January 20, 2017


One of this week's entertainments was the story of venture capitalist Ryan Negri, who set off with his family in his keyless-entry Tesla S for a snow-finding drive through the desert. Absent a cell signal, when he stopped the car to make some adjustments to his children's seats, he couldn't start the car back up again. So let's understand the super-convenience of this: to unlock the car door and start the engine, his phone has to send a request to Tesla, which then unlocks the car for him. It reminds me of an old Usenet signature that used to ask whether your message was really worth all the computing time and energy expended by the servers you sent it through.

One of the biggest digital class differences may be the difference between those who assume that they are always connected, and those who assume that they may be abruptly shunted offline at any given moment. The former trust they can always edit and read their webmail and get driving directions from their phone. The latter suspiciously download everything for offline access, buy paper maps, emergency flares, and a spare tire, and carry cash - oh, the horror! - in case of emergencies.

There are a number of ways to patch Negri's problem, of course. Tesla could embed Bluetooth or NFC (near-field communication) so phone and car can talk to each other directly. Negri has apparently decided to always carry the key, at which point you figure you might as well just always *use* the key, maybe keeping the app for backup in case you lose it. But these do not change the fundamental problem, which is that many modern "conveniences" are being designed by people whose experience of the world is so limited that they can assume that everything works at all times. They should be - but aren't - reading Peter G. Neumann's RISKS Forum.

What interested me more in this story - aside from the sheer pointlessness of using all this technology and energy to solve a ridiculous non-problem - is that it is another example of a personal transaction into which a technology company has successfully inserted itself. In the mid 1990s, when all the talk was of how the internet was going to "disintermediate" everything, I recall predicting that instead we would get a new set of intermediaries.

You could argue that both predictions were right. A newspaper like The Guardian can distribute itself directly to readers as well as through the more traditional wholesale-distributor-retailer route. Its more successful columnists can also communicate directly with their readers and eliminate the newspaper-as-middle-man-slash-gatekeeper-slash-employer. But, as any privacy advocate will tell you, this situation has been thoroughly colonized by new intermediaries, whose myriad trackers and algorithms collect and swap masses of data about who you are and what you're interested in, mostly in the interests of feeding you advertising. At The Verge, veteran journalist Walt Mossberg explains that quality news sites lose out here, too, as they are only of interest to these intermediaries as a way to find cheaper places to advertise to you (story found via Charles Arthur's invaluable The Overspill).

A couple of weeks ago, at The Long and Short, Brett Scott made a similar point about the war on cash, an issue we revisit here with similar views every spring during the Tomorrow's Transactions Forum. The way cash replacement is presently practiced means that anything that used to be a private transaction - I hand the shop around the corner some coins and they let me walk out with some groceries - perforce becomes one involving at least three parties. This process has been accelerating for so long that few of us even see it as the addition of an intermediary.

This process of reintermediation is everywhere you look: in our friendships (Facebook, other social media); our news (Twitter), navigation (Google), and so on. When it benefits them, these companies show us bigger horizons than we ever had before they existed; but eventually growth makes those horizons unwieldy, and they begin making decisions for us that narrow them again.

At a panel organized this week by ORG Cambridge to follow a screening of Oliver Stone's movie Snowden, an audience member asked this question: How can we get people to care about the issues Snowden's revelations raised? We, the panelists, had lamentably few ideas beyond continuing to try to make the case, particularly to vulnerable groups who really do have skin in this game. But so much of this reintermediation is about convenience and deliberately obfuscating the intermediary's existence and interests. So the answer I didn't give is this: I'd start by making the intermediaries visible. Maybe the receipt you're issued for point-of-sale transactions should include a list of all the parties involved; instead of those stupid cookie banners, perhaps a list of all the trackers and data collectors that populate even the most apparently innocuous of library sites. I know: alert fatigue. And these intermediaries aren't, though they may aid, government spying. But it would be a start.

As for the movie: skip it and instead see the less-intermediated CitizenFour.

Illustrations: Tesla Model S, Peter G. Neumann.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

January 13, 2017

The long tail of the bit bucket

Because I've been writing about the internet for a long time, I have a trail of partially used email addresses following me around. One of the most prominent of these is, which dates to 1993, when I wrote one of the very first articles published in Britain about how to use the internet. This week, I discovered that Demon has been rejecting my password, for how long I'm not sure. Since 1993, however, Demon has been sold several times, and the last person I knew to call who worked there left at least five years ago. The last time this happened, I was told it would never happen again, but that was at least one owner ago, and who knows what code someone tweaked? Wikipedia provides the likely explanation, that the Demon Internet service was wound down last year to migrate customers to Vodafone products. I had, because of that previous experience, migrated the important things that still used one of those addresses to the domain I started using in 2003, but now it was clearly time to migrate the rest. Pause to mourn the passing of one of the UK Internet's most significant early ISPs.

It took most of a day. And yet: I recommend it as an exercise. Most people, granted, don't have all these old email addresses. But I bet most people do have old accounts they've forgotten about or have at least a few sites they signed up for with addresses they've forgotten about. I found accounts so old they had *dictionary words* as passwords because in 1995, when they were created, we weren't all so worried about that. Changing those was probably worth the time the whole thing took.

Sites vary enormously in how they process these requests. The good ones - however inconvenient it may be - ask for confirmation of the change. Facebook, for example, sent a confirmation email with a one-time code I had to type in to confirm the newly added up-to-date email address. Once that was done, it was simple to set that as the primary address and delete the other. Ideally, for really good security, you'd want a confirmation sent to the old email address, but there's an obvious problem with that. At the other end of the spectrum, the UK railway ticket seller TheTrainline was happy to change both email and password in one pass, and if they sent a confirmation email I didn't see it. In many cases, I found that I had actually changed the email address back in 2012. At a few sites, changes failed for reasons I couldn't determine.

But email archives are only a partial guide. Probably every web user of more than a few years' standing has accounts they've forgotten about: media sites that require logins just to read one article; retail sites that require an account for a single purchase, or sometimes even just to find out the delivery charge. I would never see email from these accounts because I typically used an address directed straight to the spam bucket. When I eventually thought to look at one of the internet's older media sites, for example, I discovered I'd given it an AOL address, which should tell you something about how long ago I created it. And herein lies one advantage of a standard password for sites you don't care about: you can successfully guess it. So now: do I want the New York Times to have a functioning email address for me, or do I want all the tracking they do of what I read to be diverted to a decoy?

And then I remembered there are all those old press directories...and...

The point about this very boring task is that except in unusual circumstances most of us never bother to audit the many dozens of accounts we accrue. Most discussions of online privacy focus on the major players who amass vast quantities of detail about all of us, but few of us think about the long tail of our data exhaust that's made up of forgotten, aging bits and pieces. My guess is that there is plenty of revelatory, though possibly misleading, information there for anyone who cared to assemble it. Worse, the older it is the more likely it is to date to a more innocent moment when we knew less about how intently we were being watched.

Under the data protection laws - which will continue to apply in the UK for the most pragmatic of reasons no matter what the country's EU membership status is - we have the right to delete or view the data that's held about us. Probably more of us should use these rights - but the first requirement is knowing what accounts we have and who, after mergers, bankruptcies, and acquisitions, owns the data now. Have I Been Pwned? can help identify forgotten accounts if they've been hacked (using it reminded me of several more languishing examples). But if you've lost access to the associated email address and can't remember the password you may not be able to do much more than make a note that once upon a time, in a universe far, far away, you briefly flirted with MySpace.

Illustrations: Balloon shadow (source: Wikimedia Commons, public domain); Demon Internet logo.
