The Starfish, the Spider, and Security
Internet security lessons we can learn from both spiders and starfish.
I was recently gifted an interesting book, The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations by Ori Brafman and Rod A. Beckstrom, by a fellow Airman who (I think) hoped to encourage and empower more independent action among others against the grain of an otherwise hierarchical military. It's a pretty quick read and makes a couple of compelling arguments, though it falls short on its methodology. It focuses exclusively on why an organization would want to be more like the titular Starfish: resilient, decentralized, and highly adaptable. However, it fails to address the advantages of the Spider: security, efficiency (though a different kind, to be sure), and accountability. Additionally, it fails to consider *how* an organization might effectively model itself after a Starfish or at least integrate some aspects.
Fast forward to today, when I listened to a podcast by Lawfare where they interviewed notable British contrarian, Dr. Niall Ferguson, regarding his latest book, The Square and the Tower: Networks and Power, from the Freemasons to Facebook. As I listened to him discuss the power of *networks* relative to *hierarchy*, it immediately struck me that this was little more than a more academic re-telling of the exact same book (with about twelve more years of better-cited research). Where I thought Dr. Ferguson made a more interesting case and resolves at something of a synthesis, he specifically discusses social networks and how they relate to the internet, security, and modern politics.
Facebook and the Starfish Illusion
If you've been following the news at all in the last year, you should know that Facebook and (more subtly) Google have erupted as primary information brokers. As of 24 May 2017, approximately 74% of all web traffic was referred by either Facebook or Google. Facebook, in particular, is under significant scrutiny for the role it has played in shepherding extreme political movements and ideologies, in part due to vulnerabilities in its highly-targeted advertising-based business model and the lack of advertiser transparency. Facebook is hardly alone in this; optimizing Google search results has long been a cottage industry of its own. It's increasingly important to recognize the roles these titans have, as Dr. Ferguson pointed out, as the highly-centralized primary editors of otherwise de-centralized publisher content and ideas.
In the context of Starfish and Spiders, the internet has been long-celebrated as a Starfish: it has de-centralized and democratized publication of content of all types. Authors are writing and selling books without a publisher, journalists are reporting on the news without a newspaper, musicians are reaching massive audiences without a record company, and broadcasters are creating radio and television-style shows without a station. The dark secret is that none of this truly exists unless there is a platform to host it and a method to find it. Those authors, journalists, musicians, and broadcasters are still reliant on leveraging big data and highly-centralized systems - Spiders - like Facebook, Amazon, and Google (including YouTube). I can almost guarantee that when I look through the referrers to this blog, you'll have come here via Facebook.
The truth is, the modern internet fancies itself a Starfish, but it has become a Spider in Starfish's clothing. This has dire consequences on the propagation of free speech, privacy, and personal security. It also has interesting legal implications.
The Communications Decency Act
The Communications Decency Act of 1996 was a notable attempt by Congress to regulate internet pornography. This was largely neutered by free speech advocates through several pieces of litigation, ultimately upheld by the Supreme Court. While the remainder is pretty hollow, a single section is now ironically held up as a shield by many free speech advocates: Section 230. Section 230 says "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This effectively removes any liability when a site's users (or advertisers) post bigoted, violent, or factually incorrect material. These protections are unique to U.S. law, making U.S.-based information companies effectively safe havens for free international speech. It protects internet service providers, hosts, and platforms of all sorts as they become populated with content of all sorts. When folks complain that the big Spiders - Facebook and Google - are being abused and manipulated and should be regulated, Section 230 stands in their way.
Make no mistake, however. Spiders can and will be abused in this framework and we have little recourse if we wish to continue to enjoy the privilege of free speech. We can promote the beneficial Starfish-like aspects of the internet, but the platforms they will be delivered by will only increasingly be Spiders.
Spiders and Security
What Mr. Brafman and Mr. Beckstrom failed to completely acknowledge in their celebration of that humble sea creature is that Spiders have some significant advantages that Starfish lack. Hierarchical organizations are far easier to manage, scale, and secure. Spiders can be controlled. We must absolutely not jeopardize our ability to engage in unfettered speech on the internet by simply casting off Section 230 in a moment of anger over Facebook's role in much of the political tumult of the times, as tempting as it may be. Facebook, on the other hand, cannot simply wring its hands and blame analytical firms and advertising agencies for using the business model it built. There should be some careful thought on how our Spiders can enhance transparency without destroying their business model. If we recognize these platforms for the Spiders they are, we might even be able to augment them with additional transparent security functions and oversight. Some have even suggested a measure of government regulation similar to utilities, though I'm a little wary of that, as our government does not have a history of passing or enforcing effective internet regulation. Either way, this does not alleviate our responsibility as individuals.
If you do not pay for a service, you are the product, not the customer. Regardless of the platform, if you are not paying for it, then you have nothing to do with that company's revenue model other than as a product to sell to an advertiser. This is not a new concept; it has been true even prior to the internet. If you enjoyed broadcast radio or television, the advertisers that actually funded the programming were the real customers. Your attention span has been packaged, marketed, and sold for as long as you've been alive. The big data behind the internet merely enables companies to do this on an even more massive and highly-targeted scale.
How Do I Secure Myself?
I lump these two together because they leverage big data in a similar way: to prioritize selling things to you. Honestly, I find their services fairly benign to the point that I don't even bother blocking cookies and ad trackers; I'd rather see advertisements for things I'd like to buy rather than the garbage I'm not interested in. It can be a little eerie at times, but it's hardly the worst thing that could happen and it can be trivially ignored. While Google's search engine ranking algorithm has been exploited, their engineers are usually pretty aggressive at identifying those exploits and developing fixes. In the marketplace of ideas, Google's search engine is hardly the dominant force it once was.
Facebook, Twitter, Instagram, LinkedIn, etc. are a bit more challenging to deal with. The real danger these sites pose isn't when they try to advertise and promote things to buy, like Google and Amazon; it's when they advertise and promote ideas. Worse is how hard it can be for many users to discern between paid content and their own friends' posts; it gets amplified when their friends comment on, like, or share the advertisements that popped up on their own pages, which further populates them in others' feeds. Here are some important ways to secure yourself on social media:
1. Participate. While it's tempting to check out of using such services completely, much like not owning a car or a cell phone, doing so effectively opts out of important segments of modern life and curtails your ability to maintain certain valuable relationships. You cannot control what others post or say about you unless you are participating, even if only on a superficial level. A far darker concern is when a malicious actor realizes that you're not participating and begins to infiltrate your network of friends. Get an account and decide just how much or how little is shared.
2. Watch What You Share. Don't share anything that is used to validate your identity with any other account. Important examples that are commonly shared: your birthday, first car, mother's maiden name, the street you grew up on, birthplace, first pet, best childhood friend, or phone number/mailing address (doesn't social media explicitly provide a way to contact you already?). Many social media sites will hound you for this kind of data; don't fall for it.
3. Don't Do Quizzes. As curious as you might be to find out which Avenger you are or your Hogwarts house, do not take or share any online quizzes. A lot of the kinds of data I just warned you against sharing will get coaxed out of you and not all of these sites just want to advertise things to you. The most interesting recent ones are the ones which ask to analyze a photo of you. In a world of rapidly-advancing biometric security, do you think it's a good idea to submit a clear front shot of your face to a random site that's providing a fun free service (and sees the same data a social media advertiser does)?
4. Stop Commenting and Liking. Remember that when you do these things, it will likely pop up in somebody else's feed attributed to you. Everything attributed to you will reflect on you and can damage your credibility. Additionally, in the case of Facebook, liking something will essentially subscribe you to its content. Treat a like of non-friend posts the same as a friend request that's automatically accepted.
5. Aggressive Skepticism. Somehow between 1996 and today, we descended from a belief that "you can't trust anything you find on the internet" to "I found this funny JPEG with no cited source that confirms my belief so now I will share it with everybody." As with the previous bullet, the content that you share will reflect on you. I have personally seen people's professional credibility damaged because they shared too many dangerously polarizing trash memes without researching or thinking anything more than "this is funny and I think it's probably right." Remember: when you do this, you are loudly proclaiming that you find critical thinking challenging.
6. Keep It Personal. Social media is at its best when you get to engage with people you know and care about. Those people want to see pictures of your kids, hear about your latest project, celebrate your promotion, or mourn the death of your cat with you. They probably don't want to hear about your stance on the latest tragedy, political opinion, or social justice platform. Alternatively, consider segregating your social media. I, for one, only use Facebook as a private face to connect with people I personally know; it's fairly closed off from the public. Twitter, on the other hand, I use as a public face and primarily use to engage and follow people (or organizations) I don't personally know. While I've seen funny posts from The Onion occasionally on my Facebook (where I want to see pictures of your awesome vacation and beautiful new baby), I don't like them because I'm already following them on Twitter, where I prefer to see such things.
The Starfish concept is a compelling one to model a system or organization off of, but for every positive one (like craigslist), there are far more dangerous examples (like Al-Qaeda). On the opposite side, there are examples of amazing Spiders that enable Starfish-like relationships while offering a centralized framework for security management and positive control. We can easily hold Spiders accountable when they fail us and we can praise them when they succeed. The truth is that most organizations are a hybrid of the two. Even craigslist needs a central office (however humble) and Al-Qaeda needs a visionary leader. Our big internet Spiders are no different; they aren't the Starfish we naively dreamed that the internet would be, but they do perilously enable very similar functions. Recognizing them for what they are (advertising companies) and our relationship to them (products) is vital to how we secure ourselves and help protect the awesome responsibility of our free speech. While the recommendations above can help you reshape your approach to these Spiders, they're hardly all-inclusive. Let me know what I missed!