Yahoo! This will happen again

Yahoo!The breach of over 500 million accounts at Yahoo! has caused a number of my friends to deride the company for not applying sufficient protections of private consumer data.  While it’s hard to argue with that claim, one thing is certain: this will happen again.  Maybe not to Yahoo! but to some other giant web site, like Amazon or Facebook or Google or Twitter.

We have concentrated so much trust into so small a percentage of sites that if any one of them has a breach, it can impact hundreds of millions of people.  Americans have previously spoken of banks that are too big to fail.  Social networking sites are similarly so big that when they have an incident, it perturbs our lives in all sorts of ways that we only begin to understand after the fact.

These sites have an interest in maintaining their customer interest, and the network effect helps them: the more people who visit Facebook, the more people Facebook will attract.  This is how the Internet and telephone networks came to be in the first place.

This vast concentration of consumers into a small number of sites also has its upsides: because they are regularly attacked, they have developed very strong expertise to fend off bad guys.  That’s something the average consumer – and even most enterprises – will never have.

This form of market concentration is not an easy problem to solve.  Imagine a world in which we all had software that sat on in our homes instead of in Facebook’s cloud (for instance).  If the software were all the same, then one bug would impact everyone in much the same way as if the software were centrally located.  The only question is how long it would take for an exploit of a vulnerability to propagate, and how long it would take someone to notice.

We know that such distributed software is a problem because one of the key vectors for infection these days is unused and out of date virtual machines or WordPress instances.  This puts aside all the issues of cost of maintaining a WordPress site.  How much does it cost you to maintain your Facebook account today?

One approach would a healthy exchange of social information across a reasonable number (perhaps in the thousands) of well managed sites.  That requires a rethink about how we consider privacy and who is responsible.  It also requires that incentives be aligned for that sharing to occur.  We would in essence be suggesting that Facebook advertisers go elsewhere.  That doesn’t seem like something Facebook would want to see.

Our Supposed Healthcare System

Let’s do a brief comparison of the U.S. to the civilized world, when it comes to healthcare insurance and what actually happens when a child is born.  In Switzerland, when a child is born, both the mother and the child may stay up to five days in the hospital.  For even the slightest complication that time gets extended for both.

In the U.S., an insured mother and her child are entitled two days.  If there is a problem with one, as was the case with my new niece (she was jaundiced and required an extra day), she is separated from the mother, who in this case herself spent the night in the hospital lobby so that she could nurse her newborn daughter, three days after having given birth.

Which would you want for your wife, sister, or daughter?  U.S. or civilized?  If you answered “civilized”, then you get to answer another question: who are the people who should supervise our profit-oriented health insurance industry, and where are they?  I personally would like to know.  By the way, here in Switzerland my family and I pay less than most Americans our ages for healthcare, and we’ve not been turned down for anything we needed (in fact we’ve never even had an argument about it).  Now- does that change your answer?

Net Neutrality Deal near betwen FCC and Telcos?

Today’s Wall Street Journal reports that mega-telcos Verizon and AT&T are in discussions with senior staff of the Federal Communications Commission (FCC) over a compromise for enabling legislation for the FCC to regulate access to the Internet.  This is no small deal.  Chairman Julius Genachowski has made very clear for quite some time that he thought there was a need to provide for some form of net neutrality to protect customers against service providers, and to insure openness.  Another thing is perfectly clear to everyone: the rules of the 1980s and 1990s certainly are antiquated.

However, one problem with net neutrality is that it can mean different things to different people.  To some it might mean protection from service providers charging for services that they themselves do not provide.  To others it might mean an inability for service providers to manage what they deem as excessive use of a shared resource (their network) by some consumers, as their cost models are all structured on the notion of over-subscription.  That is– if everyone tried to use a vast amount of bandwidth at once, we would all get very little, and not those megabits/second in the advertisement.

Here are a few facts to think about when you hear the term net neutrality:

  • The tools service providers might use to give themselves some sort of market advantage are the very same ones they may need to use to protect consumers against denial-of-service attacks: it is in the average consumer’s best interest that bandwidth from rogue BoTs be limited.  Differentiating between protection against BoTs and protectionism may prove difficult to regulators.
  • Bandwidth on the Internet is not the same as a phone call.  If you’ve ever been in a disaster situation, such as an earthquake or a hurricane, you’ll remember that there may have been times when you picked up the phone and got no dialtone.  That is not how the Internet works.  Most applications make use of Transmission Control Protocol (TCP), which is designed to share whatever bandwidth there is.  While voice and video require a minimum to function properly, even modern day tools like Skype & iChat AV can step down their use of bandwidth when they see quality degrading.
  • Most of us weren’t born yesterday, and it’s plainly obvious that there are very few telcos in the United States.  The government has, since the passing of the Sherman Act in 1890, taken the position, with good reason in my opinion, that monopolies are bad, and that high levels of concentration are not good for consumers, either.  Prosecution through that act as a means of redress, however, is a last resort, because…
  • Such prosecutions take years if not decades, are often at the whim of administrations, and often do not succeed. Three examples of arguably failed prosecutions include IBM, AT&T, and Microsoft.  In the case of IBM, the U.S. dismissed the case when Ronald Reagan became president.  AT&T is arguably a failed attempt, because we are very close to right back where we started.  In the case of Microsoft, European regulators have provided far more oversight than our own Justice Department, perhaps in part due to the non-European nature of the company, but also due to a lack willingness to go further by the Bush administration.  Hence it is better to nip a problem in the bud.  This is one reason for the FCC to have a role.
  • At stake is not whether or not consumers will see a choice of service providers, but whether content providers and etailers, sites like and Amazon will have a choice.  Otherwise, we get to a two-sided market, where those who own the so-called eyeball networks also own the other end, providing an enormous price control lever.
  • Properly considered, network neutrality as a concept protects against the idea that you have to go to a service provider to implement new applications features in the network.  This is the core strength of the Internt, but it’s not clear that regulation is needed.  For one thing, I would hope that providers understand that new features and applications are in their best interests, since they get to sell more bandwidth, and perhaps even offer a few such features to their, and other, customers.

That’s what all the fuss is about.

Wrap-up of this year’s WEIS

This year’s Workshop on the Economics of Information Security (WEIS2010) enlightened us about Identity, privacy, and the insecurity of the financial payment system, just to name a few presentaitons.

Every year I attend a conference called the Workshop on Economics of Information Security (WEIS), and every year I learn quite a bit from the experience.  This year was no exception.  The conference represents an interdisciplinary approach to Cybersecurity that includes economists, government researchers, industry, and of course computer scientists.  Run by friend and luminary Bruce Schneier, Professor Ross Anderson from Cambridge University, and this year with chairs Drs. Tyler Moore and Allan Friedman, the conference includes an eclectic mix of work on topics such as the cyber-insurance (usually including papers from field leader Professor Rainer Böhme, soon of University of Münster), privacy protection, user behavior, and understanding of the underground economy, this year’s conference had a number of interesting pieces of work.  Here are a few samples:

  • Guns, Privacy, and Crime, by Allesandro Acquisti (CMU) and Catherine Tucker (MIT), provides an insight into how addresses of gun permit applicants posted on a Tennessee website does not really impact their security one way or another, contrary to arguments made by politicians.
  • Is the Internet for Porn? An Insight Into the Online Adult Industry – Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel provides a detailed explanation of the technology used to support the Internet Porn industry, in which it claims provides over $3,000 a second in revenue.
  • The password thicket: technical and market failures in human authentication on the web – Joseph Bonneau and Sören Preibusch (Cambridge) talks about just how poorly many websites manage all of those passwords we reuse.
  • A panel on the credit card payment system, together with a presentation that demonstrated that even credit cards with chips and pins are not secure.  One of the key messages from the presentation was that open standards are critically important to security.
  • On the Security Economics of Electricity Metering – Ross Anderson and Shailendra Fuloria (Cambridge) discussed the various actors in the Smart Grid, their motivations, and some recommendations on the regulatory front.

The papers are mostly available at the web site, as are the presentations.  This stuff is important.  It informs industry as to what behaviors are both rewarding and provide for the social good, as well as where we see gaps or need of improvement in our public policies, especially where technology is well ahead of policy makers’ thinking.

The Saudis would like some handouts, please.

OilHere’s a rich idea reported by the New York Times: Pay oil producers for not producing oil.  That’s right.  Saudi Arabia wants “rich nations” to pay oil producers to help wean themselves from their dependency on oil.  That is- oil exports.  It’s just like paying farmers not to plant, right?  Wrong. In this case, oil producers still sell what the market demands, it’s just that since the market will be demanding less, OPEC and the like will get less.  According to the article, the Saudis have in the past gummed up the works on climate change protocols because of other nations’ refusal to accede to this sort of extortion.

Do the Saudis have a real problem?  Yes.  They and other large oil producers like Libya lack a sufficiently diversified economy, such that when oil prices dip, everyone suffers.  This is known as Dutch Disease, and oil exports are right to be worried about it.  Dutch disease happens because the demand of oil alone drives up national currencies, making all other industries in that country uncompetitive by price.

So here are a few questions:

  1. Can oil producers wean themselves off of oil without economic assistance?  After all, they’re taking in all of this money.  Can’t they use some of it to develop other industries?  It seems Dubai has been somewhat successful at this.
  2. Would economic assistance actually help?  If consuming countries gave them more money to compensate for losses of oil revenue, would producers just become dependent on the subsidy?
  3. Isn’t there a broader picture here surrounding to the West’s relationship to the Middle East?  Doesn’t good will count for anything?  And don’t we need some of that good will in that part of the world?

Dutch Disease requires complex solutions.  Simply providing a subsidy won’t do the job.  In fact, providing a subsidy could in fact prop up the national currency and compound problems.

And then there’s the fact that most of us feel as though we’ve been held over a barrel by some of the countries in question, and would like to have done with entanglements in the middle east.  Oil or no, however, the people in those countries are not going away.  They and we need an equitable way to live together in the future.