Schneier on Security
A blog covering security and security technology.
June 13, 2013
More on Feudal Security
Facebook regularly abuses the privacy of its users. Google has stopped supporting its popular RSS feeder. Apple prohibits all iPhone apps that are political or sexual. Microsoft might be cooperating with some governments to spy on Skype calls, but we don't know which ones. Both Twitter and LinkedIn have recently suffered security breaches that affected the data of hundreds of thousands of their users.
If you've started to think of yourself as a hapless peasant in a Game of Thrones power struggle, you're more right than you may realize. These are not traditional companies, and we are not traditional customers. These are feudal lords, and we are their vassals, peasants, and serfs.
Power has shifted in IT, in favor of both cloud-service providers and closed-platform vendors. This power shift affects many things, and it profoundly affects security.
Traditionally, computer security was the user's responsibility. Users purchased their own antivirus software and firewalls, and any breaches were blamed on their inattentiveness. It's kind of a crazy business model. Normally we expect the products and services we buy to be safe and secure, but in IT we tolerated lousy products and supported an enormous aftermarket for security.
Now that the IT industry has matured, we expect more security "out of the box." This has become possible largely because of two technology trends: cloud computing and vendor-controlled platforms. The first means that most of our data resides on other networks: Google Docs, Salesforce.com, Facebook, Gmail. The second means that our new Internet devices are both closed and controlled by the vendors, giving us limited configuration control: iPhones, ChromeBooks, Kindles, BlackBerry PDAs. Meanwhile, our relationship with IT has changed. We used to use our computers to do things. We now use our vendor-controlled computing devices to go places. All of these places are owned by someone.
The new security model is that someone else takes care of it -- without telling us any of the details. I have no control over the security of my Gmail or my photos on Flickr. I can't demand greater security for my presentations on Prezi or my task list on Trello, no matter how confidential they are. I can't audit any of these cloud services. I can't delete cookies on my iPad or ensure that files are securely erased. Updates on my Kindle happen automatically, without my knowledge or consent. I have so little visibility into the security of Facebook that I have no idea what operating system they're using.
There are a lot of good reasons why we're all flocking to these cloud services and vendor-controlled platforms. The benefits are enormous, from cost to convenience to reliability to security itself. But it is inherently a feudal relationship. We cede control of our data and computing platforms to these companies and trust that they will treat us well and protect us from harm. And if we pledge complete allegiance to them -- if we let them control our email and calendar and address book and photos and everything -- we get even more benefits. We become their vassals; or, on a bad day, their serfs.
There are a lot of feudal lords out there. Google and Apple are the obvious ones, but Microsoft is trying to control both user data and the end-user platform as well. Facebook is another lord, controlling much of the socializing we do on the Internet. Other feudal lords are smaller and more specialized -- Amazon, Yahoo, Verizon, and so on -- but the model is the same.
To be sure, feudal security has its advantages. These companies are much better at security than the average user. Automatic backup has saved a lot of data after hardware failures, user mistakes, and malware infections. Automatic updates have increased security dramatically. This is also true for small organizations; they are more secure than they would be if they tried to do it themselves. For large corporations with dedicated IT security departments, the benefits are less clear. Sure, even large companies outsource critical functions like tax preparation and cleaning services, but large companies have specific requirements for security, data retention, audit, and so on -- and that's just not possible with most of these feudal lords.
The feudal relationship is inherently based on power. In Medieval Europe, people would pledge their allegiance to a feudal lord in exchange for that lord's protection. This arrangement changed as the lords realized that they had all the power and could do whatever they wanted. Vassals were used and abused; peasants were tied to their land and became serfs.
It's the Internet lords' popularity and ubiquity that enable them to profit; laws and government relationships make it easier for them to hold onto power. These lords are vying with each other for profits and power. By spending time on their sites and giving them our personal information -- whether through search queries, e-mails, status updates, likes, or simply our behavioral characteristics -- we are providing the raw material for that struggle. In this way we are like serfs, toiling the land for our feudal lords. If you don't believe me, try to take your data with you when you leave Facebook. And when war breaks out among the giants, we become collateral damage.
So how do we survive? Increasingly, we have little alternative but to trust someone, so we need to decide who we trust -- and who we don't -- and then act accordingly. This isn't easy; our feudal lords go out of their way not to be transparent about their actions, their security, or much of anything. Use whatever power you have -- as individuals, none; as large corporations, more -- to negotiate with your lords. And, finally, don't be extreme in any way: politically, socially, culturally. Yes, you can be shut down without recourse, but it's usually those on the edges that are affected. Not much solace, I agree, but it's something.
On the policy side, we have an action plan. In the short term, we need to keep circumvention -- the ability to modify our hardware, software, and data files -- legal and preserve net neutrality. Both of these things limit how much the lords can take advantage of us, and they increase the possibility that the market will force them to be more benevolent. The last thing we want is the government -- that's us -- spending resources to enforce one particular business model over another and stifling competition.
In the longer term, we all need to work to reduce the power imbalance. Medieval feudalism evolved into a more balanced relationship in which lords had responsibilities as well as rights. Today's Internet feudalism is both ad hoc and one-sided. We have no choice but to trust the lords, but we receive very few assurances in return. The lords have a lot of rights, but few responsibilities or limits. We need to balance this relationship, and government intervention is the only way we're going to get it. In medieval Europe, the rise of the centralized state and the rule of law provided the stability that feudalism lacked. The Magna Carta first forced responsibilities on governments and put humans on the long road toward government by the people and for the people.
We need a similar process to rein in our Internet lords, and it's not something that market forces are likely to provide. The very definition of power is changing, and the issues are far bigger than the Internet and our relationships with our IT providers.
This essay originally appeared on the Harvard Business Review website. It is an update of this earlier essay on the same topic. "Feudal security" is a metaphor I have been using a lot recently; I wrote this essay without rereading my previous essay.
EDITED TO ADD (6/13): There is another way the feudal metaphor applies to the Internet. There is no commons; every part of the Internet is owned by someone. This article explores that aspect of the metaphor.
Posted on June 13, 2013 at 11:34 AM
I believe your logic is flawed. Governments need controlling because they possess a monopoly of violence over a given area. No so-called 'Lord' of the internet has a monopoly on any service, be it email, social networking or otherwise.
The barrier to entry to offer such services is very low. For example, a five second google search for private social networks yielded ten alternatives to facebook: http://mashable.com/2013/06/10/...
The onus is on *us*, the internet consumers, to control how much data we provide and to whom - after all, we do so voluntarily. Hopefully the aftermath of the government spying scandal will prompt people to be more careful with their data, and choose services which prioritize their privacy.
The feudal metaphor is even more powerful than that. Corporations are merely feudal kingdoms, abstracted away from geographic limitations, with the CEO as king, the VP's as Dukes, etc. right down to the employee peasants. Heck, interns are frequently even slaves.
The problem is that these geographically unbound feudal nations owe no allegiance to any place or institution. They cross national boundaries and view the resources of every nation as theirs to exploit in the most profitable way possible. And they are caustic to democracy. Allowing corporations and their money to influence how America - or any other traditional geographically-limited nation state - functions is a recipe for disaster. Corporations will consume all the resources they profitably can, and leave their waste for the nations to clean up. And by buying political influence - what was quaintly once referred to as "bribery" - these feudal corporations can arrange to make everything they do legal, pay no taxes, or in the case of the really big oil companies, receive payoffs as "subsidies" even when they are the most profitable institutions that ever existed.
Where this comes back to security is simply this - the things that are in the best interests of corporations are usually NOT in the long-term best interests of the nation-state where you reside. The age old battle of feudalism versus democracy that gave us the Magna Carta continues today on the Internet and in government. Your online privacy is compromised by feudal corporations bribing national democratic governments to allow them to contract out the monitoring of your communications. Your economy is compromised by feudal corporations bribing legislators to overturn conflict of interest barriers between banking and investment. Your safety is threatened by the erosion of food production regulations and enforcement. And when corporations eradicate the line between commercial press and editorial journalism, it makes it next to impossible to obtain information about what is actually happening in the world in order to make informed decisions.
Feudal corporations systematically undermine the Rule of Law in traditional democratic nation states. Without the Rule of Law there IS no security.
Bruce: Amazon has also erased books from Kindles, without user permission or input. The time that comes to mind is when some 3rd party sold a book to which they didn't own the copyright, so all copies of that book sold by that party were erased from the customers' Kindles. They received a refund, but they still lost the book they purchased. Wouldn't happen in the physical space.
The book? 1984.
Amazon may or may not have changed their policies in the intervening years, but the fact that they can, and that the user has no control, is worrisome.
The feudalism extends further, as large enterprises outsource more of their fundamental IT services, the very large IT services companies offer less and less insight into how they actually manage services for their clients. Reporting, detailed security requirements, processes and procedures, monitoring, patching, and more all become part of this is the way we do it at "LargeOutSourcedIT" and enterprises lose visibility into their security risk. Negotiating a 10-, 100-, or billion dollar outsourcing contract puts security in a very small piece, and the outsourcers easily deflect security requirements and reporting with the hard work they are doing to just make your systems work and deliver.
The result is that enterprises are large merchants in your feudal security model, moving amongst the lands of the feudal lords. The merchants pay taxes for services not delivered (keeping the roads safe from bandits) but have limited influence on those lords. Their taxes do let them talk to a service rep, something we peasants can rarely do...
In what way could an internet commons be established and defended? This relates to a previous comment I made in a separate post, that if you have a commons, can sousveillance techniques be applied to engender trust and security in some measure.
Nations were a suitable form of government when large armies and solid borders were enough.
Now corporations, IT companies and zealots of all kinds can steal your money, your data, your freedom, your life without breaking more and more soft and complacent laws and without any supporting nations being forced to declare a state of war against any other nation.
As social subjects, nations are becoming more and more irrelevant every day, as are developed threats meant to dodge the essence of nation itself, call it terrorism, big data or international finance.
Obviously, as one system of power decays, others rise; the IT walled garden feudal system is just one.
It would seem that there's no way the big corporations or the government can be forced to stop spying on people. What if everyone (or at least a large chunk of the population) had an app that at random times performed Google searches on random topics and selected random URLs in the response. User data collected by the network eavesdroppers would be useless. Wouldn't this result in destroying the industrial and government bureaucracies that feed on using personal data for their own ends? The industry and government have got to fear an app like this where users take over their own destinies. Has someone already developed such an app?
I agree with almost everything, except:
"Normally we expect the products and services we buy to be safe and secure, but in IT we tolerated lousy products and supported an enormous aftermarket for security."
We are not tolerating anything in IT that we don't in the rest of our lives.
What physical thing do you have that's safe and secure? Does anyone really think they have a car that cannot easily be stolen or a house that cannot be easily broken into?
There is a way to live in that realm (still). So far, the roads, waterways and seas connecting the various kingdoms and principalities are many, and those who tend these ways are mostly indifferent to what the horsecarts or vessels carry, as long as they toil along and pay the tolls.
So the way to live is to settle in a peaceful, remote countryside far from the lords' shiny cities and build your own house and stable, barn and shed. Timber is still available for those willing to do some woodwork, and getting cheaper all the time. Your home may not be as shiny and adorable as the ones ready-built by the lords for their peasants, but you may furnish it as you wish. The only problem is that often the roads leading to your ranch are few, narrow, long and boggy, and occasionally they lead through towns whose mayors tell their gatekeepers to stop horses of particular colour, or rummage your cart. Therefore you may need to swear some partial allegiance to some lord sometimes, to rent a patch of land from some prince or baron to put a small part of your business there, or to conceal the goods you carry.
Many of the essential services or goods offered "for free" by the lords in exchange for allegiance are to be found in similar form elsewhere, or can be made and performed in your own shed. In the past, those services were either commonly accessible in some communities or otherwise offered by diverse craftsmen for a reasonable fee. The Big Lords have destroyed the market by offering them "for free", thus putting the majority of the craftsmen out of their business and attracting the majority of the folk to their allegiance. But you don't have to follow that flock; you may be a self-made man still.
Personally, I brew my own beer in my barn, keep my horses in my stables and my oddments in my shed. If I set off for a journey, I conceal the goods in my cart. If I embark on the sea and sail to faraway havens to seek some rare goods, or to trade some goods of mine, I use a vessel built to the proven plan of a well-known and skillful shipwright and I keep a look-out.
Because of boggy roads here at my place I have rented a patch of land with an access to a major tract from a vassal of a vassal of a not-so-important prince and built a stable and a cot there for my errand-running horses and my carrier-pigeons. I have a faithful servant there to sort through the mail and packages, burn the trash and forward the ones I really want. I don't need the "free" mailbox service of a gigantic, shiny post office, where postmen read all mail "to make your experience better". I can have my servant ride right to the home of whomever I wish to send a word, and he will deliver the letter straight to the right hands. Sometimes it means dropping the envelope into a mailbox in the Grand Post Office; well, that's the addressee's problem. The rented land is not very well protected and the landlord may throw me out one day but I can find another patch any time and move my business there with little effort. Indeed, it happened before - my landlord fell out of grace of his overlord and lost his fief. I had to move elsewhere.
I rent small sheds on guarded lands of some big lord or the other, to keep some of my stuff there; if ever my own shed gets burned, I can go there and fetch it. However, I put everything in impenetrable boxes with good locks, to keep it from prying eyes of the lord's minions. If one of these lords decides to take my possessions, he may well have it. All he would get is a bunch of boxes - he may drop them into a sea, crush them or burn them, but only losing or destroying all the contents inside as well.
I rarely venture into huge and crowded marketplaces run by Big Lords, carefully observed and guarded by their minions, where legions of folks loiter, trade, fraternize, chat and whatnot. I just don't like the crowds and don't need the gossip or the fake fraternity; but first of all I shun the prying eyes of the market guards. Indeed I avoid most of these places completely; and if I enter one or the other well-selected marketplace, I do it for a good reason only, I wear plain clothes, watch my steps, and I mind with whom I shake hands.
We (users of social networking and 'free services' on the Web) are not customers. We are product - or producers of product, offered to their real customers (advertisers, as well as any other entity interested in the product for sale). We, as users in this regard, are exactly like serfs. We are allowed to exist in a given place on the web because we produce, and what we produce is used at the discretion of the lords and nobles, not the serfs. If we don't like it why are there so many serfs? For $36 a year you can get a shell account that has web based email, social networking, as well as online storage. So then $36 must be the price we assign on what is too expensive to not be serfs.
And, finally, don't be extreme in any way: politically, socially, culturally.
Can you say "chilling"? I understand this is advice for flying under the radar, but sheesh ...
The issue of the commons is Marx's idea of feudalism, not actual feudalism - well, as much as it existed (it didn't) - during which there were robust principles of commons. It's medievalism, not medieval.
I think a lot of these have descended from ISP solutions, actually. Hard to traverse NATs and blocked port 80s were not a big deal a decade ago, when few were willing to take the effort to run a server. Nowadays, where it is easy to leave a server running 24/7 at your house, these limitations prevent us from buying a Facebook application and running it at home because we are second class citizens on the internet. Instead we are forced to rent space on commercially managed servers, paying either in cash or private data.
A few distributed clients, TOR and BitTorrent, demonstrate just how powerful the peasants would be if we were not oppressed by the ISPs.
"...moving to cloud based...."...ya know, you just can't tell people anything if it's not exactly what they want to hear..some nutter in the top tier insists on sorting and storing data in the cloud not because it's actually a good idea but because everyone else is doing it...which is often how we all consume stuff...then EVERYONE acts surprised and confused when it's all compromised...really? Really really? Yeesh..
"We need to balance this relationship, and government intervention is the only way we're going to get it."
I strongly disagree, and here's why:
The government can and does at times intervene to regulate the markets, but a lot of times they do a very poor job. And once started down that road, it's only downhill. In the long run regulation causes more regulation and innovation in the Internet age will be highly stifled. I mean look at the thousands of laws we have nowadays; no one can really keep up with them.
"These are not traditional companies, and we are not traditional customers"
We need to remember that we are not customers of these companies, we are their product and they want to squeeze the most value out of said products as they can.
You know what's messed up too? Is that we live in a world where potential employers rubberneck people's Private lives by, not surprisingly, checking out their Facebook page. Well guess what the reaction is if the applicant has no Facebook page? The reaction is suspicion of them LOL So the folks shopping for jobs become exceedingly aware that they are SUPPOSED to do that. Why? Uh, cause everyone does...that's it...that's all...lol ah, the theater of the absurd...sorry, but Facebook only has the power its users give them...the herd followed willingly, not under a whip...read the agreement?.nope..just agree and play...well, of course...it's not like ms made their money that way...or Levis..lol at some point, people have to accept that a circus is really a circus...children get a pass for having problems blurring fact and fiction..but the rest of us? Come on...we're all culpable..
"Facebook regularly abuses the privacy of its users. Google has stopped supporting its popular RSS feeder. Apple prohibits all iPhone apps that are political or sexual. Microsoft might be cooperating with some governments to spy on Skype calls, but we don't know which ones. Both Twitter and LinkedIn have recently suffered security breaches that affected the data of hundreds of thousands of their users."
To quote Sesame Street, "One of these things is not like the other, one of these things just doesn't belong." You're comparing privacy violations and security breaches to a decision to discontinue a product. I am a Reader user and I'm as pissed as anybody about Google's decision to shut it down, but grouping it with deliberate privacy violations and security breaches is balderdash.
I get your point, but I think lumping in Chromebooks and Android phones with Apple is wrong. Google specifically permits user control over their devices, down to including a switch on the ChromeBook to disable boot-locking. It encourages hacking and sells unlocked devices (Nexus). Android devices can install apps from third party non-Play stores, etc. At Google I/O, they even had a session hacking and rooting Google Glass, e.g. how to install arbitrary code. Google also provides dashboards where you can monitor every bit of data they have on you, erase it, and download it to leave the service. (Google Takeout)
Also, what does dropping support for Reader have to do with privacy? I mean, must Reader be dragged into every conversation, even when it isn't relevant?
Disagree with your assertion that
"we have no choice but to trust the lords...we need to balance this relationship, and government intervention is the only way we're going to get it."
We most definitely DO have a choice when we decide which social network, computer manufacturer, or telecommunications company we choose. In fact, we have more choices than ever--all of which include very lengthy, detailed EULAs and ToSs. If we choose to ignore these contracts, we relinquish our claims against these feudal lords; if, however, we find that our rights are being violated or our privacy is being impinged upon beyond the scope of a EULA, litigation is a viable means of punishing a misbehaving feudal lord. Your call for government intervention is precisely the wrong way to deal with this. As evidenced by the recent NSA leak scandal, government has no regard for your privacy online, and unlike these corporate feudal lords, are likely to be beyond reproach.
The rhetoric in the article is overblown.
Facebook is not a threat to anybody. Nobody has to use it. Perhaps the young, whose brains aren't mature yet, need to be taught about the folly of giving up all their privacy, but that's all. And parallels with the feudal system are ridiculous: a peon on a lord's estate had no choice, no way of escape. Facebook's "peons" enslave themselves. See the difference?
None of these commercial services deserve to be mentioned in the same article as the NSA's Orwellian surveillance. If I want to keep my emails out of Google's and Yahoo's databases, I can sign up with one of the zillion other email services (or set up my own using FOSS: cost about $45/year) and tell my correspondents to use gpg or PGP etc. But there is no way I can keep my electronic communications out of NSA's database. The best try to communicate privately with someone in another country is to write a letter and post it, but even that is less secure than it used to be, because of the decline in volume of postal mail in the last 20 years.
To me it appears that you emphasized the view on the web consumer. You mention "large companies" only briefly. Personally I think the pressures on companies are even larger than on the consumer. The consumer can choose not to use the services. Don't like Gmail, use a POP server.
The commercial organisation might not have a choice due to economic pressures. On a large scale it will be cheaper to buy commodity services and give up some of the internal restrictions i.e. increase risk. The drive to be cheaper than the next guy is too strong to be discounted. And the company who has nothing to do with your iPad or Facebook will take your data with them when building the next IT operating model using an external service provider.
"... can't delete cookies on my iPad ..."
What does this mean? Are you saying the "Clear Cookies and Data" button in the Safari settings does not do so? If so, how do you know?
What is the price of ennoblement? How much does it cost in time and money to become an Internet lord? It is surprisingly little. The same company that sells you a serf account (labeled residential) will gladly sell you one without restrictions (labeled business account). Servers are cheap and don't cost much to run 24x7. Turnkey server appliance software packages are available to download and are improving in capability every month.
It would not be difficult to create a social network interoperability standard like CMIS does for content management so you can post to your own system and invite the facebook and twitter crowd in to converse. If there is demand for such, anybody who supports such a scheme will gain a competitive advantage over facebook and eventually draw away their member serfs.
So given all these facts, it is clear that the era of the Internet lords' power to act in a feudal capacity will be relatively short lived once they abuse their position. The countdown has already begun.
I don't think the critics of this article read the entire article or they read it while distracted.
No metaphor is perfect, but this one is pretty good. When I began reading this, I had little hope of it holding up, but Bruce built a nice comparison throughout the article.
I think that the need for government involvement could be most important in involving the government in removing legal structures that enhance the feudal lords' proprietary interest in their subjects, eg EULA tarbabies, IP rules, and last-mile oligarchies
The problem with your analogy of using gov to rein in the feudal lords is you may be just adding a higher level of feudal lord, a king. The real key is competition, real serfs were not freed by having a king, they were freed when they were no longer tied to the land, and could run away to either a better lord, or a city. Gov should make some rules to make it possible to exit any provider for another, without losing everything, but otherwise they should stay out.
What these feudal lords don't realize is that they're really nothing more than a hashtag
"Facebook is not a threat to anybody. Nobody has to use it."
Obviously the writer of this is totally unfamiliar with terms like 'social pressure' and 'privacy breach' and as such, is totally misguided in every other aspect too.
"None of these commercial services deserve to be mentioned in the same article as the NSA's Orwellian surveillance."
Yes they do: Where is the difference? _Is_ there a difference?
All you have is a pseudo-option to choose any company, which eventually differs from Google (or NSA) just by name: Everything else, including the spying, is the same.
_Companies are even worse_ than NSA: While NSA keeps the results of the spying secret, companies _sell those results to other companies_.
Anyone who has money can buy your privacy, for ever.
Illegal of course but you think a company cares about that for a second?
As long as you can't prove anything, anything is legal. And secrets are always non-provable, that's why they are secrets.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.