December 31, 2021

That was the year that wasn't

"It's not the despair," John Cleese's character in Clockwise moans as he lies by the side of the road, frustrated. "I can handle the despair. It's the *hope*."

Two years ago at this time, we were seeing the first reports of a virus we hoped would not affect us. Last year at this time, after much grief and isolation, there was hope: vaccines! This year, many of us are vaccinated and we have some new treatments for this virus - but we are nonetheless facing a surge of a variant so contagious that normally-unflappable scientists sound frightened and holes are appearing in services we take for granted because so many people are either sick or isolating.

The result is that two years on we have vastly better tools and yet it feels like we've gotten nowhere after a fall when many had begun to believe it was nearly over. Last week, the Guardian reports, 4% of the UK population had covid. In the US officially there were 344,000 new cases; it's hard to assess that figure's accuracy given the fragmented patchwork of US health care.

Yet we hope as we hoped last year: that this time *next* year, thanks to moves like the patent-free release and technology transfer of a new vaccine from Texas Children's Hospital, maybe the world will be far more widely vaccinated and maybe we'll be starting to see the end of this thing. (A someday child in history class reading this knowing what happened next may laugh...)


The computers, freedom, and privacy story for 2021 has had a lot of similarities with the covid story. We have much better tools, in the form of a US Federal Trade Commission led by noted antitrust reformer Lina Khan; the EU's power to issue fines over violations of the General Data Protection Regulation that are large enough to feature in companies' annual reports; sites like The Markup that are producing clever, technically-informed journalism that imposes transparency on companies in ways they don't like; and hosts of disaffected employees within those companies who are unionizing, leaking documents, and .

And yet, so far nothing has really changed in any structural way. We've had surface tweaks. Twitter has banned posting people's pictures without their consent. Facebook's Oversight Board began operations, appearing to be composed of good people who don't want to be used as plausible diversions but are limited in their power to effect change.

All of that is on top of the story you could tell most years: governments are increasingly pushing for censorship of various kinds. Outages that should have been contained to single companies turned out to have knock-on effects all over the place. And the biggest companies - especially but not only Facebook - are seeing an increasing drumbeat pushing toward regulation, taxation, reformed and increased antitrust enforcement. Worse (from their point of view), their own employees are increasingly leaking documents and telling the world that some of our worst paranoid fantasies about how they operate are true.

So far, the only concrete punishment has been large fines relating to violations of either privacy law or competition law. In September, the EU fined WhatsApp $267 million for a lack of transparency about how it shares user data with other Meta subsidiaries such as Facebook. In November, Google lost its appeal against the EU's 2017 eyewatering fine of $2.8 billion over illegally favoring its own sites in shopping recommendations. In July, Amazon's annual report revealed an EU fine of $877 million relating to cookie consent. In November, Italy fined Amazon ($77.4 million) and Apple ($151.3 million) for antitrust violations.

However, a new development: Russia has issued revenue-based fines against Google ($100 million) and Facebook ($27 million) for failing to remove banned content - chiefly apps, sites, posts, and videos relating to jailed opposition leader Alexei Navalny and his allegations of corruption at the top of Russian government. We've seen government censorship many times before; a fine this big seems to mark a new escalation.

This may be only the beginning; the UK's proposed Online Safety bill includes a provision for fines of up to £18 million or 10% of global turnover. Other new rules may be coming.

As we start 2022, the entertainment industry - or at least Snoop Dogg and Paris Hilton - appears to be colonizing the "metaverse", which still sounds to me like any of a dozen things we have already. Second Life, or any of a number of game worlds.

Similarly, I can't see non-fungible tokens as the revolutionary concept some people seem to believe, at least as they have been used to date. I believe that with very few exceptions they will not improve the economic lot of starving artists. Based on personal experience on the commercially-scorned folk scene, what matters is building and keeping an audience. I do not see how NFTs will help you do that.

But, as finance futurist Dave Birch pointed out in 2020, digital currencies are being explored by serious people such as the Bank of England and central banks in China, Mexico, India, and many more. That is going to matter.

Happy new year.

Illustrations: Etsy seller DoubleECreations' 2021 dumpster fire Christmas ornaments

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

December 24, 2021


Web3, the push to decentralize the net, got a lot more attention this week after the venture capital firm Andreessen Horowitz published guidance for policy makers - while British software engineer Stephen Diehl blogged, calling web3 "bullshit", a "vapid marketing campaign", and a "rhetorical trick" (thanks to Mike Nelson for the pointer).

Here, a month ago, we tried to tease out some of the hard problems web3 is up against. Diehl attacks the technical basis, citing the costs of the computation and bandwidth necessary to run a censorship-proof blockchain network, plus the difficulty of storage, as in "who owns the data?". In other words, web3, as he understands it, won't scale.

Meanwhile, on Twitter, commenters have highlighted Andreessen Horowitz's introductory words, "We are radically optimistic about the potential of web3 to restore trust in institutions and expand access to opportunity." If, the argument goes, venture capitalists are excited about web3 that's a clear indicator that they expect to reap the spoils. Which implies an eventual outcome favoring giant corporate interests.

The thing that modern venture capitalists always seek with (due) diligence is scale. Scale means you can make more of something without incurring (much) additional cost. Scale meant Instagram could build a business Facebook would buy for $1 billion with only 13 employees. Venture capitalists want the hockey stick.

Unsurprisingly, given the venture capital appeal, the Internet is full of things that scale - social media sites, streaming services, software, other forms of digital content distribution, and so on. Yet many of the hard problems we struggle to solve are conflicts between scale and all the things on the Internet that *don't* scale. Easy non-Internet example: viruses scale, nurses don't. Or, more nettishly, facial recognition scales; makeup artists don't. And so on.

An obvious and contentious Internet example: content moderation. Even after AI has automatically removed the obvious abuses, edge cases rapidly escalate beyond the resources most companies are willing to throw at it. In his book Social Warming, Charles Arthur suggests capping the size of social networks, an idea echoed recently by Lawfare editor Ben Wittes in an episode of In Lieu of Fun, who commented that sites shouldn't be allowed to grow larger than they can "moderate well". It's hard to think of a social media site that hasn't. It's also hard to understand how such a cap would work without frustrating everyone. If you're user number cap+1, do you have to persuade all your friends to join a less-populated network so you can be together?

More broadly - a recurrent theme - community on the Internet does not scale. In every form of online community back to bulletin board systems and Usenet, increasing size always brings abuse. In addition, over and over online forums show the power law distribution of posters: a small handful do most of the talking, followed by a long tail of occasional contributors and a vast majority of lurkers. The loudest and most persistent voices set the tone, get the attention, and reap the profits, if there are any to be had.

The problem of scaling content moderation applies more generally to online governance. As societies grow, become more complex, and struggle with abuse, turning governance over to paid professionals seems to be the near-universal solution.

Another thing that doesn't scale: discovery, as Benedict Evans recently pointed out in a discussion of email newsletters and Substack.

One of the marvels of 2021 has been the reinvention of emailed newsletters as a paying proposition. Of course, plenty of people were making *some* money from such things way back even before email. But this year has taken it to a new level. People are signing six-figure deals with Substack and giving up ordinary journalism gigs and book deals to do it.

Evans points out that in newsletters, as in previous Internet phenomena - podcasts, web pages (hence search engines), and ecommerce (hence aggregation) - the first people who show up in an empty space with good stuff people want do really well. We don't hear so much any more about first-mover advantage, but it often still applies.

Non-fungible tokens (NFTs) may be the latest example. A few very big paydays are drawing all sorts of people into the field. Some will profit, but many more will not. Meanwhile, scams and copyright and other issues are proliferating. Even if regulation eventually makes participation safer, the problem will remain: people have limited resources to spend on such things, and the field will be increasingly crowded.

So, too, Substacks and newsletters: there are not only limits to how many subscriptions people can afford, but also to how many things they have time to read. In a crowded field, discovery is everything.

Individuals' attention spans and financial resources do not scale. The latter is one reason the pay-with-data model has been so successful on the web; the former is part of why people will sacrifice privacy and participatory governance in favor of convenience.

So, our partial list of things that do not scale: content moderation, community, discovery, governance. Maybe also security to some extent. In general: anything that requires human labor to be added proportionately to its expansion. Incorporating solutions to problems of scale will matter if we're going to have a different outcome from web3 than from previous iterations.

Illustrations: A hockey stick.

December 17, 2021

Dependencies at scale

It's the complexity that's going to get us. (We're talking cyber system failures, not covid!)

In the 1990s and early 2000s Internet pundits used to have a fun game: what was going to kill the Internet? Or, what was going to kill the Internet *next*? The arrival of the web, which brought a much larger user base and comparatively data-hungry graphics (comparatively as in text; obviously much worse was to come), nearly did it for a bit, which is why a lot of us called it the "World Wide Wait".

Here's one example, a net.wars from 2002, based on a panel from the 1998 Computers, Freedom, and Privacy conference: 50 ways to crash the net. The then-recent crisis that had suggested the panel was a denial-of-service attack on the core 13 routers that form the heart of the domain name system. But also: the idea was partly suggested by a Wired article by Simson Garfinkel about how to crash the Internet, based on both the router incident and another in which a construction crew in Virginia sliced through a crucial fiber optic cable. As early as that, Garfinkel blamed centralization and corporatization; the "Internet" that was built to withstand a bomb outage was the old military Internet, not the commercial one built on its bones.

But that's not what's going to get us. People learn! People fix things! In fact, experts tell me, the engineering that underlies the Internet is nothing like it was even ten years ago. "The Internet" as an engineer would talk about it is remarkably solid and robust. When the rest of us sloppily complain about "the Internet" what we mean is buggy software, underfunded open source projects that depend on one or a few overworked people but underpin software used by billions, human error, database leaks, sloppy security policies, corporate malfeasance, criminal attacks, failures of content moderation on Facebook, and power outages. When these factors come into play and connections break, "the Internet" is actually still fine. The average user, however, when unable to reach Netflix and finding many other sites are also unreachable, interprets the situation as "the Internet is out". It's a mental model issue.

A few months ago, we noted the fragile brittleness of today's "Internet" after an incident in which one person made a perfectly ordinary configuration change that should have done nothing more than alter the settings on their account and instead set off a cascade of effects that knocked out a load of other Internet services. Also right around then, a ransomware attack using a leaked password and a disused VPN account led to corporate anxiety that shut down the Colonial pipeline, leading to gas shortages up and down the US east coast. These were not outages of "the Internet", but without the Internet they would not have happened.

This year is ending with more such issues. Last week, Amazon Web Services had an outage service event in which "unexpected behavior" created a feedback loop of increasing congestion that might as well have been a denial-of-service attack. What followed was an eight-hour lesson in service dependence. Blocked during that time: parts of Amazon's own retail and delivery operations, including Whole Foods; Disney+; Netflix; Internet of Things devices including Amazon Ring doorbells, Roomba vacuum cleaners, and connected cat litter boxes; and the teaching platform Canvas.

Separately but almost simultaneously, a vulnerability now dubbed Log4Shell was reported to the Apache Foundation, which notified the world at large on December 9. The vulnerability is one of a classic type in which a program - in this case popular logging software Log4j - interprets an input data string as an instruction to execute. In this case, as Dan Goodin explains at Ars Technica, the upshot is that attackers can execute any Java code they like on the affected computer. The vulnerability, which has been present since 2013, is all over the place, embedded in systems that run...everything. Within a few days 44% of corporate networks had been probed and more than 60 exploit variants had been developed, with some attacks coming from state actors and criminal hacking groups. As Goodin explains, your best hope is that your bank, brokerage, and favorite online shops are patching their systems right now.

The point about all this is that greater complexity breeds more, and more difficult to find and fix, errors. Even many technical experts had never heard of Log4j until this bug appeared. Few would expect a bug in a logging utility to be so broadly dangerous, just as few could predict which major businesses would be taken out by an AWS outage. As Kurt Marko writes at Diginomica, the two incidents show the hidden and unexpected dependencies lurking on today's "Internet". The same permissionlessness that allowed large businesses to start with nothing and scale up means dependencies no one has found (yet). In 2014, shortly after Heartbleed reminded everyone of the dangers of infrastructure dependence on software maintained by one or two volunteers, Farhad Manjoo warned at the New York Times about the risks of just this complexity.

Complexity and size bring dependencies at scale - harder to predict than the weather, in part because software is forever. Humans are not good at understanding scale.

Illustrations: XKCD's classic cartoon, "Dependency".

December 9, 2021


A few weeks ago, digital rights activist Amie Stepanovich was in the news for making a T-shirt objecting to the new abuse of "crypto" to mean "cryptocurrencies". As Stepanovich correctly says, "crypto" has meant "cryptography" for at least 30 years and old-timers do not appreciate its appropriation. I am enough of an old-timer to agree with her, but fear she's fighting a losing battle. For decades "hackers" meant clever people who bent hardware and software systems to their will. Hackers built the first computers. Hackers made the Internet. "Hacker" was a term of honor, applied by others. And what happened circa the mid-1990s? It was repurposed for petty criminals running scripts to break into websites. Real hackers were furious. Did anyone respond sympathetically? They did not. Hackers are now criminals. So: "Crypto" is doomed. Exhibit A: Jeff John Roberts' 2020 history of Coinbase, Kings of Crypto.

This week, anti-monopolist author Matt Stoller unleashed a rant about "crypto", calling the whole shebang - which for him includes the non-fungible token (NFT) craze, cryptocurrencies, and the blockchain, as well as web3, which we tried to make sense of a couple of weeks ago - "a bunch of bullshit". The only use cases Stoller could find were speculation and money laundering; the tools that exist he dismissed as "don't work". He attributes its anti-monopoly zeitgeist to cryptocurrencies' emergence "out of the financial crisis", adding on Twitter that they were "invented about the same time as the iPhone".

This is when I realized: this use of "crypto" is less evolving language, more loss of culture. We all think the world started when we discovered it.


"Crypto", as in cryptography, is probably as old as humanity, basically because every time someone figures out how to protect a secret someone else tries to crack it. For that history read Simon Singh's Cryptography. The development of the specific type of cryptography the nascent Internet needed, public key cryptography, is thoroughly documented in Steven Levy's Crypto. For cryptography in military communications try David Kahn's The Codebreakers.

Cryptocurrencies, as a digital equivalent of cash, are usually traced to 1991, when David Chaum described ecash in Scientific American. In the mid-1990s, Chaum attempted to commercialize ecash via his company, Digicash.

Nothing was ready. Commercial traffic on the Internet began in 1994, soon followed by the first ecommerce companies: eBay, Amazon, and Paypal. Graphical web browsers were slow and bare-bones. People were afraid to use *credit cards* online. Yet Chaum hoped they would opt to turn their familiar, hard-earned money into his incomprehensible mathematical thing and bet they could find somewhere to buy something with it. The web was too small, the user base was too small, and it was all so strange and clever, way too soon. Chaum was not the only one to discover this sad reality.

This timing was due to the unexpected democratization of cryptography, which began in 1976, when Martin Hellman and Whitfield Diffie published the basis of public key cryptography (later, it emerged that the UK spy agency GCHQ had already developed it, but the mathematicians couldn't tell anybody). Besides allowing strangers to communicate spontaneously in a trustworthy way, Diffie's and Hellman's work pulled cryptography out of the spy agencies into entirely new communities. By 1991, a single programmer in his home with a personal computer was able to write a piece of powerful encryption software that anyone could use to protect their data and communications, setting off 30 years of crypto debates. Phil Zimmermann's program, PGP, is still in use today, having withstood the tests cryptanalysts have thrown at it.

These technical developments inspired the beginnings of the movement and the anti-government motivations that Stoller identifies. To many of this crowd, finding easier and more efficient ways to move money around was only part of its appeal. Many embraced the idea of being able to bypass banks, governments, tax collectors, and all the other trappings of the regulated world by using encryption to create untraceable forms of money. In her 1997 book, Close to the Machine, Ellen Ullman tells the story of her close encounters with one of the 1990s movement's leads, and their inability to understand each other's world.

Throughout the 1990s these ideas were swapped back and forth on the Cypherpunks mailing list. You can get the gist from this CryptoInsider tribute to Timothy C. May or May's Cyphernomicon. At Computers, Freedom, and Privacy 1997, May outlined BlackNet, an anonymous market for everything from assassinations to government secrets, all enabled by untraceable digital cash. May's information market is so like early Wikileaks that at its inception I failed to take it seriously (Julian Assange has said he read the Cypherpunks list).

However: blockchain-based cryptocurrencies are not untraceable. The 1997 Internet was also awash in libertarian predictions - and what got built and who's profiting? Sure, some cryptocurrency nuts want to bypass banks and play anti-regulatory games. But some of today's experimenters with cryptocurrencies are central banks, governments, and credit card companies, as fintech expert Dave Birch writes in his book The Cryptocurrency Cold War. If there are winners, they will be the ones claiming most of the spoils. Unless Web3 works out?

Illustrations: Dave Birch, trying to figure out how to play contactless Monopoly.

December 3, 2021

Trust and antitrust

Four years ago, 2021's new Federal Trade Commission chair, Lina Khan, made her name by writing an antitrust analysis of Amazon that made three main points: 1) Amazon is far more dangerously dominant than people realize; 2) antitrust law, which for the last 30 years has used consumer prices as its main criterion, needs reform; and 3) two inventors in a garage can no longer upend dominant companies because they'll either be bought or crushed. She also accused Amazon of leveraging the Marketplace sellers' data it collects to develop and promote competing products.

For context, that was the year Amazon bought Whole Foods.

What made Khan's work so startling is that throughout its existence Amazon has been easy to love: unlike Microsoft (system crashes and privacy), Google (search spam and privacy), or Facebook (so many issues), Amazon sends us things we want when we want them. Amazon is the second-most trusted institution in America after the military, according to a 2018 study by Georgetown University and NYU. Rounding out the top five: Google, local police, and colleges and universities. The survey may need some updating.

And yet: recent stories suggest our trust is out of date.

This week, a study by the Institute for Local Self-Reliance claims that Amazon's 20-year-old Marketplace takes even higher commissions - 34% - than the 30% Apple and Google are being investigated for taking from their app stores. The study estimates that Amazon will earn $121 billion from these fees in 2021, double its 2019 takings, and that Amazon's 2020 operating profits from Marketplace will reach $24 billion. The company responded to TechCrunch that some of those fees are optional add-ons, while report author Stacy Mitchell counters that "add-ons" such as better keyword search placement and using Amazon's shipping and warehousing have become essential because of the way the company disadvantages sellers who don't "opt" for them. In August, Amazon passed Walmart as the world's largest retailer (outside of China). It is the only source of income for 22% of its sellers and the single biggest sales channel for many more; 56% of items sold on Amazon are from third-party sellers.

I started buying from Amazon so long ago that I have an insulated mug they sent every customer as a Christmas gift. Sometime in the last year, I started noticing the frequency of unfamiliar brand names in search results for things like cables, USB sticks, or socks. Smartwool I recognize, but Yuedge, KOOOGEAR, and coskefy? I suddenly note a small, new? tickbox on the left: "our brands". And now I see: "our brands" this time are ouhos, srclo, SuMade, and Sunew. Is it me, or are these names just plain weird?

Of course I knew Amazon owned Zappos, IMDB, Goodreads, and Abe Books, but this is different. Amazon now has hundreds of house brands, according to a study The Markup published in October. The main finding: Amazon promotes its own brands at others' expense, and being an Amazon brand or Amazon-exclusive is more important to your product's prominence than its star ratings or reviews. Amazon denies doing this. It's a classic antitrust conflict of interest: shoppers rarely look beyond the first five listed products, and the platform owner has full control over the order. The Markup used public records to identify more than 150 Amazon brands and developed a browser add-on that highlights them for you. Personally, I'm more inclined to just shop elsewhere.

Also often overlooked is Amazon's growing advertising business. Insider Intelligence estimates its digital ad revenues in 2021 at $24.47 billion - 55.5% higher than 2020, and representing 11.6% (and rising) of the (US) digital advertising market. In July, noting its rise, CNBC surmised that Amazon's first-party relationship with its customers relieves it of common technology-company privacy issues. This claim - perhaps again based on the unreasonable trust so many of us place in the company - has to be wrong. Amazon collects vast arrays of personal data from search and purchase records, Alexa recordings, home camera videos, and health data from fitness trackers. We provide it voluntarily, but we don't sign blank checks for its use. Based on confidential documents, Reuters reports that Amazon's extensive lobbying operation has "killed or undermined" more than three dozen privacy bills in 25 US states. (The company denies the story and says it has merely opposed poorly crafted privacy bills.)

Privacy may be the thing that really comes to bite the company. A couple of weeks ago, Will Evans reported at Reveal News, based on a lengthy study of leaked internal documents, that Amazon's retail operation has so much personal data that it has no idea what it has, where it's stored, or how many copies are scattered across its IT estate: "sprawling, fragmented, and promiscuously shared". The very long story is that prioritizing speed of customer service has its downside, in that the company became extraordinarily vulnerable to insider threats such as abuse of access.

Organizations inevitably change over time, particularly when they're as ambitious as this one. The systems and culture that are temporary in startup mode become entrenched and patched, but never fixed. If trust is the land mass we're running on, what happens is we run off the edge of a cliff like Wile E. Coyote without noticing that the ground we trust isn't there any more. Don't look down.

Illustrations: Wile E. Coyote runs off a cliff, while the roadrunner watches.

