Policy vs. Technology

Sometime around 1993 or 1994, during the first Crypto Wars, I was part of a group of cryptography experts that went to Washington to advocate for strong encryption. Matt Blaze and Ron Rivest were with me; I don't remember who else. We met with then Massachusetts Representative Ed Markey. (He didn't become a senator until 2013.) Back then, he and Vermont Senator Patrick Leahy were the most knowledgeable on this issue and our biggest supporters against government backdoors. They still are.

Markey was against forcing encrypted phone providers to implement the NSA's Clipper Chip in their devices, but wanted us to reach a compromise with the FBI regardless. This completely startled us techies, who thought having the right answer was enough. It was at that moment that I learned an important difference between technologists and policy makers. Technologists want solutions; policy makers want consensus.

Since then, I have become more immersed in policy discussions. I have spent more time with legislators, advised advocacy organizations like EFF and EPIC, and worked with policy-minded think tanks in the United States and around the world. I teach cybersecurity policy and technology at the Harvard Kennedy School of Government. My most recent two books, Data and Goliath -- about surveillance -- and Click Here to Kill Everybody -- about IoT security -- are really about the policy implications of technology.

Over that time, I have observed many other differences between technologists and policy makers -- differences that we in cybersecurity need to understand if we are to translate our technological solutions into viable policy outcomes.

Technologists don't try to consider all of the use cases of a given technology. We tend to build something for the uses we envision, and hope that others can figure out new and innovative ways to extend what we created. We love it when there is a new use for a technology that we never considered and that changes the world. And while we might be good at security around the use cases we envision, we are regularly blindsided when it comes to new uses or edge cases. (Authentication risks surrounding someone's intimate partner is a good example.)

Policy doesn't work that way; it's specifically focused on use. It focuses on people and what they do. Policy makers can't create policy around a piece of technology without understanding how it is used -- how all of it's used.

Policy is often driven by exceptional events, like the FBI's desire to break the encryption on the San Bernardino shooter's iPhone. (The PATRIOT Act is the most egregious example I can think of.) Technologists tend to look at more general use cases, like the overall value of strong encryption to societal security. Policy tends to focus on the past, making existing systems work or correcting wrongs that have happened. It's hard to imagine policy makers creating laws around VR systems, because they don't yet exist in any meaningful way. Technology is inherently future focused. Technologists try to imagine better systems, or future flaws in present systems, and work to improve things.

As technologists, we iterate. It's how we write software. It's how we field products. We know we can't get it right the first time, so we have developed all sorts of agile systems to deal with that fact. Policy making is often the opposite. U.S. federal laws take months or years to negotiate and pass, and after that the issue doesn't get addressed again for a decade or more. It is much more critical to get it right the first time, because the effects of getting it wrong are long lasting. (See, for example, parts of the GDPR.) Sometimes regulatory agencies can be more agile. The courts can also iterate policy, but it's slower.

Along similar lines, the two groups work in very different time frames. Engineers, conditioned by Moore's law, have long thought of 18 months as the maximum time to roll out a new product, and now think in terms of continuous deployment of new features. As I said previously, policy makers tend to think in terms of multiple years to get a law or regulation in place, and then more years as the case law builds up around it so everyone knows what it really means. It's like tortoises and hummingbirds.

Technology is inherently global. It is often developed with local sensibilities according to local laws, but it necessarily has global reach. Policy is always jurisdictional. This difference is causing all sorts of problems for the global cloud services we use every day. The providers are unable to operate their global systems in compliance with more than 200 different -- and sometimes conflicting -- national requirements. Policy makers are often unimpressed with claims of inability; laws are laws, they say, and if Facebook can translate its website into French for the French, it can also implement their national laws.

Technology and policy both use concepts of trust, but differently. Technologists tend to think of trust in terms of controls on behavior. We're getting better -- NIST's recent work on trust is a good example -- but we have a long way to go. For example, Google's Trust and Safety Department does a lot of AI and ethics work largely focused on technological controls. Policy makers think of trust in more holistic societal terms: trust in institutions, trust as the ability not to worry about adverse outcomes, consumer confidence. This dichotomy explains how techies can claim bitcoin is trusted because of the strong cryptography, but policy makers can't imagine calling a system trustworthy when you lose all your money if you forget your encryption key.

Policy is how society mediates how individuals interact with society. Technology has the potential to change how individuals interact with society. The conflict between these two causes considerable friction, as technologists want policy makers to get out of the way and not stifle innovation, and policy makers want technologists to stop moving fast and breaking so many things.

Finally, techies know that code is law­ -- that the restrictions and limitations of a technology are more fundamental than any human-created legal anything. Policy makers know that law is law, and tech is just tech. We can see this in the tension between applying existing law to new technologies and creating new law specifically for those new technologies.

Yes, these are all generalizations and there are exceptions. It's also not all either/or. Great technologists and policy makers can see the other perspectives. The best policy makers know that for all their work toward consensus, they won't make progress by redefining pi as three. Thoughtful technologists look beyond the immediate user demands to the ways attackers might abuse their systems, and design against those adversaries as well. These aren't two alien species engaging in first contact, but cohorts who can each learn and borrow tools from the other. Too often, though, neither party tries.

In October, I attended the first ACM Symposium on Computer Science and the Law. Google counsel Brian Carver talked about his experience with the few computer science grad students who would attend his Intellectual Property and Cyberlaw classes every year at UC Berkeley. One of the first things he would do was give the students two different cases to read. The cases had nearly identical facts, and the judges who'd ruled on them came to exactly opposite conclusions. The law students took this in stride; it's the way the legal system works when it's wrestling with a new concept or idea. But it shook the computer science students. They were appalled that there wasn't a single correct answer.

But that's not how law works, and that's not how policy works. As the technologies we're creating become more central to society, and as we in technology continue to move into the public sphere and become part of the increasingly important policy debates, it is essential that we learn these lessons. Gone are the days when we were creating purely technical systems and our work ended at the keyboard and screen. Now we're building complex socio-technical systems that are literally creating a new world. And while it's easy to dismiss policy makers as doing it wrong, it's important to understand that they're not. Policy making has been around a lot longer than the Internet or computers or any technology. And the essential challenges of this century will require both groups to work together.

This essay previously appeared in IEEE Security & Privacy.

EDITED TO ADD (3/16): This essay has been translated into Spanish.

Posted on February 21, 2020 at 5:54 AM • 20 Comments

Comments

JakeWFebruary 21, 2020 7:13 AM

"differences between technologists and policy makers"

.

word choice is revealing.

use of the soft terms "policy makers" & "policy" conceals the true nature of the problem -- which is coercive application of arbitrary "government" power.

Policy-Makers are government politicians and bureaucrats.
Policy is government dictates.
Politicians are usually an obstacle to technology progress -- not necessary benefactors to be eagerly courted.

Few people trust politicians generally... or have a high opinion of government-policy efficiency & effectiveness.

Technology progress is not some major change in society -- the Industrial Revolution centuries ago was a bigger societal upheaval than today's ubjective perceptions.

wiredogFebruary 21, 2020 7:49 AM

"aws take months or years to negotiate and pass, and after that the issue doesn't get addressed again for a decade or more. "

Take a look at Rob Pegoraro's latest article on COPPA. The law, intended to "protect the children", was written in 1998. 22 years ago. Literal decades ago. A child who was 12, and thus "protected" by the law in 98, is 34 today, and may well have a 12 year old child of their own. And, surprise, the law is being applied in areas that weren't even thought of decades ago to cope with problems that didn't exist decades ago and causing problems that the parents of decades ago probably couldn't have understood when the law was written.

Clive RobinsonFebruary 21, 2020 8:26 AM

@ Bruce,

Technologists want solutions; policy makers want consensus.

Ever tried getting "consensus" with a rabid dog?, Rutting billy goat?, or psychopath?

You will quickly find you need a gun, high strong fence or prison cell respectively to prevent them harming society.

Policy is often driven by exceptional events, like the FBI's desire to break the encryption on the San Bernardino shooter's iPhone.

Firstly it was extreamly unlikely that there would ever be anything on that phone. The entire way the shooter had behaved had told any half blind analyst that would be the case. Therefor it had no sensible reason to be done. It was at best a very very extream corner case evidence wise even to try for a "conspiracy charge".

The use of extream corner cases and "think of the children" type appeals, is not "exceptional" in any way, it's a standard undermining attack by appeal to FUD on the uninformed and non rational thinking.

The real news and most notable thing from that was it nearly blew up in the FBI and DoJ's face. They had hoped to get favourable case law and wave a big big flag to the technologists saying "Don't mess with us or you will loose". But they picked the wrong technology target to attack. It was a typical "sociopath play" and thus entirely misjudged on ertza upside and did not consider what the downside would be. It quickly became clear that it was not the "slam dunk" they had hoped for and it was increasingly looking like they were not just going to loose but end up with the wrong type of case law for them thus the downside was immense. So eventually when reality dawned they jumped out of the doomed plane and pulled the rip-cord that had always been there and parachuted away as fast as they could. Leaving the tax payers to pick up the tab for their folly...

If you or I in a comnercial organisation had done that, well I think most can guess what would have been the consensus...

But not for the FBI and DoJ nobody was sacked nobody lost their pension, they did not loose funding, and I don't remember any "policy makers" bringing them to task over it.

The FBI & DoJ have absolutly no interest in consensus and with the types of "policy maker" you are talking about and they never will as the "policy maker" either has no power over them or will not use it. Either way neither the FBI or DoJ will loose by such folly.

The only way you will get consensus with the FBI or DoJ over encryption is when they have something major to loose. That is the real lesson from the "San Bernardino shooter's iPhone" case the FBI and DoJ only respect real power and losses.

As long as the politicians for whatever reason will not put them in that position of losing majorly then neither the FBI or DoJ will go for consensus, they will just play people off until they get what they want.

It's not "Policy" they care about but real "Power Politics". Forgetting thst is just going to lead to a world of hurt.

Oh and remember with 330million citizens probability makes "exceptional" a fairly frequent event, so the FBI and DoJ are always going to have one to milk for all it's worth with FUD. And remember unlike them each loss you have costs you and they know that.

There is some quite old advise about "knowing your enemy" and "picking your battle grounds" and the FBI and DoJ have the advantage of both.

AffenGeilFebruary 21, 2020 10:38 AM

@ Clive Robinson,

For God's sake just use your native German so we can all better understand you, nicht?

Impossibly StupidFebruary 21, 2020 11:01 AM

But that's not how law works, and that's not how policy works.

Maybe it should. Can a system of rules that allow blatant contradictions, inequity, bias, and corruption really be said to "work"? In technology, we call those "bugs", and struggle hard to eliminate them along with other exceptions/errors in the system.

Policy making has been around a lot longer than the Internet or computers or any technology.

So has religion and other superstitious mumbo-jumbo. That doesn't make them right. In fact, it makes them that much less trustworthy. More often than not, pre-scientific thinking has been just plain wrong. The only rational way to "work together" is to educate (or replace) the policy makers, not to "compromise" or work towards a "consensus" that is anything other than an evidence-based approach.

I'm all for technology in the public interest, Bruce, but we're only going to see progress when people open their eyes to the reality that science has revealed. I'd argue that it's especially important for the law not to fall for the fallacy that there's some ancient infallible wisdom that must be followed. You tried to make it sound like it was the technologists that were inflexible, but all you really did was expose just how poorly the policy makers do their job.

Simon TathamFebruary 21, 2020 11:29 AM

One of the first things he would do was give the students two different cases to read. The cases had nearly identical facts, and the judges who'd ruled on them came to exactly opposite conclusions. The law students took this in stride; it's the way the legal system works when it's wrestling with a new concept or idea. But it shook the computer science students. They were appalled that there wasn't a single correct answer.

You got the wrong technologists! Ask anyone who's tried to figure out whether some edge-case operation is legal based on the exact wording of apparently contradictory passages in the C or C++ standard, or the SSH protocol RFCs, or any other comparably complicated technical specification document, and they won't be nearly so surprised. Once you get into interoperability and standardisation, computing starts to look a lot more like law than it does when you're just debugging your own code.

rtFebruary 21, 2020 11:37 AM

I enjoy reading these columns and the comments from those who have an interest in both technology and policy.

It is no longer the case that government agencies no matter their affiliation, can be counted on to implement policy that is not heavily colored by the mask of national security and narrow self interest. Often one is used in aid of the other. That self interest includes accepting financial support from various and sundry corporate interests who want as little in the way of regulation as possible.

There are those who say we are under attack from all corners by those who would harm us. There is some truth in this. However it has always been the case and, the attack now falls more within the realm of economic rather than a physical attack, although there is a component of that we must consider. Attacks on the economy at large are of course serious but is not a justification for the draconian laws and expansive government power under which we now live. During the cold war, those accused of selling secrets were tried in open court with but a few of the details of their testimony withheld from the public. Now, we face Kafka like trials of those who expose government corruption and malfeasance and, witness the implementation draconian prison sentences.

Given this backdrop and the current state of politics, the defining factor in the passing of any legislation will be whether or not it fits a particular ideology or, corporate interest, not good public policy. I no longer believe we can have any degree of trust in our local police, government or federal agencies. I say this having spent 30 years inside the legal system.

The police have transitioned from a local organization, based firmly in the community, to one which has become a paramilitary force, with the acquisition of high powered weapons and surplus military troop carriers. The NSA vacuums every email sent in the country, followed by various corporations such as Google who appear to collect almost as much information. Corporations and government are so closely aligned now that the information in the public sector is routinely handed over with a few few exceptions, sans court orders. If you have the audacity to ask why, you will be told that it is in the interests of public security. More die in this country from contaminated water, illegal police and government use of force and and lack of health care than terrorism. Despite this, the budgets for the military, private contractors and security agencies now form the single largest portion of government expenditure.

While I applaud your efforts to insert technologists of various disciplines into the policy area, we are very near the point of no return. Bluntly put, you simply do not have the resources to compete with those who now control the public domain. The rule of law as we have come to understand it, has its genesis in public policy. Public policy should not be driven by ideology. That is why public policy worked, at least to some degree, in the past. The public for the most part, accepted and understood that regulation was to everyone's benefit. That is simply no longer the case and has not been so for some time. The laws as written are being rewritten to benefit someone - it is simply not us. This decline in the government administration has been ongoing for the past 30 years and, as someone on the inside of the legal system, I have watched this metamorphosis with some dismay.

Even if we were to accept that a particular piece of legislation was both reasonable and was good public policy, the most likely response to any government agency would be to either ignore it or find some way to circumvent it. While the FBI would have been chagrinned in the past for finding one of its own had violated the law, now the agency would do their level best to either justify it or cover it up. This is I believe, true of most in government. Not legal - then as they say: "black bag it". Simply put, violations of the law of any degree, no longer carry any meaningful consequences for those in government or those sanctioned by government. It is I suppose a manifestation of the old principle of the end justifying the means. The end now is a strictly political one - not a public one.

Should this be a reason for you not to engage? Certainly not. There is always hope I suppose but the tide I believe has turned and the concentration of power is such that it makes the fight to draft good public policy and then, to have it actually followed or adhered to, at best, an uphill battle. As I have said, I have watched this decline as someone inside of the legal system. What was once unthinkable, is now, unwritten policy.

PaulRFebruary 21, 2020 11:46 AM


Can't say I agree with this, very techno-centric. Confirmed by the fact that the comments are mostly anti-government, rather than supporting tech primacy.

'Technology rules', and policy must bow down! Policy makers must understand technology!'

Policy makers should stop trying to be drawn into the technology behind encryption, social media, quantum physics,... They should focus on policy principles that are best for the people they represent.

An analogy... Int'l accounting rules are principles-based, US are rules-based. So US companies & lawyers spend $$$ dissecting rules to (often successfully) avoid the principle that the legislators declined to put first. With Int'l accounting... forget the detail shit... you must abide by the principle.

Also... If the publicly supported policy is that law enforcement should be able to see into terrorists' mobile phones, to avoid (eg) more deaths on London Bridge.... 'make it so'. And if policy says they should not be able to... fine. In rare cases, it may be that the policy is difficult or even impossible to enforce (eg no concealed guns). That's a problem with technology, not public policy.

Electron 007February 21, 2020 11:58 AM

Gone are the days when we were creating purely technical systems and our work ended at the keyboard and screen.

That was the old work ethic. Whatever you did for a job, or made and sold as a product, that was where it ended. A cup of coffee didn't cost so much back then, and it didn't come with anything you didn't order in it.

Now we're building complex socio-technical systems that are literally creating a new world.

That's a sign that people aren't minding their own business, and that they are using technology to manipulate others for financial and political gain.

And while it's easy to dismiss policy makers as doing it wrong, it's important to understand that they're not.

That's because they're policy makers. Whatever their policy is, by definition, is the right way of doing things. Anything else is wrong because it's against policy.

Policy making has been around a lot longer than the Internet or computers or any technology.

In some sense, they're luddites, but in another sense the basic human needs of food, clothing, shelter, etc. have not changed since the dawn of civilization. If it worked in the Middle Ages in Europe, it'll work today in America.

And the essential challenges of this century will require both groups to work together.

And I have seen it happen: people are full of shit, and sometimes that's where the Army comes in with a stop work order, and a lot of boots and guns to enforce the stop work order, because the enemy is just too damn hard at work creating malicious "policy" which has the effect — not unintended — of destroying our lives, misappropriating our land, homes,money and goods, and denying us our freedoms and rights.

Keith DouglasFebruary 21, 2020 1:18 PM

I work for a Canadian federal government dept. in IT security. Some of what I do is "business needs for security", i.e., translating policy into security control requirements. It is amazing watching people say "but we didn't intend *that*" based on their own words. As someone whose training was originally in philosophy and/of computing, this is alas not surprising, for any number of reasons.

AlanS February 21, 2020 3:06 PM

Gone are the days when we were creating purely technical systems and our work ended at the keyboard and screen. Now we're building complex socio-technical systems that are literally creating a new world.
Gone are the days? I think you need to read a little more history of technology. Such days never existed.

Jonathan WilsonFebruary 21, 2020 4:17 PM

The Texas church shooting is the perfect example of law enforcement pushing for backdoor access when they don't need that access.

The shooter was dead and even if he wasn't there was more than enough physical evidence to convict the shooter of multiple counts of murder and send the shooter to death row for lethal injection. There os absolutely nothing useful that could be gained by law enforcement looking at that iPhone and its contents.

Does it really matter why this idiot shot all those people at the church?

BlairFebruary 21, 2020 4:25 PM

"The cases had nearly identical facts, and the judges who'd ruled on them came to exactly opposite conclusions. The law students took this in stride; it's the way the legal system works when it's wrestling with a new concept or idea."

I once argued both sides of the same case in mock trials (with different but similar juries of law students) and won both times. My classmate was infuriated that she had the same information as I did, and the benefit of my winning strategy from the first trial and still lost the second. This was an eye opener for many of the attendees and showed why we could have such diametrically opposed decisions and case precedent in the same nation.

Our justice system depends much more on personalities and the willingness to exploit any perceived advantage than it does on the black and white letter of the law.

The way laws and regulation (policy) have been fashioned over the last few decades facilitate this, purposely.

CuriousFebruary 21, 2020 5:10 PM

It seems obvious to me that policy makers don't do innovation, as a general thing (it could in specific cases I imagine, but not generally), which presumably is a crucial aspect to how technology can be thought of as for examaple running amok with consumer related products that shape society for better or for worse (drones and electrical wheeled boards). And so presumably, it would be a mistake thinking that 'innovation' is at odds with policy in terms of how one understand there to be a the process of things coming about in the world with products/tech and then bad things happening/risks happening, because 'innovation' as I see it isn't really the glorified phenomena that people refer to as being "innovation". I mean, I think 'innovation' couldn't be understood as a dichotomy (two mutually exclusive things) with policy/innovation, or, whatever goes for being 'innovation', unless one were to frame the two things as different by theory relying on such (but I would disagree with that). Point being, policy/innovation might appear to be two things necessarily arbitrary to each other, but I will argue as notions they would be a different in perception only, but not necessarily in reality, because there will probably always be a difference in how innovation is sometimes randomly happening and other times based on cultural interests. So, I will argue that any pretence of thinking of 'innovation' as solely nothing-to-do-with-policy-makers, is forgetting this third aspect to things as techonolgy in society advances. This third thing would be what is generally known as 'modernity'. Things changing basically, away from not only the old, but away from the classic or perhaps the institutionalized (imagine old ideas/styles/culture). So, if both policy makers, and tech people are willfully ignorant to modernity, no wonder things go wrong if nobody cares for what happens next. Things changing in society, ought to be something to be expected. This in turn have me wonder if policy makers and tech people just aren't aware of what their goals are, a lack of stratey basically. I guess, I am tempted to conclude that there are failed policy makers and a failed tech industry, in terms of acting responsibly (good, safe, secure products). I guess what I would expect, is society (whatever that is) moving on but based on common knowledge and not a greed for money or a disdain for end users, nor authoritarian policy bs.

CuriousFebruary 22, 2020 7:52 AM

After I wrote my comment last night I realized that I don't really have much of an example even of "policy bs", I guess I simply asssumed that such would exist, or perhaps, just lacking a policy where policy ought to have been in place. I guess, the only thing I could think of now was lacking regulations for seatbelts in cars in US in 50s 60s or something like that. I vaguely recall reading an article about the advent of mandatory seat belts in cars in the US, but admittedly I've forgotten the details.

Clive RobinsonFebruary 22, 2020 11:09 AM

@ Curious,

It seems obvious to me that policy makers don't do innovation, as a general thing (it could in specific cases I imagine, but not generally), which presumably is a crucial aspect to how technology can be thought of as for examaple running amok

Actually some policy makers, like some engineers, like some scientists, etc do inovate, and probably in about the same percentages as other groups.

Inovation in policy often touches more people more quickly than inovations in science and technology, it's just thst it touches them differently.

Take medicine for instance, the creation of Briton's National Health Service is an inovation that has saved more lives in a shorter time then penicillin ever has, which in turn has saved more lives than the medical electronics I've been involved with and innovated or the safety systems for the petrochem industry I've firsts for and certainly the award wining Fast Moving Consumer Electronics in multiple countries.

However each one of us who innovates in no matter how small away improves the lives of others, this in turn undoubtedly increases their longevity in many ways we could in no way forsee. But we generaly don't inovate for "grand reasons" we do it because it can be done and because others one way or another clear the path so we can innovate. The path to any worthwhile goal is strewn with rocks and holes, and we may stumble at any point, but those who move obsticals and fill the holes to make the journey smoother are no less deserving of thanks than those who innovate.

Unfortunately there are always those who for many reasons do not like innovation they see every forward step in mankinds progress with suscpicion and resentment and on occasions bitter hatred and active hostility. Some do it out of fear of the unknown, others of misplaced beliefs, others from outright greed, others for status and others for power. Whilst I can understand fear of the unknown, much of the rest of it is compleatly alien to me. I don't crave power, money, status, and I believe in mankind not gods invented by man to gain control over others. For what ever reason we live in a wonderous place we call the universe that runs like a complex machine by rules we have only just began to grasp. Is not exploring and improving this place in the short lives we have not enough?

I guess for some the answer is no, they would like to be short lived, permanently sick, injured, malnourished, and in fear of others like them as long as they can "lord it up" over others... That truely is a waste and such an outlook on life should be treated as a sickness of spirit.

The fact that such people get treated with deference by those who's spirit they have likewise tarnished is even sader. It's why we have authoritarian followers, who's sole purpose in life is to be mean of spirit lest those who's positions they crave are mean to them. We see it in guard labour, activiely encoraged by peverted incentive schemes, that encorage a "them and us" culture that like slow poison kills society a little bit more everyday.

Which flies in the face of the two basic rules of the universe as we understand it,

1, Entropy.
3, Evoloution.

Entropy is often seen negatively as the "Movment from ordered to disordered" or as the "Increase in redundancy" but infact that's the wrong way to look at it. Consider it instead as the "Movement from constrained to unconstrained" that is it opens up possibilities and opportunities.

Think about "redundancy" as not a waste but multiple ways of doing things. This means that there is a choice of ways to do things. Evolution at heart is evolving by making choices to do things in a better way. That does not mean in a more efficient way but a more optimal way to ensure continuation of the evolutionary process.

One of the failings of our endevors in security, technology, policy and much else is the mistaken belief that "efficiency is optimal" it's not. Nature has spent many thoudands of millennia proving without doubt that "efficiency is not optimal" as either a survival or developmental strategy.

Efficiency can be looked at as "achieving a minima" most assume that that must apply to energy input. However it is like trying to reverse entropy, you spend more and more effort trying to save less and less to make rigid order out of so many options that it looks chaotic. Thus efficiency applies more in reducing your options than it does in saving energy. Look at it this way, you cut a furrow to move water, over time the water movment wears the furrow into a ditch, with each passing drop the water course becomes more entrenched, but something strange happens any imperfection causes a slight change in course, over time just like a river your ditch will start to twist and turn eventually forming lakes and islands each becoming a site of opportunity. Nature wants to exploit opportunity, to stop it to keep it efficient you have to spend more and more resources reducing the opportunity the inevitable flaws give rise to. In short you enter a game you can not win when you chase efficiency, natural opportunity will prevail. Thus those that reject the highly ordered constraint of efficiency have the opportunity to exploit change more rapidly, because their opportunities are greater.

But opportunity and efficiency are not of necessity mutually exclusive. Innovation is actually grasping opportunity in an efficient way, unfortunatly too many people think that "consensus" is taking the best opportunity to achieve an efficient outcome. It's not it's actually a minimisation process putting a costly straight jacket on the future. One reason for this is "consensus" is actually a myth in most cases, it's an excercise in "power politics" to force others to back down and it is most definately a "fools errand" to chase consensus, because consensus like efficiency does not exist in nature, the flow of a river tells you that.

But unfortunatly we are about to find out the price of "efficiency" and "consensus"...

Our health care systems have been made efficient in the wrong way they have been stripped of resilience and become not just brittle but fragile. We have no "spare capacity" to deal with "exceptions", and we are facing a significant "exception". Whilst COVID-19 is not particularly infective, or fatal, it is sufficient of both to become a real threat. Because of thr desire for "consensus" we have alowed pressure from vested economic/power/status interests to have the upper hand thus we have not acted when we should have done. Thus something that was controlable within our limited capacity due to "efficiency" has quickly gone beyond that capacity. We are now in a race to play "catch up" and current indications are we are not running fast enough.

Do we have enough time? Well that depends on if we stop with the "consensus" and take the right opportunities fast. It's way beyond doing things "efficiently" we have to do things the old "brut force" way.

The big problem at the end of the day is if we succeed those that broke with "consensus" will be attacked by the vested interests that have had their "rice bowls broken". If however we loose, those vested interests will again blaim those who broke "consensus" claiming they took us in the wrong direction...

We have to "innovate" our way out of this mess of our own creating[1] and "consensus" policy just wastes time we do not have, in fact any existing major "policy" we have is fairly well going to fail us, because these days due to the power politics that hides behind "consensus" it's almost certainly designed to suit vested interests not society.

[1] The fact we are in this mess is because of the boat anchore of "conservatism" this stubborn clinging to kbown to be not just worthless but actual dandgerous traditions. It goes by various guises but we see it causing out breaks of dangerous to humans diseases over and over. Whilst there are very many coronaviruses out there, only a handfull effect humans, four give rise to a version of the common cold, , MERS from camels SARS-1 SARS-2, SARS-1 one is assumed to be now extinct, and SARS-2 is what is causing COVID-19. However reports from Iran are sufficiently different that the possability for mutation might have happened. I would seriously suggest you look at this video,

https://m.youtube.com/watch?v=VasccCzr2TY

And see what "Policy Consensus" has done for us this year...

vas pupFebruary 22, 2020 1:34 PM

@Bruce stated:"They were appalled that there wasn't a single correct answer.
But that's not how law works, and that's not how policy works."

Let me provide some input on that: when many years ago I asked my supervisor where is the logic behind new required policy, super said when you do application programming, it is based on math and logic (by the way laws of math and logic are universal regardless of country US,UK, Germany, Russia, China, Iran, and North Korea, meaning - 2+2 = 4 regardless of your demographics, political affiliation, social status, you name it), but policy is based on political biases, prejudices and other transcendent things and is usually made by political appointees and lawyers most of them never ever get technical degree - math is too difficult for them. So, just follow policy and keep you flipped bird in the pocket.

I have no idea how Law Schools is teaching logic in US, but in former USSR, Logic for Lawyers was mandatory subject on the first semester in University with (NB): logical exercises based on legal content. Meaning, if you want to be successful, the ONLY ONE answer could be logically justified.

Regarding Laws in general, many times on this respected Laws I try to promote the idea that Laws depending on their targeting population, should have different level of comprehension:
e.g. criminal laws (State or Federal) should match level of understanding of high school graduate, but Laws regulating establishing multi-national corporations, Stock Exchange, drilling oil of the shelf - should have level of understanding of particular specialized in that field Lawyers.
I would say, that language of the Laws and policy should NOT be legalize for former, but must be legalize for latter.

In former, you still need lawyer,professional to represent you during any interaction with LEAs, prosecutors,in the court, but you should have clear and square knowledge regarding material content of the Law upfront.

Vague laws create just milking source for lawyers, and opportunity for many violation of the rights by utilizing application of laws by the principle: for friends everything, for others laws or in short, double standard. Law should establish clear boundaries of discretion for judges as well.

Bruce, your example just remind me the case in forensic psychiatry when about seven prominent psychiatrists based on medical information collected, independently provided spectrum diagnosis from unable to stand a trial to absolutely sane.

Conclusion: folks who made Laws should understand that Laws could not overcome laws of math, logic, nature, biology, science in general but rather understand them and translate them into Laws. You may say in the law that sunrise is on the west, but Sun does not give a piece of stuff, and will do sunrise on the East regardless.


thatguyFebruary 24, 2020 4:46 AM

I actually wrote out a lengthy post with my opinions and thoughts from being a tech and security person relative to policy being drafted or at least debated. It was basically a harsh piece describing in detail why people with no technical background have any business drafting tech policy. However, the last paragraph I wrote made me delete all of it. At the end of the day, Information Security in this country, local, state, federal, municipalities, corporations, hospitals, creditors, and pretty much anything you can think of has been a complete and utter disaster. NSA, FBI, OPM hacked, Trillions of dollars worth of IP stolen by other countries. 4G cellular network knowingly compromised. I could go on but I think we all get the point. Lets be honest here, the best most of us and the industry are capable of, regarding cybersecurity is to mitigate the damage that can happen from an inevitable breach. From where im sitting that is a losing strategy. Lets not bash on Policy makers incompetencies when we dont even have it right ourselves.

Impossibly StupidFebruary 24, 2020 11:58 AM

@thatguy

Lets not bash on Policy makers incompetencies when we dont even have it right ourselves.

That's exactly backwards. In matters where it is difficult for even experts to get right, it is more important to call out those in power who seek to force their uneducated opinions on others. Not all ignorance is equal. It's not like scientists are being overwhelmed by requests from policy makers who are eager to make the most correct decisions possible. The reality is often the opposite, with politicians actively suppressing evidence that doesn't agree with the interests of their wealthy donors. As much as I'd like to be involved with technology in the public interest that Bruce champions, the truth is that the jobs just aren't out there because most policies are themselves not created in the public interest.

LarryFebruary 24, 2020 12:33 PM

"Finally, techies know that code is law­ -- that the restrictions and limitations of a technology are more fundamental than any human-created legal anything. Policy makers know that law is law, and tech is just tech"

How about: the laws of physics and math are the law, and code (tries to) abide by those laws... But policy makers can (sometimes) get so full of themselves that they think physics and math don't apply to them anymore. Need I say Indiana Pi Bill as the quintessential example? https://en.wikipedia.org/wiki/Indiana_Pi_Bill The supposed "crypto wars" threaten to be dangerously close to the same kind of thing, for example...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.