Back from hiatus. I had wanted to simply send a note yesterday saying "Dan Hon is on holiday," but instead I can blame it on having a Human Accident, yet another entry in the ongoing series of "Stupid Things Baseline Humans Do To Injure Themselves".
Friday night, and I managed (don't laugh) to topple myself, in slow-motion and glacier-like, over the bannister on our porch as I leant over to drop the compost into the compost bin, breaking a tooth off and concussing myself. One trip to the ER and a trip to an emergency dentist, the threat of a root canal (something that apparently is nowadays significantly less scary than it actually is) and instead a temporary crown later (my teeth!) and I'm back on a plane on my way to DC to speak at the HOW Interactive Design Conference.
So: no newsletter on Friday night due to being stuck in an ER, no newsletter on Monday due to slow recuperating and it was also Labor Day in the US. Instead: newsletter today! High fives all around.
1.0 Not Doing A Nick Bilton
I'm not going to "do a Nick Bilton" and victim blame - but what I do think is worth taking is what I hope comes across as a nuanced position.
Given that a) we find it hard to gauge risk in the first place and b) that we find it even harder to gauge risk when we don't have the information (and we acknowledge that it's hard to find time to properly educate ourselves in the first place) and c) the vast majority of the "information" and understanding in the celeb-photo-hacking is in "how invisible infrastructure works", hence all the Explainers in today's media about WHAT IS THE ICLOUD (calling to mind instantly Nightvale-esque Dog Park/Glow Cloud feelings): what did we expect?
We could say that celebrities are a higher-profile target so the risk profile for them is different than your ordinary joe. On the other hand, the rise of doxxing as a vigilante technique for those wronged on the internet seems to open up the opportunity for anyone to be treated in the same way as a celebrity - as a target. So you could even look at it this way: means, motive and opportunity to try to break down where, and what, type of failings were involved in this latest hack.
Motive is perhaps the easiest one to get out of the way if we're just looking at technology and its effects on society. The targets were female celebrities, doing nothing other than living in a toxic, misogynistic environment that treated them as objects to be pawed and masturbated over - the latter brought starkly into relief in a yeah-we're-winking-and-it's-self-referential-so-it's-ok way through the usage of the #thefappening hashtag.
But means and opportunity are where it falls down, for me. For those saying "don't take nude photos of yourself, and don't store them online", I feel that, aside from victim-blaming, we're just opening up a can of worms in terms of risk assessment and how we expect people to live these days.
In other words, and as I said to a friend: we can point at one of the new wonders of the world, the most democratic communications networks that we've ever built, that is relied upon for secure financial transactions and that we trust implicitly in some regards, and we say that you shouldn't use that selfsame network for private photographs? Really? (The fair point here is that certain aspects of information are one-shot, binary all or nothing. Financial transactions are reversible and money can be returned, not so something that can't be unseen - Suw Charman-Anderson has written particularly well on this point regarding the one-shot nature of irreplaceable biometrics)
So it all comes down to trust: one of the people I was talking to last night remarked (somewhat sarcastically, I think) that the little green lock icon in a browser bar apparently means nothing these days, and they're not half wrong.
Password security doesn't even come into it in this situation, at least not if the current best-guess of a vulnerability in iCloud in its lack of rate-limiting login attempts is what happened. A better password wouldn't have helped. iCloud's login design at that particular entry point was defective. There's no other way to say it. It wasn't a bug - it was designed badly, like a bridge that was going to fail - a structural failing.
At what point as technologists are we able to allow our users to expect basic security? If it had been a zero-day, fine, if it had been heartbleed, then Apple's fault would be different. But in my position as self-appointed armchair internet pundit in the sky (I'm nothing if not aware of my mouthing off of nothing more than my own opinion), this *was* Apple's fault.
You can point to things like warranties and disclaimers and the fact that if you actually read the terms and conditions to all of these services there's not a lot you can do about it. But, as Sarah Jeong pointed out last night, "WE BUILT A SHITTY INTERNET AND YOUR ONLY CONSTRUCTIVE SUGGESTION IS SEXY PEOPLE SHOULDN'T USE IT."
So, here's a suggestion: design practices for good security to build trust with users. If users have a responsibility to be informed then at the least we have the responsibility to build systems that they can trust. And I'm not saying that we have the responsibility to build one-hundred-percent secure systems because such things are impossible to build. But what we can do is make sure that we don't make basic mistakes and show that privacy and security are important to us in the products and services that we build.
Things like: two factor auth should be available as an option. Logons at all entry points should be rate-limited. No emailing passwords in the clear. SSL, all the time.
What's potentially frustrating is that these are not brand new security or privacy principles that have suddenly been derived in the last year or so. These aren't new ideas. They should be basics.
For example, we should aim for consistency. When a user knows that their iPhone will lock if they enter the wrong password five times in a row, it is reasonable that their assumption would be that anything else tied to that account - for example, their iCloud login on a web portal - would also lock upon five logon failures in a row. Whyever not? Apple, after all, pride themselves on their hardware and software integration.
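To make the consistency point concrete, here is a sketch added for illustration (not Apple's code, and not from any real service): the failure counter is keyed to the account and sits in the one login path that every entry point has to call, so no entry point can forget to rate-limit. The entry-point names, the sample account and the 15-minute lockout are assumptions.

```python
import time

MAX_FAILURES = 5           # the five-in-a-row threshold from the text
LOCKOUT_SECONDS = 15 * 60  # assumed lockout length, not from the text

class AccountLockout:
    """Consecutive-failure counter keyed by account, never by entry point."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:  # lock expired: clean slate
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
            return
        count = self._failures[account] = self._failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS

def login(lockout, check_password, entry_point, account, password):
    """The one login path; entry_point is for logging only, never for policy."""
    if lockout.is_locked(account):
        return "locked"  # refused before the password is even checked
    ok = check_password(account, password)
    lockout.record(account, ok)
    return "ok" if ok else "denied"

def demo():
    """Constructed run: wrong guesses spread across three entry points."""
    now = [0.0]  # fake clock so the example runs instantly
    lockout = AccountLockout(clock=lambda: now[0])
    user, secret = "alice@example.test", "correct horse"  # constructed
    check = lambda acct, pw: (acct, pw) == (user, secret)
    out = [login(lockout, check, ep, user, "guess") for ep in
           ("web", "device", "api", "web", "api", "device")]
    out.append(login(lockout, check, "web", user, secret))  # still locked
    now[0] += LOCKOUT_SECONDS
    out.append(login(lockout, check, "web", user, secret))  # lock expired
    return out
```

The trade-off with a lock keyed purely to the account is that anyone who knows the account name can lock its owner out, which is why it tends to be paired with per-source throttling or growing delays rather than used alone.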
Sometimes I get a bit narrow-minded, so I idly asked on Twitter how libertarians (a vague term if there was one, and not being helpfully specific) got common infrastructure projects done, to which Danny O'Brien was kind enough to send me an email that was really, really long and really, really helpful. Now I know what it's like reading one of these, I think. In any event, at least one of the things that he did was to point out a bunch of examples where you don't need a coercive power like a government to get things done and produce things for the common good.
O'Brien reminded me about bits of pre-World War 2 infrastructure that have since become codified. Trains, canals, roads (but not motorways) and electricity standards, never mind more recent innovations like TCP/IP, keyboard layouts, the Twenty-Foot-Equivalent Unit of shipping containers, and Blu-Ray (whether or not you think they're *good* standards) have all come about through self-interested groups acting together and figuring a way to hash things out.
So yes: all of that's good, but I think what I lack in the ability to express myself in 140 characters is something like this: I'm specifically thinking about the example of compulsory purchase orders in the UK, or eminent domain in the United States - what happens when someone decides that the best place to put a road, on balance, for everyone, is right through where your house is? And this is where O'Brien helped to clarify the crux of my thinking: is it better to force everyone to behave well, or is it better to never use the power to force people to do something?
There are probably spoilers for Peter Watts' novels Blindsight and Echopraxia in this section.
I finished Peter Watts' latest, Echopraxia, shortly after it came out, doing that kind of binge-reading that author-devotees get thanks to the frustrating publisher release cycle (as in that particularly first-world problem of just not having enough *patience* to wait until something comes out). Pretty much straight after finishing Echopraxia I went on to re-read Blindsight, because the former helped me figure out the bits I liked about the latter.
Turns out the bits that I liked about Blindsight were the Big Smart/Dumb Object and its inhabitants and the idea that there can be these *things*, in much the same way that we might be thought of as Big Dumb Objects by all the flora that live on and inside us. Are we just a giant spaceship for gut bacteria? Or even for the tiny mites that live in the pores on our faces?
I felt like the consciousness stuff got a bit thin - not necessarily repetitive, but that it wasn't what I was getting the most enjoyment out of. That was for the idea of Portia, the idea of consciousness as time-sharing, that when you have just a bundle of neurons all you do is slow reality down and do all of your processing up front. Portia may well do all of that planning, but that's a hell of a lot of planning. I liked being confronted with that kind of alien and unfamiliar, and it was the same kind of deal that you got with the Primes in Peter F. Hamilton's space opera series.
It's a hard book - there's a lot going on and a lot to keep in your head, but it's not like one of Hannu Rajaniemi's Quantum Thief series or Stephenson's Anathem where there's a bunch of new language you need to figure out just to make sense of what's happening in the world. But there's also an element of waiting for the other shoe to drop - by now, we know enough of the world that Watts has painted for us that Bruks' presence isn't an accident and you're kind of sitting pretty trying to figure out why everyone's so eager to keep a baseline pet on board.