More Trouble With Blanket Tech Analogies

Hadn't blogged in a while, and this article using the feudal analogy for our relationships with Internet service providers seemed ripe for some quick, caffeinated midday comments. The article's main point is that we are merely vassals to our feudal big tech lords, hoping for the occasional mercy and protection engendered by trust alone, voluntarily benefiting from the convenience and redundancy of ubiquitous, mostly reliable service without the headache of managing our own security configuration. And most of us tend to be ok with that or maybe even consider it progress. Agreed, so far.

My primary gripe is the failure to analyze or contrast the companies' respective terms of service or actions with respect to very different products and relationships, which makes a scarier sum than the individual parts might reveal. It also misses the opportunity to point out areas most in need of change, not to mention many counter-examples of which the author must be aware. For example, he states "There should be limitations on what cloud vendors can do with our data; rights, like the requirement that they delete our data when we want them to; and liabilities when vendors mishandle our data." Maybe the piece was just edited to death for an increasingly general purpose publication, but at least a hyperlink to discussions of the right to be forgotten in the EU and a few of the regulatory smackdowns on some companies in the US might lead to a more complete discussion. A requirement to delete data would be beneficial to users and companies but overlooks other regulatory or technical concerns the companies might have in needing to retain data for a certain minimum period of time. What about looking at the companies which already will voluntarily delete data upon request as a way of pressuring the others to get on board? Further, although (very) inadequate and in need of legislative attention, there are federal laws such as ECPA and state-specific privacy protections such as Massachusetts', or the patchwork of Fourth Amendment interpretations applying to government requests for user data.

On the second read, this statement really jumped out: "We mostly can’t install our own security products on iPhones or Android phones; we certainly can’t install them on Facebook, Gmail, or Twitter." I'll certainly give the author's well-known expertise the benefit of the doubt that it's troublesome that I can't enhance the level of security on my mobile device. However, when using web services, certainly I can arm my computer, browser and local network in ways that further protect me. Or just not make common human errors that enhance my risk.

Other than corporate or government abuse of available data, what are the other threats? Surely they're not all of the same magnitude. The article also uses the term 'security' to refer to data integrity, data surrender to authorities, availability of remote services and functionality of devices or machines. Maybe I was just a sucker for the linkbait of a good headline and great concept that felt sloppily unpacked. For example, the shift halfway through to properly note that enterprise concerns aren't and shouldn't be the same as those of individual users, then using examples of companies screwing up w/r/t individuals to support that point.

What about other ways of poking through holes in the castle walls? I don't just mean jailbreaking your iPhone. I'm thinking of things like using a mail client with Gmail to maintain local backups of your emails. Or, there's Google's under-publicized Data Liberation Front, which allows users to export data using Google Takeout or notes other ways. Maybe (definitely) some of the mentioned companies' walls are too high, especially for more advanced users. It's also kind of ironic that the commenters jump all over the dangers of government requests for cloud data but no one points out that the government itself has been most reluctant to engage with cloud services for the reasons the enterprise ought to be wary. Overall, the article leans too heavily on fear, which I've never found to be a useful educational tool.
