What might government regulation of infosec look like?

“Terrible” is the most likely answer. But let’s assume we’re talking about regulation that is effective and sound (from both a technical and civil liberties perspective).

On Sunday’s episode of This Week in Tech, the panel discussed the possibility of government regulation of internet security. I’m not fully convinced that any regulation is necessary, but the case for some form of consumer protection grows with every breach. And I don’t think it likely that companies will self-regulate.

So as neither a policy nor technical security expert, what sort of plan would I draw up?

Good infosec regulation

Any workable laws or regulations would have to be defense-oriented. It may sound like victim-blaming, but I don’t see any other path. Companies must meet some minimum standard of protection or face non-trivial fines in the event of a breach. But if a breach occurs and the company met the standard, I would not punish them. Even the best organization is going to get compromised in some way at some point.

In an ideal scenario, the punishment would instead be on the bad actor. The international nature of the Internet makes that a near impossibility. And given that a company is acting with some degree of public trust, I don’t find it unjust to demand a certain level of security compliance.

In order to avoid a heavy administrative burden, I wouldn’t require external audits (at least not for companies below a certain size). It could be something as simple as “document the security plan and show that you’ve kept to it”. The plan would have some number of required elements (e.g. customer passwords aren’t stored in plaintext) and a further list of suggested elements maintained by an expert body. So long as your plan isn’t garishly incompetent and you stick to it, you’re in the clear from a government punishment perspective.

Of course, certain systems would still be subject to heavier burden. I wouldn’t do away with HIPAA or PCI in favor of this new model. But you can see how less-sensitive services would be nudged toward better consumer protection.

Bad infosec regulation

So what wouldn’t I include? I certainly would not require any encryption backdoor (I might even prohibit it) or prohibit users’ use of encryption. That’s an obvious choice in light of the civil liberty requirement.

I also would not include any specific technology or process in the law/regulation itself. The technology landscape is too dynamic and diverse for that to be effective. The best we can hope for is to set broader principles that need updating on the order of years.

The reality of regulation

I don’t see any meaningful regulation happening in the near future. For one, it’s a very difficult problem to solve from both a technical and a policy perspective. More importantly, it could be politically hot, and we all know how pleasant the current environment in Washington is.

At most, we may see a few laws, probably bad, that nibble around the edges. But as the digital age continues to change society as we’ve known it, the law must catch up somehow.

Twitter’s public roadmap: I’ll believe it when I see it

Full disclosure: I own a small number of shares in Twitter.

Trello is a very important tool in my workflow, so I read their blog for tips and news. I started reading a recent post by Leah Rider and everything was fine until I saw this:

As one of the most dialed-in companies to the pulse of the people, Twitter…

I’m sorry, what? Twitter is notoriously bad at knowing what people want, be they users (an edit button and less harassment), developers (the ability to develop apps), or investors (I’d settle for breaking even at this point). Twitter may be where the pulse of the people is expressed, but that doesn’t mean the company has a clue.

The post goes on to say

Through a simple public Trello board, Twitter is redefining their relationship with the developer community and setting a precedent for other platforms.

If Twitter wants to define a relationship with the developer community, they could start by having one. The only reason I maintain a Twitter client is because Twitter drove away the original developer. Twitter’s rise was due in part to the ecosystem of great (and not-so-great) third-party applications. Twitter was a platform that people could build off of.

That’s no longer the case. Many features are not available via the API. Polls and GIF searches are two that come right to mind. It takes more than a public Trello board to have a community. And the Trello board isn’t even impressive. It is publicly visible, but not editable. What’s worse, the last update was almost a month ago. The last activity before that was over two months ago.

So if Twitter is ready to develop a robust third-party app ecosystem again, that’s great. It can only benefit the platform. But you’ll forgive me if I wait to see some evidence before I believe it.

Do you have an expectation of privacy from the Geek Squad?

In May, a federal judge excluded evidence from a child pornography case because the search warrant was based on impermissible evidence. Setting aside the abhorrent nature of the alleged crime, I think this was the right decision. While the accused did surrender his laptop to Best Buy’s Geek Squad technicians, that doesn’t give the techs carte blanche to search for incriminating material.

It’s not as if the images were in a folder called “Here’s my kiddie porn!” on the accused’s desktop. They were apparently deleted files recovered from the unallocated part of the disk drive. Now it’s entirely possible that they were the accused’s files that he had deleted. It’s also possible that they were from a browser cache after clicking on a risky link. Or that they were from the previous owner of the hard drive (if there was one). As the judge noted, there’s no clear possession.

Furthermore, because the Geek Squad technicians were acting as agents of the government, the standards are a little higher. The fact that the FBI, when applying for the search warrant that led to the discovery of more illegal material at the accused’s house, omitted key facts did not help.

On This Week in Law (episode 387), one of the panelists (I believe it was Matt Curtis) said reasonable people can disagree, but he doesn’t think there’s a reasonable expectation of privacy when you give your property to a third party. I agree, but it all comes down to the definition of “reasonable”. Unless specifically requested, I don’t see that a reasonable person would assume technicians would search inaccessible parts of the hard drive. After all, he sent in the laptop for repair because it wasn’t working, not to recover data.

The digital era changes the framework for how we consider privacy, both culturally and legally. Nevertheless, the Fourth Amendment provides a key safeguard to the liberty we hold dear. It should be difficult to prosecute someone for a crime, even when that crime is despicable. Particularly when the crime is despicable.

Mario Marathon 2017

That’s right! Your favorite video game charity marathon is back again! By the time this post goes live, I’ll probably be getting ready to drive down to Indianapolis and play my part. Not playing the games, of course, but reading tweets and generally interacting with the audience. I really like that part.

So, my ones of readers, I strongly encourage you to go to MarioMarathon.com, tune in, and donate if you can. As always, the money goes directly to Child’s Play Charity which provides books, toys, and video games for children in children’s hospitals around the world.

This year features a new location, and some great surprises. You won’t want to miss it.

Who gets your Facebook messages after you die?

Last month, a court in Germany ruled that Facebook should not be compelled to give access to the account of a teenager who died to her parents. The girl died after being struck by a train. Her parents, trying to determine if it was a suicide, wanted to look for evidence that she had been bullied. The initial court ruled in favor of the girl’s parents, but Facebook prevailed on appeal.

This is an excellent example of the “hard cases make bad law” adage, though I think the court arrived at the right decision here. The girl’s parents argued that it was the digital equivalent of a diary, which is an inheritable item. I understand their argument. As a parent myself, I don’t doubt that I would make the same argument were I in their case. But I think the appeals court made the right decision here, although it took some thought to get to that.

It’s more than just a diary

The “it’s the same as a diary” argument makes sense only if you intentionally exclude the ways it’s not. Yes, people use Facebook to share personal musings and reflections the same way they might in a diary or journal. However, Facebook (and other social media) have an interactivity that a diary does not.

This goes beyond the fact that others may leave comments on posts. The owner of an account is not necessarily the originator of the content within the account. What I mean by that is that the messages may be initiated by someone else. Granting account access to the girl’s parents is not really about protecting her privacy, it’s about protecting the privacy of those she has communicated with.

But that’s the point, right?

The girl’s parents wanted to find evidence of bullying. Why should the privacy of the bullies be protected (in the very narrow context of their messages to the girl)? Because they’re probably not the only people who sent the girl messages. What if another friend had confided in the girl about personal matters? What right do the girl’s parents have to that communication? None, of course.

I have a hard time justifying why the girl’s account should be made available to anyone given the risk of harm to innocent third parties. If the situation were different – if the police or prosecutor were to ask for specific searches as part of a case – that would be more reasonable, in my opinion. In that case, the structure and process of the investigation would minimize the harm of disclosure.

This is a hard problem

In the pre-digital age, it was less complicated. Conversations that didn’t happen face-to-face (or on the telephone) probably happened via letter. Any letters that were not destroyed became part of the estate. Some heirs probably destroyed them, others not. And though there are many threats to privacy these days, the electronic age has made possible a form of privacy that was hitherto unknown.

I’m certainly in favor of people being able to explicitly opt in to allowing someone to inherit their accounts. And not all accounts are created equal. When I die, I’d like to think someone would keep my meager website around in order to provide a legacy of sorts. But I’d also like to think that my death won’t result in the correspondence my friends have sent me in confidence. It’s not my privacy I want to protect after I die, it’s the privacy of my friends.

Book review: Startup

The best books are the ones that leave you mad that they’re over too soon. Doree Shafrir’s Startup did just that. Startup focuses on the rise and potential fall of a fake-but-plausible New York City tech startup, and the people involved. Were it not for the unresolved ending, this could easily be seen as a documentary work.

The journalistic feel makes sense, since Shafrir’s day job is as a technology journalist. But instead of giving the book a sense of dryness, it has the feel of a well-crafted story. The characters are fully-developed human beings, but there are no extraneous details.

The plot isn’t immediately evident. I was probably about halfway through before I was convinced that I knew the general direction it was taking. But it didn’t matter because I had long ago committed to following the story wherever Shafrir decided to lead me.

Some will undoubtedly criticize the book for its “social justice warrior” undertones (or overtones in a few places). They’re certainly right that it has those, but that’s only because the industry has so many injustices. None of the characters exist to advance an agenda. Some of them are certainly more likeable than others, but they’re all real people with real complexities.

I would love to see a sequel that follows the story through to “completion”, but I suspect it remains better left unresolved. At any rate, I hope Doree Shafrir continues to write fiction.

My friend Emily Chapman recommended this book in her “Shit from the Internet” newsletter. I’m glad she did, and encourage you to subscribe.

The free market will never fix technology policy issues

Over the weekend, I was listening to “This Week in Law” episode 384 as I mowed the front yard. The panel was talking about the public relations fiasco that Unrollme experienced after reports surfaced that they sold user data to Uber. The conversation revolved around the terms of service for free services and how users can protect themselves and their data. Host Denise Howell asked if the free market could address the issue instead of requiring government intervention (e.g. by Federal Trade Commission regulations).

My first thought was “no”, but after giving it further consideration, it’s a more developed “no”. Here’s the thing:

The free market will never fix technology policy issues.

And why is that? An effective free market solution requires informed consumers. But consumers are not informed when it comes to technology services. As one of the panelists mentioned, it would take 76 work days per year to keep up with the privacy policies for the average user. That’s entirely untenable, and it’s probably gotten worse since that article was published five years ago.

One possible solution is a standard TL;DR (too long; didn’t read) format for privacy policies. This would at least allow users to “read” policies in something approaching a reasonable time. I’m not convinced that the industry could develop and widely adopt such a standard. It would probably take at least some degree of nudging from the FTC or other regulatory body. In all likelihood, it would probably be more like the FDA’s requirements for nutrition labels.

But let’s assume that a privacy TL;DR standard developed and gained wide adoption without government intervention. It still doesn’t fix the problem. Access to information is not sufficient. Being informed also requires having the sophistication to process the information. Does the average user have the necessary knowledge to understand the implications of the privacy policy?

So a basic premise of a free market solution does not apply. But there’s another issue, too: competition. For services like Unrollme, it’s relatively easy for new competitors to spring up. If Unrollme does unsavory things with data, users can switch. That’s less the case with services like Facebook where the whole point is to be in the same place as your friends. Ask the Google+ team how easy it is to be an effective competitor against Facebook. Where there’s a network effect, there’s an effective lack of choice. Everyone these days wants to develop a network effect because that’s how they hold on to users.

The point of all of this is to say that it will probably never be reasonable to expect market effects to prevent user-hostile terms of service. While the free (or free-ish) market may be effective in some areas, technology policy is not one of them. User protection will only happen by way of regulation or legislation.

Does anyone at Twitter use Twitter?

Full disclosure: I own a small number of shares of Twitter.

Earlier this month, Twitter announced deals to bring more live content to the platform. Bloomberg will provide an original stream 24/7 and many other sources will generate technology, news, sports, and other content. Which makes me wonder if anyone at Twitter actually uses Twitter.

There’s something to be said for telling your users what they want instead of letting them tell you. It worked well for Apple, and of course there’s the famous Henry Ford quote about a faster horse. But this doesn’t seem like a product vision so much as grasping for something that might turn around the stock price. Twitter is a great place for near real time conversations about breaking news and live events, but is it the place to watch those? I’m not convinced.

It’s worth noting that Snap is working on similar deals for Snapchat. Snap is coming off a disappointing earnings report (its first since going public) that saw a 25% drop in stock price. Snap is facing a lot of pressure from Instagram, which is adding features that look very similar to Snapchat’s with the added bonus of being a Facebook property.

Facebook has been strong in user-generated live content, but they don’t seem to be that interested in pursuing Content. Given the success of Facebook, this is either a glaring oversight or a wise decision that other social networks might want to take a lesson from.

But getting back to Twitter, I recently joined the “Twitter Insiders” community. They asked for feedback on a potential new threading feature last week. It’s basically native tweetstorms. One of the survey questions asked what I’d call such a feature. I said “Medium”.

The cloud is more than just someone else’s computer

“The cloud is just someone else’s computer” is a common phrase in tech circles. An otherwise excellent article last week on Opensource.com opened with this line: “A personal web server is ‘the cloud,’ except you own and control it as opposed to a large corporation.” Let me be unambiguous here: that’s bullshit.

The context of the “someone else’s computer” saying is generally one of data ownership. Why let someone else own your data when you can own it yourself? I’m sympathetic to that point, but it glosses over a very questionable assumption. Namely, that people have the skills and desire to run the services themselves. That may be true in the tech sector, but it’s certainly not going to be true in the population at large.

What’s even more frustrating is the comparison of a Raspberry Pi to a multi-replica distributed environment. A Raspberry Pi has no redundancy, so if a component fails, you’re out of luck until you can replace it. If your house floods, sorry about your data. Granted, you can address these issues yourself by having redundant hardware and an offsite copy, but the effort goes up dramatically with each layer of protection you build in. Maybe it’s worth the effort to you. And maybe you have the skills necessary to do it. Good for you.

It’s absolutely a good thing to make sure people are aware of the costs and benefits of any technology solution. But one of the benefits of cloud offerings is that some portion of the stack is maintained by competent professionals that can aggregate the demands of individual customers to build a pretty robust and reliable offering. You know why it’s big news when Amazon Web Services has a major outage? 1. Because it’s rare. 2. Because their services are good enough that a lot of people have said “it doesn’t make sense for us to do this ourselves.”

I liken “the cloud is just someone else’s computer” to saying “the grocery store is just someone else’s farm”.

Putting the “F” in “FCC”

Ars Technica reported earlier this month that Comcast is bringing an app to Roku. Cool! Now people who want to use their Roku instead of a set-top box for cable can do that. Here’s the trick: once it exits “beta”, Comcast will charge users an outlet fee — essentially treating it the same as an additional set-top box.

What Comcast is doing, then, is charging its customers for the privilege of watching the content they already pay for. I can understand their reasoning: it could lead to additional simultaneous viewings, which means more bandwidth. But given the cable industry’s history of unfriendliness to the consumer, I’m not inclined to be sympathetic. Furthermore, given the trend toward cord-cutting, it seems to be in the cable providers’ best interests to not alienate an increasingly disinterested customer base.

Former Federal Communications Commission (FCC) Chairman Tom Wheeler favored a rule that would require cable providers to make such an app available for free. It did not pass and the new chairman, Ajit Pai, has no interest in pursuing it. Many in the tech community worried when Wheeler came on board (he had been a cable industry lobbyist), but he turned out pretty well. Pai was a Verizon lawyer before joining the FCC in 2012, but I have less hope of him becoming a consumer advocate.

Pai opposes net neutrality, which is a philosophy that has been the foundation for the Internet. De-regulation of an oligopoly, which the ISP market unquestionably is, will spur entrenchment, not innovation. The FCC will likely become much more favorable to industry than to consumer, and that is a real disappointment.