Security, Control and the Future of Everything
Two unrelated things clicked in my head today as actually being related on a theoretical level. Thing one: I spent some time the other day looking over the websites of some potential vendors. I’ve done this sort of thing lots of times before. As per usual, I was unimpressed by the websites themselves (which may or may not say much about the company itself). Thing two: Someone cracked the algorithm for cell phone signal encryption (really a sort of hiding) and released it to the internet. Both these things show the conflict between the old industrial-era way of doing things (let’s call it web 0.5) and the newer Twitter-ified way of doing things (web X.0). It tells us a lot about the changing generations and the growing struggles of the information age.
After that slightly pompous lead in, it’s tempting to just stop but I’ll add some detail, starting with the cell phone encryption code, which is a pretty big deal news-wise. The biggest weakness of cell phone security – and it’s a very big weakness – is that, in order to work, cells broadcast their signal in all directions at once. It’s not like the old fashioned landline phones that send their signal down a wire. In order to intercept the signal of one of those old phones, you have to tap the physical wire. In order to intercept a broadcast signal, on the other hand, you just need to be within range with the right equipment.
For a couple decades now, most cell phones have attempted to evade broadcast interception by (somewhat) randomly changing frequency multiple times during every transmission. That way it’s very hard to intercept more than a single tiny portion of the signal, hopefully too tiny a portion to make sense out of the message. The flaw in this scheme is that for the message to be received, the other end (the cell tower) must be able to follow all the frequency hops and put the complete transmission back together. So both ends need to be synchronized. True randomness is impossible.
News came out the other day that Karsten Nohl, a researcher with the A5/1 security project, has developed a way to crack that frequency hopping protection and released it to the public (See here and here and especially here or just google “GSM crack” for a horde of other sources). The first question that came up was, “Is it ethical to make dangerous information public?” This is an old debate in security circles. On one side are the people who believe that it is always wrong to make life easier for hackers, that keeping systems and methods secret is an essential part of protection. On the other side (and the side I’m on) are those who say that secrecy gives mostly the illusion of protection and that learning from failures is an essential tool to building better systems.
But there’s another, more basic, way of looking at this conflict, which brings me to the other thing I mentioned, looking at the websites of vendors. What the vendors were for is unimportant. What is important is that I found all of the websites to be visually very nice, sometimes using state of the art technology, professionally designed and almost completely devoid of useful information. I’ve done these sorts of surveys numerous times both as part of my job and through the course of formal education and there is nothing unusual about these findings.
Companies tend to design their websites as very fancy advertising brochures. They have a link for investors. They have a link to logos or names of famous clients. They have a link to information about “our team” or some such. They may have a link to their blog, though it’s not much like a real blog because it contains almost exclusively corporate cheerleading and marketing approved advertising copy. They might have a link to a twitter stream but that’s just another promotion channel to them. What they don’t have is the kind of information customers really want and that was once envisioned as being available through means like Amazon customer reviews and ratings. There’s no way to find out anything about the products, services or company that is not directly approved as part of the “corporate message.”
Ten years ago none of this would have been a big issue. Companies were considered to be riding the wave of Internet innovation if they had a website at all. The marketing brochure approach to web communication was considered a professional and effective thing to do. This is no longer true on an Internet where Facebook and Twitter are generating more traffic than every other corporate website combined. But note my criticism above of the way that blogs and twitter feeds are usually implemented. Even when they do them, they don’t do them in a way that seems to me to give people what they want: Actual communication.
If you’re one of those people who says things like, “I don’t get Twitter. Who cares what you’re about to have for lunch?” you may have a future in corporate communications – if there is such a future to be had. Because what ties together the current state of corporate websites AND the hacking of 20-year-old cell phone code AND the debate over disclosure vs secrecy is the thing that seems to me to separate a successful Internet presence today from the methods and even personalities of the last century:
The old way emphasizes control. Control of the message. Control of presentation. Control of the program code and the way people interact with the product and the other people. The new way demands giving up a large measure of control in favor of more fluid and fluidly evolving communication.
I highlighted that point because I believe it is key to success on the Internet as it is developing and is something even very large companies need to understand and cope with over the coming years. Probably because of the presence of the Internet in their lives, younger people seem to be much more likely to take the “less control is better” side of most issues (we’re talking about technology and interacting with others and with companies, here, not about politics). This has profound implications for the future, both near term and long term.
It means, I believe, that attempts to maintain complete control over the corporate message or even over source code of products are, over time, going to become harder to do (there will be leaks and hacks) and more repugnant to the public. As the older generations (i.e., mine) grow old, retire and die, the people who will become the prime consumers and decision makers will have lived most of their lives under the assumption that the old levels of control are both impossible and undesirable. Sure, as they age, they will want more control. But they will be aiming at a lower bar than previous generations. Someone who grew up with Twitter will never have the same view of communications (corporate or otherwise) as people who used to buy newspapers printed on physical paper.
I mentioned newspapers for a reason. I believe the failure to understand the loss of control is one of the central problems the newspaper industry has right now. I don’t know the answer yet but, hopefully, I’ve framed the problem in a way that will help people work on that.



I think in part what we need is a way to distinguish various sources of information. The ability to rate and categorize information sources will at least allow us to filter out the noise. Similar to how Amazon allows people to rate user comments on whether they were useful, but on a larger scale.
Preventing the initial outflow of information could be a little more difficult. DLP can help, but it can only protect so much, and can only protect the systems that are channeled through it. Thomas Jefferson often spoke about the freedom of information and the idea that information should be free for the sake of the universal good. Maybe information wants to be free, and should be free, but it isn’t its own master. It’s enslaved to those who find value in its content.
Beyond whether information is free we have the problem of what qualifies as meaningful information. Newspapers are still operating under the broadcast paradigm where the only information that counts is what they tell you. Sources beyond their own self contained articles are generally ignored.
Likewise, most corporate websites want to show you only a narrow slice of the info available about their companies and products and people’s interactions with them. In a way, with those attempts at control they’ve forced the creation of hate sites (i.e., yourcompanysucks.com), which they then often sue in the mistaken belief that the Internet has no effect on word of mouth. They think they can suppress information they don’t like. That is simply no longer possible.
That’s an illustration of what I mean about loss of control. Whether people want to admit it or not, they have to deal with more information, including the spurious (what I had for lunch today) and the harmful (yourcompanysucks.com). Embracing that – such as having a built-in complaint forum to head off hate sites – is something everyone has to learn now.