Schneier on Security
A blog covering security and security technology.
December 3, 2012
It’s a feudal world out there.
Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.
These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them -- or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them.
Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.
Of course, I'm romanticizing here; European history was never this simple, and the description is based on stories of that time, but that's the general model.
And it's this model that's starting to permeate computer security today.
I Pledge Allegiance to the United States of Convenience
Traditional computer security centered around users. Users had to purchase and install anti-virus software and firewalls, ensure their operating system and network were configured properly, update their software, and generally manage their own security.
This model is breaking, largely due to two developments:
- New Internet-enabled devices where the vendor maintains more control over the hardware and software than we do -- like the iPhone and Kindle; and
- Services where the host maintains our data for us -- like Flickr and Hotmail.
Now, we users must trust the security of these hardware manufacturers, software vendors, and cloud providers.
We choose to do it because of the convenience, redundancy, automation, and shareability. We like it when we can access our e-mail anywhere, from any computer. We like it when we can restore our contact lists after we've lost our phones. We want our calendar entries to automatically appear on all of our devices. These cloud storage sites do a better job of backing up our photos and files than we would manage by ourselves; Apple does a great job keeping malware out of its iPhone apps store.
In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm. Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades. We trust that our data and devices won't be exposed to hackers, criminals, and malware. We trust that governments won't be allowed to illegally spy on us.
Trust is our only option. In this system, we have no control over the security provided by our feudal lords. We don't know what sort of security methods they're using, or how they're configured. We mostly can't install our own security products on iPhones or Android phones; we certainly can't install them on Facebook, Gmail, or Twitter. Sometimes we have control over whether or not to accept the automatically flagged updates -- iPhone, for example -- but we rarely know what they're about or whether they'll break anything else. (On the Kindle, we don't even have that freedom.)
The Good, the Bad, and the Ugly
I'm not saying that feudal security is all bad. For the average user, giving up control is largely a good thing. These software vendors and cloud providers do a lot better job of security than the average computer user would. Automatic cloud backup saves a lot of data; automatic updates prevent a lot of malware. The network security at any of these providers is better than that of most home users.
Feudalism is good for the individual, for small startups, and for medium-sized businesses that can't afford to hire their own in-house or specialized expertise. Being a vassal has its advantages, after all.
For large organizations, however, it's more of a mixed bag. These organizations are used to trusting other companies with critical corporate functions: They've been outsourcing their payroll, tax preparation, and legal services for decades. But IT regulations often require audits. Our lords don't allow vassals to audit them, even if those vassals are themselves large and powerful.
Yet feudal security isn't without its risks.
Our lords can make mistakes with security, as recently happened with Apple, Facebook, and Photobucket. They can act arbitrarily and capriciously, as Amazon did when it cut off a Kindle user for living in the wrong country. They tether us like serfs; just try to take data from one digital lord to another.
Ultimately, they will always act in their own self-interest, as companies do when they mine our data in order to sell more advertising and make more money. These companies own us, so they can sell us off -- again, like serfs -- to rival lords...or turn us in to the authorities.
Historically, early feudal arrangements were ad hoc, and the more powerful party would often simply renege on his part of the bargain. Eventually, the arrangements were formalized and standardized: both parties had rights and privileges (things they could do) as well as protections (things they couldn't do to each other).
Today's internet feudalism, however, is ad hoc and one-sided. We give companies our data and trust them with our security, but we receive very few assurances of protection in return, and those companies have very few restrictions on what they can do.
This needs to change. There should be limitations on what cloud vendors can do with our data; rights, like the requirement that they delete our data when we want them to; and liabilities when vendors mishandle our data.
Like everything else in security, it's a trade-off. We need to balance that trade-off. In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. But these days, government has largely abdicated its role in cyberspace, and the result is a return to the feudal relationships of yore.
Perhaps instead of hoping that our Internet-era lords will be sufficiently clever and benevolent -- or putting our faith in the Robin Hoods who block phone surveillance and circumvent DRM systems -- it's time we step in in our role as governments (both national and international) to create the regulatory environments that protect us vassals (and the lords as well). Otherwise, we really are just serfs.
A version of this essay was originally published on Wired.com.
Posted on December 3, 2012 at 7:24 AM
I thought we were an autonomous agrarian collective.
I like the analogy very much. Pretty clever.
The one thing that came to mind when I read
"Today's internet feudalism, however, is ad hoc and one-sided..." and "This needs to change. There should be limitations on what cloud vendors can do with our data; rights, like the requirement that they delete our data when we want them to; and liabilities when vendors mishandle our data."
is that a lot of these services are offered for "free" to end users. I'm sure that would play a role in terms of negotiating power when it comes to rights and responsibilities.
Nearly time for the Magna Charta---we are not peasants to ignore what our masters are doing, we are Dukes and what we say and do matters if and only if we say and do what is needed...
I agree with the general concept of your argument - the new Internet cloud ecosystems are similar to feudal lords providing protection.
However, there are two significant flaws in your essay.
First, we're actually more like mercenary warriors than serfs. We can choose a lord to work for, if we like the benefits. We don't have to choose any, and we don't have to be 100% committed.
And second, some of our new feudal lords are better than others, and so we should carefully consider who to choose. You write as if all these companies are basically the same. That's not helpful or accurate. In particular, your statement "They tether us like serfs; just try to take data from one digital lord to another" is not fair.
Have you not seen https://www.google.com/takeout and http://www.dataliberation.org/?
You may also want to compare the privacy policies of each of the companies you've mentioned, their data retention and deletion policies, etc. There are very real, important differences.
And then, choose wisely which lord you will "swear allegiance" to - and how much.
That's a much more interesting question. Perhaps you'll consider a followup essay.
"I thought we were an autonomous agrarian collective."
I've always had a deep suspicion of putting all my data in the cloud, and couldn't quite put it into words why. This resonates deeply with my intuitive sense.
Stainless Steel Rat
There were several science fiction books by Harry Harrison about a character called, "the Stainless Steel Rat", modeled after the rats and other "unsanctioned" life forms that live down in the cracks of every city. This character lived an interesting life, which of course is the stuff of fiction, or at least fiction that sells.
In a more practical sense, it may well be a good idea to participate in the feudalism to some extent. In a way it lowers one's profile, makes one look more normal. You can always choose how much you share through Facebook, Flickr, Google+, and the like. You can also choose to keep some things private. If you're active on the internet and participate in none of the above things, you may well stick out as being unusual.
My daughter has a very good Facebook presence. It's the kind of thing that might actually impress a prospective employer, and she's very careful with the information she shares. She's also using gmail for the convenience - after trying lavabit for a while and deciding she's not hipster enough to put up with their limits.
Perhaps some "Pledge Allegiance to Feudalism and Convenience" is a good idea, as long as you know what you're doing. It might add some useful noise to one's net presence.
And keeping with the metaphor, a "cyberpirate" would correspond to a "pirate" - or its romantic idea of freedom in the high seas. Everything fits in!
It's a little sad, that whatever legislation that does come about is usually aimed at keeping the users in line, rather than the lords.
I'm thinking of course about various copyright enforcement schemes that emerge in different forms all over the world.
When will we see the laws protecting the serfs against abuse by the lords?
Last I checked, most governments and regulatory bodies decidedly did *not* have the people's best interests at heart. So perhaps instead of advocating control over those companies, you should advocate for more of them and greater competition in that space.
Because unlike feudal society, there's nothing forcing you, as an individual, to maintain your allegiances or even tying you to the system. If you want to take your data and go home, you can. If you want to take your data to a more favorable service, you can do that too.
Instead of making the companies behave through "rule of law" when the lawmakers don't even really understand the rules or the environment or the underlying problems, let's try making them really have to compete instead.
"I thought we were an autonomous agrarian collective."
If you were referring to the Monty Python skit, did you mean anarcho-syndicalist commune?
"step in in our role as governments (both national and international) to create the regulatory environments that protect us vassals"
How? The history of regulatory agencies can be summed up in two words: "regulatory capture." cf. https://en.wikipedia.org/wiki/Regulatory_capture
There is evidence that the same two words also describe the history of every government ever established.
When will we see the laws protecting the serfs against abuse by the lords
The simple answer is "Not in your life time, or that of anyone yet alive".
But it's more complicated than that, because you have not defined what a serf or lord is or how you recognise them, and track/hunt them down.
Further you have the thorny problem of accountability, that is who is and who is not accountable and to whom and why.
You often hear the faux statement that "The President of the United States of America is the most powerful man in the world". It's, as someone once observed, "a steaming load of...".
Do you want to know what the major preoccupation of the elected representatives of the US is? It's selling themselves for the price of re-election. That is they take money in return for favours, and unlike those promises they make to electors who vote, these promises are binding or next time they don't get the money and are out of the job and lifestyle that goes with it.
So the US president is subservient to the people who hold the purse strings on his campaign funds.
But in theory there are laws to make those that pay into the campaign funds visible and thus possibly accountable, but they don't work.
Why? Because the people that pay the money also can afford the best of legal minds who draw up draft legislation that looks good but does not deliver. This draft legislation is then given to your elected representatives who then out of self interest enact it, and so the game continues.
Historically people took to arms to deal with this sort of behaviour and it was once a very real threat. Now our elected representatives would laugh if you suggested that revolution might happen.
But let's look at the Middle East: they have had some revolutions there, but guess what, they are discovering that they have ousted one despot for another.
This is not surprising, a look at the history of Mexico and other South American Countries will tell you a lot. The politicians come and go more as puppets than heads of state, however those "controlling families" are still there still living the same old privileged life style buying and selling politicians, chiefs of police and generals as they see fit.
Seems to me the general issue of privatization of the public space.
What should remain a public space, neutral of any commercial interest, is fragmented among a few land lords. Like if the street itself was a commercial space where one could redirect only to a few specific shops.
Instead of providing a neutral framework for a given social and commercial model, the governments are giving up. And the private sector is empowered with a para-democratic role for providing the basic services. The companies are even forced to invent some mantra to give some meaning to their actions: "don't do evil", "transparency everywhere", etc.
Digital is the new political ecology. Call it political digital citizenship. How to fight for another endangered space for our children to live in.
Comparing feudalism and vendor dependency is just plain wrong. Perhaps better comparison would be employee and employer relation, with mortgage and health insurance tied to your job.
A brilliant essay.
Here is a part of the news item I just posted at askemos.org:
This essay essentially covers the topic of our background conversations mentioned in "about". He applies the same reasoning and even analogy. Askemos does just one thing here: assuming that there is an "evolutionary advantage" in civil societies above "state of nature"; and apply this recipe to networked security.
Sorry, posting from tablet with "fat fingers".
Wanted to point you to the origin of the idea.
The article is mostly really good, but the conclusion is pretty much the opposite of what I would suggest. The serfs are free to select their feudal lord, but the feudal lords are not playing on an equal playing field - due to insane intellectual property laws. IMHO what we need to do is reduce government's ability to enforce IP so that the feudal lords can compete against each other more fully. Then the serfs will be more able to choose a feudal lord that fits their preferences.
In a way it lowers one's profile, makes one look more normal.
--True. I have lost contact w/ a lot of people since "deleting" my FB; and telling new people I meet that "I don't do that" anymore makes for a nice awkward moment. If people sanitize their posts, it's boring and insincere to read. I didn't like how they were posting what I read and did on FB, it kept becoming more intrusive. I didn't really find much pleasure in looking at other people's dinner pictures and not sharing useful/brainstorming ideas for problems; maybe I had the wrong friends. FB made it easy to stay in contact, but I didn't like how they were becoming a "monopoly". Plus they are now a publicly traded company and they make money by selling your data (you're the product) to adverts. Then say I want to exchange numbers and pull out my flip phone, again looks "weird"; my friends give me a hard time. All I want in a phone is calling, text, and alarm clock; and a "dumb" phone is the closest thing to it. People who call me "not normal", I respond with "And you are?".
Thanks for this accurate analysis of the current state of affairs.
However, I believe there is a better solution than those listed in your conclusions - own a personal cloud. I've written a post in response to a related Forbes article.
Hopefully, this will soon be a way that the everyday conscientious users can take responsibility for themselves.
I disagree, if you want "FREE" stuff then yes, you get what you get...with virtually no privacy or rights...you're getting it free after all. If you want to maintain your privacy and/or personal security then you do have an option...do it yourself...
You could make an argument that most people don't have the necessary knowledge to "do it yourself", to which I will agree. But I would counter that there are plenty of places that will give you the same services if you pay them. But what about the people who can't afford it...ok, what about them?
Technology is not a right!
Email is not a right!
Having a smartphone is not a right!
They're all privileges, privileges you earn with your money.
Otto: Last I checked, most g/o/v/e/r/n/m/e/n/t/s/ a/n/d/ r/e/g/u/l/a/t/o/r/y/ b/o/d/i/e/s/ corporations decidedly did *not* have the people's best interests at heart.
Bruce: You get a distinctly higher overall quality of comments here than at WIRED . . .
This is SO weird! I just wrote something eerily similar to this on my new blog - I'm a Cybersecurity student (my third and hopefully FINAL degree!) in NY. I was actually referred to you by another blogger - The Tech Thoughts by Bill Mullins. He seems to think I have said a lot of the right things - on my blog and in conversations with him. I love writing - this new 'career path' is the most challenging one in my personal academic history - I went from no tech background to where I am now in Lamborghini mode! Writing and content aggregation have become a black hole addiction for me! Truth is - I'm going to need a paying job (or internship) soon - after 4 years of unemployment!
I would LOVE to hear from you if you have a moment. I have a feeling I'll be (with your permission) using your material (re-blogged) on my blog... if that's ok. Everyone wants me to write a book - but I've only had one semester of cybersec courses... Even my professors think I should. Maybe for kids - Something like "Coming of (Digital)Age"- something simple that won't be obsolete immediately... about how to put some gloves on those electronic fingers :-) Because Google and Facebook do NOT have our best interests in mind - being a-moral companies with the deepest darkest data mines ever created.. I said that even THEY haven't even invented the ways in which they will use the megatonnage of data that streams into their grasp every single second of every single day! They're not evil - they're just businesses - I liken them to magicians in my post - sleight of hand and misdirection that fools almost all of the people almost all of the time. Publicly pronounce that they are creating new security measures for all of us folks - but the reality is, as you know, quite the opposite. But - the worst aspect of technology right now in my opinion (other than this) is the simple existence of plaintext email. 2 million per second sent.
Feudalism also brought us ius primae noctis or the “right of the first night.” In exchange for using a feudal lord's land, a peasant's wife knew she could be screwed by a distant stranger and could do nothing about it.
"I thought we were an autonomous agrarian collective."
You're fooling yourself. We're living in a dictatorship. A self-perpetuating autocracy in which the working classes--
I like the analogy with feudalism, but what does it say about your proposed solution of having the government regulate? Historically, as feudalism evolved, the power of the monarch (the analog of the government) was continuously reduced and that of the feudal lords was increased. That doesn't bode well for having the government decrease the power of the "internet feudal lords" with more regulation.
@Josh Hamit: "However, I believe there is a better solution than those listed in your conclusions - own a personal cloud."
This works if you are a corporation with experienced IT personnel. This does not work if you are the typical man/woman on the street.
What Joe Doe, Grandma, and each of us needs is a "personal Facebook" [or fill in your favorite social networking app], not a personal cloud. Something with the same capabilities as Facebook [or whatever], but with all the data stored on one's own computer in one's own house under one's own control.
"You're fooling yourself. We're living in a dictatorship. A self-perpetuating autocracy in which the working classes--"
We're an anarcho-syndicalist commune. We take it in turns to act as a sort of executive officer for the week; but all the decisions of that officer have to be ratified by a simple majority in the case of purely internal affairs, but by a two-thirds majority in--
Or, of course, we could just cut right to the bottom line:
Help! Help! I'm being repressed!
'When will we see the laws protecting the serfs against abuse by the lords?'
After Supreme Court decision 'Citizen United' - no chance.
I prefer to use the peer-to-peer lord:
rate with movim.eu, jappix.org, friendica.com, status.net, identi.ca, diasporaproject.org, ...
search with www.seeks.fr or yappi, ...
Of course, this lord has to be popular to be useful.
"... it's time we step in in our role as governments (both national and international) to create the regulatory environments that protect us vassals..."
This was an incredible surprise from someone who frequently criticizes governments. Asking the federal government and the UN to help regulate corporate internet use is like asking a mugger to help you carry shopping bags. You may like the assistance at first, but soon you've lost your bags, your wallet, and your cell phone.
I guess I'm the odd duck because I still buy physical products: books, cds, etc. 99% of the time I consume them digitally, but I always have the physical copy such that I'm beholden to no one (any more).
I will digress a bit and explain: sometime back someone contacted all my customers with "hacker" information I had on my website. I started a custom 'blog before there were blogs - daily updates, all hacked together with php includes from files for different categories, lots of custom stuff. Content was typical geekish stuff like hacking my DirectTivo, or anything I owned that I could get into and dink with. I linked to ESR's definition of hacker, etc. to clarify what I'd meant by hacker. Problem was I also merged posts of my customers' signs on my blog ("Working at such and such today"). Actually, should not have been a problem at all - they were always outside public signs, nothing ever inside or NDA-violating (typically stuff like, "Ripping out a room-sized PBX and replacing with a rack of equipment" or "connecting multi-homed BGP routers" or "turning up city-wide WAN" or whatever).
But then in 2-3 days I was contacted by dozens and dozens of upset folks, called into the office to meet with my boss, asked to remove all customer content, etc. While I was able to talk to all but one customer (and all the end-technical resources I worked for totally got it), the problem was the external contacts who had escalated things to high executive-levels caused such a ruckus with some places (such as where I worked in a sat. office, but the main office was in NYC and I didn't have any contacts there, lots of public and government agencies, etc.). Basically a week was spent doing little work and mostly a lot of damage control.
Anyway, from that time forward, I pulled all my content, and stopped putting any real content online. Sure, I post pics, and vague info ("got a Christmas tree today"), but nothing at all very interesting. I used to post very detailed technical information on obscure bugs or deployment issues, etc., and generated a large amount of folks who accessed my site (often as I found clever work-arounds or fixes, or my site had better public info than the vendors' were releasing).
Point I'm really trying to make is you really want to limit what you put online, and limit photos of yourself and your full name or anything tying it back to you and keep a line such that you have very public info completely isolated from private info (name, identifying photos), because otherwise, at some point, you will make someone mad, and they'll use everything they can to cause you grief.
I still don't know how they found out, as I'd limited things I'd say online, but ever had anonymous calls to potential landlords telling them awkward half-truths about you? I still don't know to this day if one person or a number of people suddenly got really mad at me, but it was... hah, awkward.
To this day, I still run all my own personal services (dns, email, private web, private vpn/storage). I use third-party services just to minimally interact with family.
@ Henrik, Clive
When will we see the laws protecting the serfs against abuse by the lords
I quote from the preface to the laws of the sixth king of Babylon, also known as the Hammurabi Code, dated 1772 BC:
... then Anu and Bel called by name me, Hammurabi, the exalted prince, who feared God, to bring about the rule of righteousness in the land, to destroy the wicked and the evil-doers; so that the strong should not harm the weak; so that I should rule over the black-headed people like Shamash, and enlighten the land, to further the well-being of mankind...
Trusting a cloud provider with your data is pretty much like trusting a bank or other financial institution with your money. It may take out the complexity of handling things yourself, but we've all seen what lack of regulation and accountability can lead to in that particular sector.
Surely, the only power that companies have over us is what we give them? They're not governments.
Most people don't seem to have anything particularly interesting to put online. Frankly I'm far more worried about the rise of DRM and stuff that can pull the apps off your phone. The idea that you don't really control your device. And that's not really convenience sake, that's just that those terms weren't enough to drive most people away from the services that offered them, and now they're more or less the only terms being offered. People wouldn't put up with it, so it happened.
"It is the common fate of the indolent to see their rights become a prey to the active. The condition upon which God hath given liberty to man is eternal vigilance." - John Philpot Curran, 1790
I'd hope, if it's abused far enough, people will still have the capacity to back out in the future. That's the only real card I see in their hand.
I don't trust any institution to act in my best interest, especially government. If a business oversteps reasonable bounds, it can at least sometimes be hauled into court, but the government is immune. So if there are threats to my security out there, I'll look to the market to fix them. Even the best governments are simply not to be trusted.
Beyond that, I find your serf metaphor lacking in many ways. Serfs were not allowed any weapons, or any possibility of upward mobility. They also couldn't leave their lord's property, and were helpless against anything the lord wanted (this last sounds too much like modern government, but not at all like anything private companies do except to their employees).
@Otto: "If you want to take your data to a more favorable service, you can do that too."
No, I tried, you cannot do that at full extent. You can only get what you explicitly posted/published.
I even just tried with Torrey's links, they won't work:
@Torrey Hoffman: "Have you not seen https://www.google.com/takeout and http://www.dataliberation.org/?"
These links say that Google does not have any browsing history. I have opted out of customization of search results and ads based on my browsing history (http://support.google.com/accounts/bin/answer.py?answer=54057) but I believe that they still keep my history for government access.
Google say that I do not have any youtube history. I have seen a lot of videos though on youtube. Maybe google means that I did not post any video, but it is not what I mean by "taking my data".
I really liked this article. Concise and encouraging. This analogy is very suitable. Thank you.
Found the following on SlashDot.org:
Who Owns Your Health Data?
I believe the owner of the data should ALWAYS BE the one who generates the data, permanently. Everybody else needs permission or should pay for the data.
The above is indicative of the classic end run around health care laws. Organizations want to collect data about your health without being subject to the restrictions of the law, and then use that data to market health care products/services to you, including setting your health insurance coverage rates, denying coverage, constraining your job opportunities, perhaps restricting your use of certain transportation capabilities (too unhealthy to fly for example), and maybe even what foods you can buy/eat or what entertainment/vacation venues you might choose.
Examples include an auto company attempt at using your captive time in a car seat to collect data from your body, as well as data logging sleep monitors, pedometers, and general purpose blood pressure reading devices (if not already being done with insulin sampling devices). Other data collection already exists for your computers, thermostats, and household appliances, with TV viewing being a prime target. Your phone and spending data is already anchored in concrete.
I absolutely love this article. Extra points for recalling the Holy Grail sketch in so many readers' minds.
@Criminal Minds Cast "Surely, the only power that companies have over us is what we give them? They're not governments."
Governments only have the power we give them too, unless they also abuse the guns we foolishly gave them. However, back on topic...
The problem is that there is no competition, no alternative that isn't just another feudal lord, that isn't deemed illegal. Often the product in question is the only one of interest on the market to start with.
For example, take video gaming & Steam - it's reached a point where if you want to play some games (which are by definition unique entities), you must be beholden to the feudal lord or you can't play it at all. Same with books; if the author publishes on Amazon only, you're out of luck for legal alternatives.
It's all very well to say 'well this stuff is being touted as free, but clearly it isn't' but there aren't many services out there that say 'you know what? we'll be nice and not sell your data in return for a monthly fee'.
Hugh - The Magna Charta was a revolt by the barons, not the plebs :-)
As Terry Pratchett comments
"peasants had wanted to stop being peasants and, since the nobles had won, had stopped being peasants really quickly."
Very provocative premise and great comments. I was thinking along these lines just the other day, wondering who will supplant Microsoft as the OS megavendor. We have all been vassals of MSFT since Windows 3.1 ... at least until Apple had the good sense to return Jobs to his rightful place (yes, yes ... I know he was an OOC PITA there for awhile).
I am going with the 'spread-it-around' strategy, having email now with all 3 of the big boys, and devices with all 3 now. We shall see who provides the best security and privacy, at least for my limited needs.
@Johns ... thanks much for the reference to 'jus primae noctis', which I did not remember, but I certainly remembered and immediately thought of this horrible degradation when I read the line 'that lord would protect them from harm.'
@MingoV ... spot on: 'I'm from the guvmint, and I'm here to hep you ...' I have seen so much bait and switch, where the title of the legislation leads one to a particular perception, when in truth the legislation sneakily does pretty much the opposite. And, of course, that famous line from the Speaker: 'You have to pass it to find out what's in it.'
@kashmarek ... and your own DNA, fluids, and tissues do not belong to you, either, as you might demand royalties from the blockbuster treatment they find after studying your corporeal essence, this coming quietly from the wake of the HeLa tissue line litigation, where the descendants of Henrietta Lacks DID receive some compensation. And the response from many quarters of government and private research? 'Oh, no ... we can't have this happening all over the place ...'
Excellent thread, Bruce ... brought me out of the lurkwood ... (g)
Good points so far. Something not mentioned is that you sometimes are forced to participate.
Example one. Not being compliant enough and having a TSA agent literally screaming in my face. I wasn't moving fast enough. Sorry I'm disabled, takes a second and yelling rapid fire in my face isn't likely to help. I thought he was going to blow a gasket and drop dead right there.
Example two. Buy a lighter at Target and they will scan your driver's license or want to. "We just want to make sure you are over 18" Really, the grey bald head didn't clue you in? Well, you know that is going into a database to be sold for advertisements....
I toyed briefly with a small Android tablet a few months ago and the insistence that I had to log into Google to download apps or almost anything (can't use Firefox instead of Chrome if you don't sign into the Play store...) made me feel like I was pwned.
But at this point I need a more up-to-date phone for various reasons. So far (a day or two) I've managed to work with it without tying it to a Google account, but it does mean there are a lot of things I can't do. I resent this situation enormously.
Great point, Wendy G - with Android-based devices it's:
Want to have security patches for all these useless apps your service provider loaded the phone with (NASCAR? Facebook?)? Well then agree to our shiny new Terms of Service that you really don't want to read for your own peace of mind
Bruce, Followed you for years, and this is, I think, your greatest work. One little quibble, something that really seemed not right for you, at the end. "it's time we step in in our role as governments (both national and international) to create the regulatory environments that protect us vassals (and the lords as well). Otherwise, we really are just serfs." Actually, in the Feudal system, the lords were the government. Not much changed in 400 years. The lords are the government. To trust them to protect you is insane.
Also, don't know how this fits the scenario, but it does. It was the Plague that broke Feudalism. With fewer peasants, the smarter ones picked up and moved. The new lord, who was short peasants, for some reason didn't report him to the old lord. Right now, we have the right to change our allegiance. Do not, ever, ever, expect the government to protect this right. Government exists to pick winners and losers. That means the government has the right to pick your lord. THAT is what government is all about.
For those looking to get out from under the thumb of certain Data Robber Barons you might want to have a shufty at this very recent article,
I don't think the analogy with feudalism is appropriate. Back then, in order to avoid becoming a vassal, you had to be as powerful as a feudal lord. But this is not the case here. You don't have to invest the resources of Google and company to access your properly secured webmail service running on a server in your basement. Thanks to open source software, you don't even have to pay anything for that.
Of course, not many individuals and small companies do that. The reason is that they believe that the costs to acquire the needed expertise are higher than the costs they associate with outsourcing their data. Which is fine, as long as they don't enforce their views on others who choose to live outside the feudal system.
The real change is currently underway: consumers are starting to value privacy. We're starting to see teenagers paying more attention to what is public and what is not. We're seeing people cultivating web personas that are flattering.
If this process continues, we'll find the "free service, in exchange for your data" model to diminish. Soon the data will be less valuable as we craft it to be only what we want employers to see.
Historical feudal lords asked that you fork over a significant portion of your total economic output to them in exchange for personal security. Outside of hardware offerings and shrink-wrapped software, Google, Microsoft, and Apple charge nothing (or next to nothing) for most of their services for most of their users. Proportional to your total income, it's a drop in the bucket relative to the agricultural yields vassals had to give up. If anything, the modern network services increase your overall productive output - not take a portion away. Did historical feudal lords offer serfs cheap services to sharpen tools, give discounted rates with town criers, help track seasons or weather, look up trade rates with allied kingdoms, find for-hire laborers, timeshare during offpeak hours with the military forges, etc.? Nope. The promise of personal security ITSELF is what was offered. People don't flock to Google et al for security. "I am going to sign-up with Apple so these files won't get stolen!" said no one ever. In stark contrast, EVERY serf said, "I am going to pledge allegiance with this lord so my farm won't get ransacked!" The main impetus to use network services is to CREATE and ORGANIZE things, NOT protect things!
One word: Linux!
I have iStuff, I have Androids, I have accounts on Gmail, Google+, Facebook, Twitter and a host of other feudal Lords' domains and I use them all the time (except Twitter -- that's just stupid, and Micro$ith -- one has to draw the line somewhere); but all my serious work lives in a number of cheap Linux boxes that back each other up and eschew the Cloud.
Live in the mansion, why not? But always keep an escape route to the little off-grid house in the country. I don't mind telling you this because I'm not doing anything the Lords could legally object to, other than maintaining my independence.
I believe this is the flaw in your analogy: Lords had ultimate sway over serfs because the latter needed land to grow food or starve, and land has always been precious. The equivalent commodity in computers is hardware (cheap; you already have it, or you wouldn't be reading this) or software, of which a lot is free. You just have to learn how to use it. If you are enslaved by your own laziness, you deserve to be a serf!
This is a very nice article! I think the analogy is very to the point: with the power and authority of the nation states declining, we are going back to the situation as it was in the European middle ages, not only regarding the computerized world, but for the whole commercial system, in which we already have companies bigger than some states.
What we need is a new common law for these new feudal relationships, like the Magna Carta in England and the Roman law on the European continent. Unfortunately, nowadays we can't expect much from the states, not only because their knowledge is still far behind, but also because their laws regarding these issues are most often meant to preserve what is left of their own power.
But what we can do, is take all the principles and rules which the western civilization produced for protecting people against the powers of the past, and rewrite them in order to create a new rule of law for these feudal relationships of the future.
I don't know 'bout the rest of ya, but that whole becomin' a vassal thing sounds purty good. I reckon if I had a steel hull an' a coupla deck guns, the guvvermint'd back right off.
What are you talking about Jess? Mansion? Lord?
First off, for all those saying Linux etc., a salient point for you to consider: HARDWARE and the lack thereof.
The PC Desktop is becoming antiquated and the amount of money in it for manufacturers decreasing because there is no "value added" aspect to it and net pad and mobile devices are rapidly catching up if not surpassing speed/power on acceptable desktop performance.
We've seen this before with games consoles in that they are in effect sold at zero profit or less with the income derived from a percentage on the "value added" games so they are locked down in the software dept to protect revenue streams (the 3DS apparently has a built in anti tamper feature where it "bricks" itself if it detects tampering). Likewise mobile devices are sold at or close to zero profit or bundled at zero profit in with a service package. The net pad and higher end smart phones are all locked so you have to go to the OS owner's "walled garden" to get applications. This is just like the old idea of the "Company Store" where workers had to buy everything at vastly inflated prices, and anyone trying to open a rival store was discouraged in various ways (one of which was to pay workers in "company coinage" or tokens not real money).
If you look back at the history of computers prior to the Apple ][ every "office usable" computer was sold with some kind of "lockin" where you had to go back to the manufacturer/supplier cap in hand to pay exorbitant sums of money.
For those that are unaware of this the "old iron" "lockin" attitude is still around and certainly so for high-end servers and I don't see that trend reversing, in fact the opposite.
Part of the cost reduction on net pad and mobile devices is "kitchen sink designs" where you build everything in. Thus as a consumer you do not get to have the ability to modify the hardware beyond a very very small amount. As an example the Apple mobile devices currently lack Near Field Communications (NFC), a four man company has developed an add on to do it via the audio connector. It's far from pretty as a solution, it looks like a child's lollipop sticking out the top. It looks silly and is fragile, thus they are trying to crowd source development costs to make a fit around case to make it a more elegant and robust solution. The problem for them is it's a technological dead end, because if Apple see NFC as taking off they will build it into their future designs, if it does not then they are developing a product without much of a future (typical catch 22 / pact with the devil situation).
But even the desktop is now becoming locked via the Microsoft driven UEFI, whilst MS will sign your code currently it's got a 99USD fee, but that's only for Intel platforms. For ARM platforms it's Windows RT and as MS consider ARM systems "devices" not "PCs" you are locked out from day one.
Secondly those making arguments about serfs and Magna Carta etc, history is way way more complicated than you are making it out. And of the three parts of the final "Magna Carta" (there were very many) still in law only one is in effect for the common man in the UK these days. The rest of it is effectively repealed in a process that started in the 1800's.
But Magna Carta did not start with King John and the Barons, it started a hundred years prior to that with William II as the price to his succession to the throne but that was in turn actually based on what Edward the Confessor had willingly given in setting up the legal system in England.
So a very scant (and thus not fully accurate) overview of part of the feudal system, which by the way was still in force in parts of Europe until just before 1900 and in other parts of the world until the 1960's.
In the Medieval period the whole system was one of patronage and fealty where those in power could give (and take away) Lord rights over parcels of land known as Manors (Thus all land in theory belonged to the crown and technically still does which is why nation states have the right of "compulsory purchase" etc).
The manorial system predates what we now call serfdom (a term coined in the 1800's), it was as a result of the Roman Villa system. The tying of people to the land arose because of the falling birthrate in Rome and other places (which was one of the primary reasons the Roman Empire collapsed and what was left of it became what is now the Roman Catholic Church).
There were three main parts to the Saxon (English) state and the laws recognised them, The Church, The King and Lords with manors to support them and the Manors with peasants tied to them. There were also various people outside of this patronage and land system and they were in effect what were later "outlaws" which back then did not mean they were criminals (although as they had no ties to land in what was a mainly agrarian system often were). As certain skills such as metal working and stone working were trades, those who were outside the manorial system could ply their trade as and where they wished as could vagabond labourers.
Importantly although the word serf derives via the French word derived from the Latin for Slave (French was the Courtly Language, Latin the language of the Church, and English the language of the peasant etc), serfs were not slaves, they were bound by oaths of fealty that affected not just them but their families and descendants. Although the oath was given to the Lord of the Manor they were actually pledging allegiance to the Manor. Thus if the Manor changed its Lord for whatever reason their oath automatically transferred to the new Lord.
Now the Barons did not control as much land as you might think, the job mainly fell to the Lords of the Manor who were often knights and had fealty of arms (ley) directly or indirectly to a Baron who in turn had fealty of arms to the King who controlled the very numerous forests and through other fealty systems the major towns (boroughs) and cities.
In England a "serf" was a person who worked the land and had fealty of labour and tithe (tax and rent) to a Lord of a Manor and in return (until the Enclosures Act) had land and foraging / grazing rights on common land and rights not just to protection from the Lord but compensation (in effect alms) from the Manor. Unlike a slave they could not be sold, they "belonged to the Manor or land" not the Lord. There were several tiers of serf from freemen to villein, cottager etc. A freeman had significant land rights and few if any duties to the Lord and responsibility for their own livestock, a villein had lesser land rights and had more significant duties to the Lord although in practice this was only during harvest, they usually did not have non meat livestock, this was provided by the manor. A cottager got a cottage and between 1 and five acres of land formalised to 4 during the Elizabethan period when serfdom was ended. The labour and duties were usually for the common good of the manor such as tending livestock and common areas and property. Yes the Lord got a share of the crops of the land (but usually considerably less than modern taxes) but had to provide both protection and relief in the event of disaster to the serfs as well as maintain the manor fences, ditches, pathways and common resources such as common grazing land and woods, ploughing oxen and the mill and other "social good" necessities such as the courts and those responsible for keeping the peace etc (including in some cases the brewing of beer etc). In most cases the harvest labour to the manor was something that could be looked forward to as the lord provided food and other sustenance as well as rewards at harvest end (which remained with tenant farming well into the Victorian era with Harvest Festivities and other high days).
A serf could become a "free" by evading his "lord" in the forest or in chartered towns and cities (or on other Lords' property) for a set period of time (a year and a day). However the price was to lose all entitlement to land protection and relief. Which if you had a marketable skill or trade might make the risk worthwhile but otherwise not.
The Black Death caused a significant displacement of people trying to avoid it and the loss of a significant fraction of the population gave rise to a chronic shortage of labour and this gave rise to a lot of people becoming itinerant labourers as the market for labour became significant. This caused a significant backlash and much repression.
However with the ending of serfdom in western Europe came much economic prosperity which would eventually lead to industrialisation. However to the east of the Rhine it was a very different story and although serfdom started a lot later and was initially fairly light it became more repressive as the west of Europe became more industrialised and much money was to be made from exporting grain from the east (it's one of the reasons why communism although thought up in Victorian England became a dominant force in Russia and Eastern Europe at the turn of the century and spread southwards through Italy and Spain prior to WWII).
I recently read "The Art of Not Being Governed - An Anarchist History of Upland Southeast Asia".
It is an interesting take on the history of the area and explains how those living on the fringes of "civilization" deliberately structure their lives to prevent being subsumed by the state. They grow tuber crops and leave them in the ground until needed rather than storing grain that can be raided, they are distrustful of anyone seeking to impose hierarchy, they maintain oral cultures but don't keep written historical records, etc.
But living on the edge they also may choose to participate in the civilization when it serves their interests. For example trading material harvested and foraged in their mountain highlands for rice grown in the "civilized" low-lands of the state. If the local lord starts getting too oppressive they just head for the mountains.
I'm not sure what the equivalent would be in facebook/gmail/etc world. Maybe using a gmail account for encrypted file storage? :)
Facebook says this about deleting your account:
"Copies of some material (photos, notes, etc.) may remain in our servers for technical reasons, but this material is disassociated from any personal identifiers and completely inaccessible to other people using Facebook."
Since they "disassociate" personal identifiers from the photos, surely that must mean they remove all the faces.
@nick, Bruce, Clive.
This is interesting. I have thought this but to have someone say it with some credibility is some confirmation.
The threat of feudalism with the sword. What was it someone once said? You commit 3 felonies a day just going about your business?
@RT Yes people are beginning to catch on to loss of privacy. Remember when you could just buy something and walk out? Now they want your name, address, email. Hey they'll give you a card for discounts (foodlion) in return they track what you buy. Credit card companies sell info to others. Even political campaigns can buy information to glean whether they should call you...
Waiting for the camera for everybody to wear in exchange for money/discounts. Well, at least some will do it. uh, hold on isn't that what facebook does? smirk
@clive. Good points. Part of the problem was the enclosure laws. Ireland's potato famine was made worse by wheat laws (read royalty). The Royal hands were covered if looked at carefully.
I have always thought it humorous when people looked at Prince Charles and his water colours...don't judge the past kings/princes by the current royals...Back then, say William the Conqueror's day, it was the meanest, biggest SOBs that got the castles, serfs, land... ;)
"The United States has its own propaganda, but it's very effective because people don't realize that it's propaganda. And it's subtle, but it's actually a much stronger propaganda machine than the Nazis had but it's funded in a different way. With the Nazis it was funded by the government, but in the United States, it's funded by corporations and corporations they only want things to happen that will make people want to buy stuff. So whatever that is, then that is considered okay and good, but that doesn't necessarily mean it really serves people's thinking - it can stupefy and make not very good things happen."
- Crispin Glover
Yes RT are a nice counterbalance on much we see on US-24H-News and likewise on the BBC, and I tend to watch them in preference to the US channels because they at least take time to find people who are not just "talking heads" or "paid for mouth pieces".
As to the story itself you have to ask a simple question "where's the backup facility?". As described it's an "all your eggs in one basket" solution currently and for various reasons that is really unwise.
Further knowing the location (if it is singular) helps identify where the taps and backhaul are and quite a bit of other info.
There is an old joke about defence and agency funding that says "Why build one when you can build two at thrice the price."
Thus I suspect the facility is actually the secondary site a bit like a data warehouse where the primary site(s) still remain active and will continue to do so for quite some time into the future (before anyone asks no I don't have an inside scoop, just a gut feeling having spent quite some time back in the days of old working on Mil Comms and the various forms of ComInt both traffic and content).
As for the Constitutional violation aspect, I'm not surprised, back in the Pre-Thatcher years when Labour were in power they were up to their eyeballs in misusing Government records etc for political reasons and it was very much suspected that both 5&6 along with Special Branch were keeping fairly close surveillance on the entire Gov. From Harold Wilson (then PM) down through the cabinet and various ministers' aides and ordinary party hacks, especially female aides who were regarded as being more personal than political...
It was also fairly obvious during the Thatcher years that 5/6/SB were very active on the perceived threat of the "Unions" and their leaders and many journalists (Duncan Campbell etc) because "the establishment" regarded them as threats anyway and Maggie Thatcher was handing out very large slices of TAX money for them to upgrade their capabilities.
I've always assumed that it was happening to anyone who "came to attention" because it was the UK Gov through the GPO (later BT) that, when developing the first "digital switches and trunks" as part of System X, had requirements for turning on the microphone remotely as a fundamental part of the specifications which is still there in the likes of GSM etc.
It's even happened to me, a part of OfCom under the guidance of Clive Corrie out of their Birmingham office decided to use their powers under RIPA to get at "Pirate Radio" when it failed to work on the Pirates themselves, OfCom switched tactics to those supplying revenue via advertisers and it was fairly obvious from OfCom's ham fisted approach that they would fail there. So OfCom's next logical choice would be those they suspected (mainly incorrectly) of supplying equipment to the Pirates (in actual fact the Pirates used "cut out companies" and plain simple theft of BBC and Independent Radio Stations equipment as well as DIY kit). It was fairly easy to check OfCom were listening in, just saying a few choice things in a way that Clive Corrie was too stupid to realise were "hooks" resulted in him getting hooked and landed in very short order. Mind you he was quite happy to break the law as well and perjuring himself was just par for the course as well. As has been observed before "Clive Corrie's not the brightest light bulb in the corridor by a very long way" but his thug like behaviour has proved useful to his superiors in OfCom for political reasons.
I am surprised you recommend government control of the Internet. I don't believe government control will produce anything remotely recognized as the "common good". Government control might sound good on paper, sound good in the words of the laws written to create and enforce it, but when executed, it has proven to be political almost without exception.
Did I misunderstand your article?
If so, please ignore my concerns.
"People are aware that Windows has bad security but they are underestimating the problem because they are thinking about third parties. What about security against Microsoft? Every non-free program is a ‘just trust me program’. ‘Trust me, we’re a big corporation. Big corporations would never mistreat anybody, would we?’ Of course they would! They do all the time, that’s what they are known for. So basically you mustn’t trust a non free programme."
"There are three kinds: those that spy on the user, those that restrict the user, and back doors. Windows has all three. Microsoft can install software changes without asking permission. Flash Player has malicious features, as do most mobile phones."
"Digital handcuffs are the most common malicious features. They restrict what you can do with the data in your own computer. Apple certainly has the digital handcuffs that are the tightest in history. The i-things, well, people found two spy features and Apple says it removed them and there might be more"
Richard Stallman: ‘Apple has tightest digital handcuffs in history’
I think the solution would be to make all these feudal corporations into worker-owned cooperatives. Worker co-ops democratically let their employees decide the business model that it chooses to implement to control its customers. It overcomes the problem of letting average users who do not know much about security decide how their platform gets shaped because the employees are industry experts in their fields of work, particularly suited for the task because they work for the same company who makes the platform. It also overcomes the problem of letting lords control the users in the same way democracy overcame, well, the monarchy, but I'm sure democracy can overcome feudalism as well for the betterment of the users since the major executive decisions of worker co-ops are democratically decided by the employees, so the abuse of a lord in controlling the users with his platform would be less threatening if the responsibility of the design for the platform is shaped by the majority rule of the industry experts: the employees.
so we should hope that governments have our best interests at heart and will regulate private space so that google can't turn us up to ..governments.
Sure, that'll happen.
You're completely right about malicious devices and about network services, but software you installed on your own computer is not necessarily better. With software, either the users control the program (free software) or the program controls the users (nonfree software). The iThings and the Swindle control their users because the software in them is nonfree.
To do your computing in freedom, you must do it with your own copy of a free program. That's what the free software movement aims for. Please join our fight for freedom in computing (see fsf.org).
RMS, for the love of GNU, please please please adapt to the realities of the cloud and mobile.
If you really believe that cellphones are Stalin's playthings, then why aren't you conducting phone interviews over GNU SIP Witch secured by GPL'd OpenVPN? If you can't get this stuff to work on mobile, what hope is there for others?
It's not like the world will stop using small, networked devices anytime soon.
The discussion of feudal lords articulates a welcome discussion. In more recent history, robber barons, such as railroad magnates, used Trusts as an anti-competitive tool.
Under the economic model of capitalism, whereby we capitalize on opportunity, the identified reason that Trusts were bad, was vertical integration.
Syllogistically, if Trusts were bad because of vertical integration, then excessive mergers are bad for the same reason. If they are bad for some other reason, they are still bad, but the solution given might not be a good fit.
If the US, as a nation, employed mergers as a globalist business strategy, that is yet another discussion. Under the constitutional model, sovereignty and rights oscillate on a Federal v State pendulum. Internationally, there appears to be a similar continuum developing, between national sovereignty, and centralized global government.
My argument is this: If we re-visit the trust busters discussion, it might show a way out of our current predicament.
UNITE THE CLANS! - Braveheart
It's funny to see the total cognitive dissonance between this post in my RSS reader and the "IT for Oppression" post two back. We're serfs to private companies... let's use governments to fix that... but governments use it to make us serfs again.
Oh, but we just need more democracy...
If we were serfs, there would be no outcry and no change when Instagram nearly took control of all photos. But when a government does something horrendous, nobody changes, no one gets in trouble, etc... Big governments and big corporations are the same... there needs to be more competition to diffuse the concentration of power...
Loose networks lying around in bodies of Data distributing packets is no basis for a system of technology - true power comes from the mandate of the User...
Johns: Lords have often gotten away with rape, but is there any evidence that ius primae noctis (aka droit du seigneur) ever existed as formal law?
I don't want to sound too self-promotional, but at FileRock we are trying an "anti-feudal" security philosophy, at least for cloud storage.
Basically, we are telling users: "You don't have to trust anybody to use our service, not even ourselves". We do that by:
- Using zero-knowledge encryption: we have no way of looking inside the files stored by the user, even if we wanted to.
- Verifying the integrity of the data: the user is able to check if the data has been tampered with.
- Releasing our client with an open-source license: this enables users to see that we haven't put any malicious code in the client. Since the client does not trust the server with which it communicates and always checks the integrity of files, no trust is necessary.
We'd be interested to know what others think of this philosophy, and if it can be applied to other services...
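The integrity check described in the comment above, as an added example (not FileRock's code or protocol; the class names, blob layout and HMAC construction are assumptions): the client keeps a secret key and a per-file version counter locally, so an untrusted server cannot modify, swap or roll back a stored file without detection. In a zero-knowledge design the data passed in would already be ciphertext; encryption is omitted here.

```python
import hashlib
import hmac
import os


class IntegrityError(Exception):
    """Raised when the server returns something the client never stored."""


class UntrustedServer:
    """Constructed stand-in for a storage provider; it may return anything."""

    def __init__(self):
        self.blobs = {}

    def put(self, name, blob):
        self.blobs[name] = blob

    def get(self, name):
        return self.blobs[name]


class Client:
    """Holds the only trusted state: a MAC key and the latest version per file."""

    def __init__(self, server, key=None):
        self.server = server
        self.key = key or os.urandom(32)  # never sent to the server
        self.versions = {}                # name -> last version uploaded

    def _tag(self, name, version, data):
        # Bind the tag to the file name and version as well as the content,
        # so a valid blob cannot be replayed under another name or as an
        # older revision. The length prefix keeps name and data unambiguous.
        n = name.encode("utf-8")
        msg = len(n).to_bytes(4, "big") + n + version.to_bytes(8, "big") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def upload(self, name, data):
        version = self.versions.get(name, 0) + 1
        blob = version.to_bytes(8, "big") + self._tag(name, version, data) + data
        self.server.put(name, blob)
        self.versions[name] = version

    def download(self, name):
        blob = self.server.get(name)
        if len(blob) < 40:  # 8-byte version + 32-byte tag
            raise IntegrityError("truncated blob")
        version = int.from_bytes(blob[:8], "big")
        tag, data = blob[8:40], blob[40:]
        if not hmac.compare_digest(tag, self._tag(name, version, data)):
            raise IntegrityError("content modified or swapped")
        if version != self.versions.get(name):
            # Authentic, but not the revision this client last wrote.
            raise IntegrityError("rollback to an older version")
        return data
```

A plain content hash stored next to the file would catch none of these cases, because the server could recompute it; the checks only work because the key and version counters stay on the client.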
Given what Google have done with their SafeSearch feature (namely, turned it on for all searches and removed the ability to disable it), I wonder if our trust is badly misplaced.
Worse, I have no recourse against these new feudal lords. In centuries past a serf could, in theory, appeal to the king. If I have a problem with Google now (which I do) who do I go to?
The analogy with feudalism is interesting, and it has caused a lot of discussion. Good. However, there is one other perspective from which it may prove not that successful: historical. Especially in combination with the hope that national governments can save us, serfs. We know from world history that feudalism was replaced by capitalism eventually; not just because serfs decided that enough is enough, and certainly not because of government intervention - but mainly because capitalism proved to be a more efficient and dynamic economic model.
I wonder if the historical analogy is actually reverse: we started with wild capitalism, where we were on our own, and then we became serfs. What's next - slavery?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.