventions, including Article 12 of the Universal Declaration of Human Rights:

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

You don’t want anyone to see what’s in your lock box, but let’s say law enforcement officers want the key to it, because they believe it contains evidence of a crime. Traditionally, in democratic countries, the officers have to appear before a neutral third-party (like a judge) and the onus is on them to convince that person that they have a very good reason to be allowed to violate your privacy, not on you to prove that they don’t (”nothing to hide …”).

If they get permission - in the form of a judicial warrant - it only applies in this specific case, to you, to the private property they’re asking the judge for access to, in this case your lock box, and for a specific period of time. They can’t get a warrant to search anyone’s lock box. They can’t get a warrant to search anything you choose to keep private. They can’t get a warrant to violate your privacy any time they like from now on. A warrant is a temporary, specific exemption to the laws that normally protect your privacy. If law enforcement officers can just ask you for the key to your lock box, and threaten to arrest you and charge with obstruction if you say no, that’s “arbitrary interference” in your “privacy, home or correspondence”, and Article 12 says that’s something governments that respect human rights protect their people from.

An encryption key is like a digital version of the key to your lock box. Like your email or social media passphrase, it protects things you have reasons to want to keep private. In a tiny minority of cases, that might be communications about committing a crime. But in the majority of cases, they will be things you want to keep private because they are embarrassing (dick pics), or personal (love letters), or financially sensitive (online banking), or its your professional duty  (a doctor’s database of their patients’ medical records). Things that are harmless. Things that could even be harmful to people if their privacy is violated, like medical insurance companies getting access to people’s medical records, and charging higher premiums to people with unusual health problems, even though the whole point of insurance is to collect money off lots of people, so it can be paid out to those who need it.

The problem with the laws being discussed about encryption is not that they let law enforcement violate a specific person’s privacy, in specific ways, when they have good reason to think they will find evidence of a crime. The law already allows them to apply for a warrant for that. The problem is, these laws would let them search through anything that anyone chose to encrypt, any time they like. It would let them do so in secret, with no effective way for the public to hold them accountable for how they use those powers.

This is how policing works in a police state, not a democracy. Please contact your political representatives and urge them to do everything in their power to protect our privacy, by protecting our right to encrypt.

Filed September 7th, 2018 under News, security

Update 2018-05-23: I just read a highly misleading piece on The Atlantic called ‘Email Hackers are Winning‘, discussing a recent crack called ‘Efail” that proves encrypted email can be cracked, and claiming that Efail:

“showed that encrypted (and therefore private and secure) email is not only hard to do, but might be impossible in any practical way, because of what email is at its core”

Ummm … no. For the Efail crack to work, the receiver of the malicious email has to have HTML mail turned on in their email app. If HTML mail is turned off, Efail … well … fails. The core of email - the email protocols - have nothing to do with it. The author, security blogger Quinn Norton, who really ought to know better, also claims that the fundamentals of email have remain unchanged since the 1970s. Since that was before HTML was invented, if that was true, Efail wouldn’t work at all. Indeed, the email protocols are constantly being improved through standards work at the IETF (Internet Engineer Task Force). However, despite the weird fairy tale Quinn wraps around the story of Efail, it is yet another very good reason for activists not to use HTML mail.

——————————

I wrote a couple of blog pieces last year about how horrified I am when I find activist groups and other social change organizations helping surveillance capitalism tools like NationBuilder and MailChimp to track their supporters. In the MailChimp piece, I also took the opportunity to gripe about people sending HTML pages as emails. At the risk of sounding like the 1990s internet equivalent of people who moan about how nobody sends paper letters anymore, I just wanted to share a few resources about just how dodgy HTML mail can be.

To set the scene, here’s what I said in the MailChimp piece:

While we’re on the subject of mass email, the “service” that seems to make MailChimp so attractive is that is uses HTML to add a bunch of trackers to the email sent through its servers. Putting aside the ethics of enabling companies to use email to track people we like, I strongly discourage people from sending HTML by email.

Email is designed as a text-only medium, and works better this way. HTML email massively increases the amount of space email takes up in someone’s inbox, how much of their data allowance is used looking at it, and how much of the total resources of the internet are used by email that may not even be wanted or seen. HTML email also creates vectors for viruses and malware to spread through email, vectors which do not exist in plain text email.

If you want to show someone a page of HTML, it’s better to put that on a website, and include a link to it in a plain text email. That way people can read the email anytime, then look at the linked web pages when they are using fast, un-metered internet. This is also helpful to people still using dial-up connections, or slow rural broadband.

But hey what do I know? I’m just a guy who researches user-respecting software and writes a tech blog. I practically live in my Mum’s basement. How about we consults some experts?

Let’s start with George Dillon, a performance artists and web designer. Now we all know how much web designers love HTML, and George has been building his own websites since the late 90s. But his article on using HTML for email lists seven reasons why HTML mail is “evil”, or at least unhelpful and unnecessary, covering many of the points I touched on but in more detail. OK, it hasn’t been updated in about ten years, and some of the specifics may seen out-of-date (HTML mail exploits are the least of your worries if you’re still using Windows XP), but you’d be amazed how many people still use dial-up connections to access the net. As I forgot to mention in the MailChimp piece, many of the same issues that apply to dial-up also apply to people using mobile devices to read their email, on metered net connections they pay through the nose for.

Next, let’s pay a visit to tech writer M. E. Kabay, who wrote a 2004 piece about the growing use of HTML in email, for NetworkWorld.com, describing a number of specific security holes made possible by HTML mail, and dismissing it as a pointless source of …

“unwanted, mislabeled links, Web bugs, harmful active content, and outright worms and viruses”.

 Kabay sums up the piece with this advice:

“I urge everyone to send plain text instead of HTML as the default format for outgoing e-mail. If you need to send a message with features beyond text, you can always create a word-processing document and send that.”

Now I know what you’re thinking. Like me, these articles are showing their age. I mean, 2004 was more than a decade ago. Surely all these security problems have been solved by now, right? Nope. Here’s the conclusion of an article published on The Conversation in 2017, written with input from security researcher Robert Graham:

“Security-conscious users must demand that their email providers offer a plain-text option. Unfortunately, such options are few and far between, but they are a key to stemming the webmail insecurity epidemic. Mail providers that refuse to do so should be avoided, just like back alleys that are bad places to conduct business.”

The title of the piece is ‘The only safe email is text-only email‘. Need I quote further?

Finally, there’s StackExchange, a Q&A website where anyone can ask a question, and the answers from the communities of experts there get upvoted, and downvoted, and commented on, and edited, until only the best answers are left standing. A question about the security risks of creating a webmail that allows HTML mail was asked in the software engineering department, and my favourite quote from among the answers given is this one by one Michael Shaw, which pretty much sums it all up:

“Start allowing anything beyond presentational [HTML] tags and you are making assumptions that you know more about how these tags can be misused than the mal-ware writers. And believe me, that is a brave claim for anyone to make.”

Asked a question on the internet, actually got a useful answer.jpg

Filed April 12th, 2018 under security
  • Annual Events

  • Digital Freedom Foundation
  • LibrePlanet
  • Aotearoa

  • Aotearoa Indymedia
  • BallaNZ
  • Creative Commons Aotearoa/ NZ
  • Creative Freedom Foundation
  • DigitalNZ
  • Enspiral
  • Fair Deal Coalition
  • GreenStage
  • InternetNZ
  • Island Bay World Service
  • Living Economies
  • Localise
  • Loomio
  • Matrix FM
  • Nicky Hagar
  • No Right Turn
  • NZ Council for Civil Liberties
  • NZ Makers
  • NZ Makers Map
  • NZ Māori Internet Society
  • NZ Open Source Awards
  • NZCommons
  • OASIS
  • Open Government Ninjas of NZ
  • Open Source Society of NZ
  • Open Standards NZ
  • Open Ur Eyes
  • Pacific Media Centre
  • Permaculture in NZ
  • PledgeMe
  • Radio Chomsky
  • Regulation
  • Scoop
  • Tech Liberty
  • Timebank Aotearoa
  • Transition Towns Aotearoa/ NZ
  • Uncensored Magazine
  • Waatea News
  • Waikato Linux Users Group
  • What If
  • Wiki NZ
  • Zenbu
  • archives

  • ArchiveTeam
  • Critical Commons
  • Ibiblio
  • Internet Archive Community Software Collection
  • Open Archives Initiative
  • Blogroll

  • Abject
  • Access Now
  • Ars Technica
  • BadScience
  • Banjo - RoboBlog
  • Boing Boing
  • Born out of Binary
  • Centre for Media and Democracy
  • Choke Point Project
  • Copyrighteous
  • Create Digital Music
  • Creative Commons International
  • Cryptogon
  • Digital Standards Organisations
  • Disinfo
  • E-Democracy
  • Electronic Privacy Information Center
  • Ever Vigilant
  • Freedom Box Foundation
  • Freedom of the Press Foundation
  • Gaming On Linux
  • Global Indymedia
  • Gondwanaland (Mike Linksvayer)
  • Institute for the Future of the Book
  • Institute of Network Cultures
  • Internet Governance Project
  • InternetNZ
  • Island Bay World Service
  • Iterating Towards Openness
  • Knowledge Ecology International
  • LinkedListCorruption
  • Linuxed - Exploring Linux Distros
  • Localise
  • Moved by Freedom - Powered By Standards
  • Nanowares
  • New Zealand Māori Internet Society
  • Nicky Hagar
  • No Right Turn
  • NZ Council for Civil Liberties
  • NZCommons
  • O'Reilly Radar
  • OASIS
  • OERu Technology Blog
  • Open Educational Resources Foundation
  • Open Knowledge Foundation
  • Open Rights Group
  • Open Social Web
  • Open Source Conscious Intelligence Network
  • Open Source Food
  • Open Stand
  • Open Ur Eyes
  • OpenCollective
  • OpenDotDotDot
  • OpenSource.com
  • Permaculture in NZ
  • Plumi
  • Public Interest Journalism Foundation
  • Punk Rock Permaculture
  • Question Copyright
  • Replicant (OS)
  • Rob Meyers
  • Schneier on Security
  • Scoop
  • Shareable
  • Slashdot
  • Software Freedom Law Centre
  • Software in the Public Interest
  • SourceMap
  • Sustento Institute
  • Tech Liberty
  • TechRights
  • The Tin Hat
  • Tinkering Down Under
  • TorrentFreak
  • TransitionMovement
  • Translation Project
  • Trisquel GNU/ Linux
  • United Diversity
  • Waatea News
  • We Speak for Freedom
  • Why Your Boss is Programmed To Be a Dictator
  • code bank

  • Allura
  • BitBucket
  • FusionForge
  • GITHub
  • GITLab
  • Gogs
  • Internet Archive Community Software Collection
  • LaunchPad
  • NotABug
  • Savannah
  • Software Freedom Conservancy
  • Software Heritage
  • Sourceforge
  • community economics

  • Commons Transition
  • Fruit Tree Planting Foundation
  • In Our Back Yards
  • Institute for Local Self-Reliance
  • Libre-Living
  • Living Economies
  • Sensorica
  • Sustainable Economy Law Centre
  • Timebank Aotearoa
  • TransitionMovement
  • cooperative

  • Loomio
  • Snowdrift Coop
  • crowdfunding

  • ArtistShare
  • BountySource
  • Causes
  • CauseVox
  • Crowdfunder
  • Crowdjustice
  • Crowdrise
  • Crowdsupply
  • Flattr
  • Fundit.buzz
  • GiveaLittle
  • Goteo
  • In Our Back Yards
  • KickStarter
  • KissKissBankBank
  • Liberapay
  • Mighty Cause
  • OpenGift
  • Patreon
  • PledgeMe
  • PledgeMusic
  • Pozible
  • Snowdrift Coop
  • StartSomeGood
  • Taproot Foundation
  • The Working World
  • Tidelift
  • Events

  • IndieWebCamp
  • free code

  • April
  • Black Duck Open Hub
  • DistroWatch
  • Ever Vigilant
  • F-Droid
  • Free Software Directory (GNU FDL 1.3 or later)
  • Free Software Support Network
  • Free Software Support Network
  • Free Your Android
  • FreshCode
  • Gogs
  • Gun.io
  • Internet Archive Community Software Collection
  • LILA
  • LinuxTracker
  • NotABug
  • OERu Technology Blog
  • Peers Community
  • Plumi
  • PublicLab
  • Replicant (OS)
  • Software Heritage
  • Urchn Studios
  • Free Media

  • Communes Collective
  • Copyrighteous
  • Create Digital Music
  • Definition of Free Cultural Works
  • Dyne Foundation
  • FLOSSManuals
  • Free Culture Foundation
  • Ibiblio
  • Librivox
  • LILA
  • Open Video Conference
  • Show Me Do
  • Translation Project
  • Urchn Studios
  • WikiLeaks
  • freelancing

  • BountySource
  • Gun.io
  • independent media

  • Aotearoa Indymedia
  • BallaNZ
  • EngageMedia
  • Freedom of the Press Foundation
  • LILA
  • Matrix FM
  • Pacific Media Centre
  • Public Interest Journalism Foundation
  • Radio Chomsky
  • Radio Heritage Foundation
  • Uncensored Magazine
  • Waatea News
  • libre gaming

  • Gaming On Linux
  • Makers

  • GreenStage
  • Libre-Living
  • Mediamatic
  • NZ Makers
  • NZ Makers Map
  • Open ROV
  • Renewable PCs
  • Rob Meyers
  • Sensorica
  • maps

  • GeoForAll
  • GeoNames
  • Green Map System
  • Map Tools
  • Open Geospatial Foundation
  • Open Street Map
  • open governance

  • Crowdfunding
  • D-Cent
  • Deep Democracy Institute International
  • E-Democracy
  • Fight for the Future
  • Holacracy
  • Internet Governance Project
  • Kettering Foundation
  • Knowledge Sharing Toolkit (CC-BY-SA 3.0)
  • Open Government Ninjas of NZ
  • Open Policy Network
  • Open Space World (CC-BY-SA 2.5)
  • Open Stand
  • Open Standards NZ
  • Participedia
  • Sunlight Foundation
  • Transition Towns Aotearoa/ NZ
  • What If
  • WikiLeaks
  • open hardware

  • H-Node
  • Makey Makey
  • Meeblip Open Source Bass Synth
  • Open Hardware Summit
  • Open ROV
  • Open Source Hardware Association
  • Orgs

  • Access Now
  • Apache Foundation
  • April
  • Autistici/Inventati
  • Collaborative Knowledge Foundation
  • Commons Transition
  • Communes Collective
  • Computer Professionals for Social Responsibility
  • Creative Commons Aotearoa/ NZ
  • Creative Freedom Foundation
  • Critical Commons
  • D-Cent
  • Deep Democracy Institute International
  • Digital Due Process coalition
  • Digital Freedom Foundation
  • Digital Standards Organisations
  • DigitalNZ
  • Dyne Foundation
  • E-Democracy
  • Electronic Frontiers Foundation
  • Electronic Privacy Information Center
  • Fair Tracing Project
  • Fight for the Future
  • Foundation for Peer-to-Peer Alternatives
  • Free Culture Foundation
  • Free Network Foundation
  • Free Software Foundation
  • Free Software Support Network
  • Free Software Support Network
  • Freedom of the Press Foundation
  • Guifi
  • Ibiblio
  • Identity Commons
  • Institute for Local Self-Reliance
  • Internet Engineering Taskforce
  • Internet Governance Project
  • ISA Commons
  • Kettering Foundation
  • LEAP Encryption Access Project
  • LILA
  • Living Economies
  • Loomio
  • May First/ People Link
  • Mediamatic
  • NZ Māori Internet Society
  • NZ Open Source Awards
  • Open Architecture Network
  • Open Archives Initiative
  • Open Geospatial Foundation
  • Open Policy Network
  • Open Source Hardware Association
  • Open Source Society of NZ
  • Open Web Foundation
  • OpenADR Alliance
  • OpenCorporates
  • Outreachy
  • Participatory Culture Foundation
  • Peers Community
  • Permaculture in NZ
  • Privacy International
  • Public Citizen
  • Public Interest Journalism Foundation
  • Public Knowledge
  • Public Patent Foundation
  • Question Copyright
  • Radio Heritage Foundation
  • ReDecentralize
  • Reform Government Surveillance
  • Regulation
  • Rhizome
  • RiseUp
  • Science Commons
  • Software Carpentry Foundation
  • Software Freedom Conservancy
  • Sunlight Foundation
  • Sustainable Economy Law Centre
  • Taproot Foundation
  • Transition Towns Aotearoa/ NZ
  • Waikato Linux Users Group
  • Wiki NZ
  • World Wide Web Consortium (WC3)
  • Xiph.org
  • XMPP Standards Foundation
  • Peer2Peer

  • BitCoin
  • FreeCoin
  • Permaculture

  • Appropedia (CC-BY-SA 3.0)
  • Fruit Tree Planting Foundation
  • Future Scenarios
  • OrganicDesign
  • Permaculture in NZ
  • TransitionMovement
  • We Speak for Freedom
  • Privacy

  • Access Now
  • Digital Due Process coalition
  • Ever Vigilant
  • Fight for the Future
  • International Principles on the Application of Human Rights to Communications Surveillance
  • LEAP Encryption Access Project
  • OASIS
  • Privacy International
  • Reform Government Surveillance
  • What If
  • protocols and licensing

  • Definition of Free Cultural Works
  • Digital Standards Organisations
  • Greenlots
  • ISA Commons
  • Open Archives Initiative
  • Open Stand
  • Open Standards NZ
  • Open Web Foundation
  • OpenADR Alliance
  • Regular Events

  • Libre Graphics Meeting
  • Open Hardware Summit
  • science and datasets

  • AllTrials
  • Collaborative Knowledge Foundation
  • DigitalNZ
  • Fair Tracing Project
  • ISA Commons
  • Open Geospatial Foundation
  • Open Hand Project
  • SourceMap
  • Wiki NZ
  • Zooniverse
  • Tools

  • Autistici/Inventati
  • BitCoin
  • Black Duck Open Hub
  • CoActivate
  • Crowdfunding
  • DistroWatch
  • Dyne Foundation
  • F-Droid
  • FLOSSManuals
  • Fork the Cookbook
  • FreeCoin
  • GITHub
  • GNU Operating System
  • GreenStage
  • H-Node
  • How To Escape the GoogleMax Panopticon
  • Knowledge Sharing Toolkit (CC-BY-SA 3.0)
  • LEAP Encryption Access Project
  • LinuxTracker
  • Loomio
  • Map Tools
  • May First/ People Link
  • Meeblip Open Source Bass Synth
  • Monolith
  • Open Hand Project
  • Open Source Ecology
  • Open Space World (CC-BY-SA 2.5)
  • Open Street Map
  • OpenCorporates
  • OpenMailBox
  • Participatory Culture Foundation
  • Plumi
  • Renewable PCs
  • Replicant (OS)
  • RiseUp
  • Savannah
  • Show Me Do
  • Sourceforge
  • SourceMap
  • TransforMap
  • Translation Project
  • Web Platform
  • Zenbu
  • Transition

  • Green Map System
  • Health After Oil
  • Localise
  • OrganicDesign
  • Wiki

  • Appropedia (CC-BY-SA 3.0)
  • Foundation for Peer-to-Peer Alternatives
  • Instructables
  • LibrePlanet
  • Open (Government) NZ
  • Participedia
  • SourceWatch
  • WikiEducator
  • wireless mesh

  • Guifi
  • workplace democracy

  • Enspiral
  • The Working World