I'm on a tour with my new book, the international bestseller Enshittification: catch me next in Miami, Burbank, Lisbon! Full schedule here.
While "tech exceptionalism" can be a grave sin (as with the "move fast and break things" ethos that wrecked so much of our world, especially its labor markets), there are ways in which tech is truly exceptional, in the sense of bringing forth capabilities and affordances that have never existed before, in all of human history.
One obvious way in which tech is exceptional: its flexibility. Digital computers are "Turing-complete, universal von Neumann machines," which means that they are engines capable of computing every valid program. They are truly general purpose. We have many other general purpose machines, of course, but they are simple things, like wheels. Computers are unique in that they are both complex and universal, and every computer can run every program. Just as we don't know how to make knives that only cut in beneficial ways, we also don't know how to make computers that only run desirable programs.
Every computer can run every program, including ones that the user doesn't want (viruses), or that the manufacturer doesn't want (ad-blockers). No one knows how to make a computer that is almost Turing-complete. There's no such thing as "Turing-complete minus one." We can't make a computer that only runs the programs the manufacturer has authorized – all we can do is criminalize the act modifying your own computer to do what you tell it to, even if the manufacturer objects:
I've devoted a lot of my life to exploring the policy implications of this amazing fact, but that's not the only amazing, exceptional thing about technology. There's at least one other way in which modern digital technology has produced something that is genuinely, civilizationally novel: encryption.
Encryption – scrambling data so that it can only be read by its intended recipient – is an age-old project for both the authorities (who used ciphers to keep their secrets safe since the time of the Caesars) and for those who would overthrow them (revolutionary movements have always used codes to protect themselves from the authorities they sought to dethrone).
But WWII ushered in a new era, in which encryption (and attempts to break it) went digital, as Alan Turing and the codebreakers of Bletchley Park turned themselves to a computer-aided mathematics of scrambling and descrambling. In the decades that followed, a modern form of encryption emerged, one that was powerful beyond the wildest dreams of the Caesars and their revolutionary adversaries.
Modern, computerized encryption can scramble data to the point where it is literally unscramblable by an unauthorized party. In the eyeblink moment between you pressing the camera button on your phone and the resulting image being saved to its mass storage, the bits that make up that image are scrambled so thoroughly that even if every hydrogen atom in the universe were made into a computer, and even if all those computers were put to work guessing at the key, we would run out of time and universe before we ran out of keys.
Even futuristic, experimental technologies like quantum computing that may revolutionize codebreaking are also revolutionizing scrambling itself:
https://signal.org/blog/pqxdh/
The history of encryption is seriously fraught. Until the early 1990s, the NSA classed working encryption as a munition and banned civilian access to a whole branch of mathematics. It wasn't until Cindy Cohn – then a lawyer for the Electronic Frontier Foundation, now its executive director – convinced a court that the First Amendment protected the right to publish computer code, that we were all able to gain access to this essential technology, which today safeguards your messages, files, banking transactions, and the software updates for your car's brakes, your pacemaker, and the informatics on airplanes. Cohn has announced her retirement from EFF in 2026, and while she will be sorely missed, we do have her memoir, Privacy's Defender, to look forward to:
The legalization of encryption was a starting gun for the internet itself, as true information security entered the picture and pervaded every part of service design. Every security crisis, every scandal (e.g. Snowden), jolted the effort to encrypt the internet forward, and in this way, much of the internet lurched into a state we can call "encrypted by default."
But even as this privacy-preserving technology was perfected and made ubiquitous, something weird and contradictory happened: mass surveillance also took off online. The ad-tech industry – and its handmaidens, the data-broker industry – rigged the game so that our private activities were only encrypted in such a way as to defend their privacy, but not ours. Our data is encrypted in transit to the servers we interact with, and when it is at rest on those servers' mass storage devices, but it is not encrypted in a way that prevents companies from data-mining it, or decrypting it and selling it on or giving it away or combining it with surveillance data purchased or traded from others.
This isn't an inevitability: it's a choice. The ubiquity of surveillance in the age of encryption is a policy choice. The reason companies don't encrypt our data so that they can't use it against us is because they don't have to. Congress hasn't updated American consumer privacy law since 1988, when they passed a law that prohibits video store clerks from disclosing our VHS rentals:
Why hasn't Congress updated our privacy rights since Die Hard was in theaters? Because American cops and spies love commercial internet surveillance. Tech companies and data brokers are a source of fine-grained, off-the-books, warrantless surveillance data that the American state is totally dependent on. There is no difference between "commercial surveillance" and "government surveillance" – they are a fused symbiote and neither could survive without the other:
Governments have hated encryption since the Clinton era, and have been attempting to subvert it since computers came in beige boxes and modems screamed in agony every time you tried to look at the internet:
It's no mystery why we don't have federal bans on facial recognition – if we did, ICE wouldn't be able to nonconsensually, warrantlessly steal your face and store it for 15 years (at least):
Why did the EU allow Ireland to facilitate mass surveillance for a decade after the GDPR's passage? Because European authorities also hate encryption and say that it is a "totally erroneous perception that it is everyone's civil liberty to communicate on encrypted messaging services":
The internet could be the most privacy-preserving communications medium in history. Instead, it has ushered in an era of nightmarish surveillance. This isn't a technology problem. It's a policy problem. Criminals spy on us online because our governments wanted to spy on us online, so they let corporations spy on us online.
Imagine what the internet would look like today if, in its early regulatory moments, our elected representatives had demanded privacy, rather than trying to ban it. Sure, some corporations would have spied on us anyway, and criminals would have done their best to compromise our privacy, but criminals and rogue firms wouldn't have been able to attract capital to engage in conduct that was likely to give rise to massive fines and criminal prosecutions for violating the privacy laws Congress never bothered to write for us.
Think of it this way: sure, there are e-commerce sites that are just scams, that take your money and never ship you goods. Those sites don't have IPOs, they're not listed on stock exchanges, and they get shut down or blocked. They exist in the shadows, not in the light. Imagine if that was the kind of commercial surveillance industry we'd gotten: marginal, shadowy, illegal, forever on the run. There would still have been some bad privacy invasions, but these would have been crimes, not Harvard Business Review case-studies:
(And before you email me about that one time Paypal closed your account and kept your money or Ebay wouldn't give you a refund, sure, that's right, those things suck, and the companies should face penalties for them, but their business model isn't stealing money from their customers; but Google and Meta and Apple's business model is 100% stealing data from their customers.)
Instead of treating data theft the way we treat monetary theft, we're now increasingly treating monetary theft like data theft. The legislative formalization of cryptocurrency will now allow companies to steal your money with the same blissful lack of consequence as Google faced for stealing your private information:
https://www.citationneeded.news/issue-89/
We're rounding the corner on a decade since the beginning of the fight against Big Tech, and the efforts to cut it down to size. These keep foundering on the political economy of crushing an all-powerful monopolist – namely, that it is all-powerful.
Breakups, taxes and fines are all forms of redistribution, which seek to address the harms of monopoly after the monopoly has been formed. The failure to make privacy protections as inviolable as financial protections is a missed opportunity for predistribution. Bans on data collection, mining, and sale would have prevented these monopolies from forming in the first place. Predistribution is far more effective than redistribution:
It's amazing to realize that the privacy-invading internet has somehow beaten the encrypted internet. It's crazy that the only entity that will promise to encrypt your data beyond the reach of a data broker, an ad-tech giant, or a government is a ransomware criminal, who will also encrypt your data beyond your reach:
It didn't have to be this way. This wasn't a technology failure. It wasn't a commercial failure. It was a policy failure. Since the 1990s, whenever push came to shove, governments decided that they would rather preserve their ability to spy on us than keep us safe from private spying.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
I'm on a 20+ city book tour for my new novel PICKS AND SHOVELS. Catch me in NYC on TOMORROW (26 Feb) with JOHN HODGMAN and at PENN STATE THURSDAY (Feb 27). More tour dates here. Mail-order signed copies from LA's Diesel Books.
The UK government has just ordered Apple to secretly compromise its security for every iOS user in the world. Instead, Apple announced it will disable a vital security feature for every UK user. This is a terrible outcome, but it just might be the best one, given the circumstances:
https://www.bbc.com/news/articles/cgj54eq4vejo
So let's talk about those circumstances. In 2016, Theresa May's Conservative government passed a law called the "Investigative Powers Act," better known as the "Snooper's Charter":
https://www.snooperscharter.co.uk/
This was a hugely controversial law for many reasons, but most prominent was that it allowed British spy agencies to order tech companies to secretly modify their software to facilitate surveillance. This is alarming in several ways. First, it's hard enough to implement an encryption system without making subtle errors that adversaries can exploit.
Tiny mistakes in encryption systems are leveraged by criminals, foreign spies, griefers, and other bad actors to steal money, lock up our businesses and governments with ransomware, take our data, our intimate images, our health records and worse. The world is already awash in cyberweapons that terrible governments and corporations use to target their adversaries, such as the NSO Group malware that the Saudis used to hack Whatsapp, which let them lure Jamal Khashoggi to his death. The stakes couldn't be higher:
Encryption protects everything from the software updates for pacemakers and anti-lock braking to population-scale financial transactions and patient records. Deliberately introducing bugs into these systems to allow spies and cops to "break" encryption when they need to is impossible, which doesn't stop governments from demanding it. Notoriously, when former Australian PM Malcolm Turnbull was told that the laws of mathematics decreed that there is no way to make encryption that only stops bad guys but lets in good guys, he replied "The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia":
The risks don't stop with bad actors leveraging new bugs introduced when the "lawful interception" back-doors are inserted. The keys that open these back-doors inevitably circulate widely within spy and police agencies, and eventually – inevitably – they leak. This is called the "keys under doormats" problem: if the police order tech companies to hide the keys to access billions of peoples' data under their doormats, eventually, bad guys will find them there:
Again, this isn't a theoretical risk. In 1994, Bill Clinton signed a US law called CALEA that required FBI back-doors for data switches. Most network switches in use today have CALEA back-doors and they have been widely exploited by various bad guys. Most recently, the Chinese military used CALEA backdoors to hack Verizon, AT&T and Lumen:
This is the backdrop against which the Snooper's Charter was passed. Parliament stuck its fingers in its ears, covered its eyes, and voted for the damned thing, swearing that it would never result in any of the eminently foreseeable harms they'd been warned of.
Which brings us to today. Two weeks ago, the Washington Post's Joseph Menn broke the story that Apple had received a secret order from the British government, demanding that they install a back-door in the encryption system that protects cloud backups of iOS devices:
Virtually every iOS device in the world regularly backs itself up to Apple's cloud backup service. This is very useful: if your phone or tablet is lost, stolen or damaged, you can recover your backup to a new device in a matter of minutes and get on with your day. It's also very lucrative for Apple, which charges every iOS user a few dollars every month for backup services. The dollar amount here is small, but that sum is multiplied by the very large number of Apple devices, and it rolls in every single month.
Since 2022, Apple has offered its users a feature called "Advanced Data Protection" that employs "end-to-end" encryption (E2EE) for these backups. End-to-end encryption keeps data encrypted between the sender and the receiver, so that the service provider can't see what they're saying to each other. In the case of iCloud backups, this means that while an Apple customer can decrypt their backup data when they access it in the cloud, Apple itself cannot. All Apple can see is that there is an impenetrable blob of user data on one of its servers.
2022 was very late for Apple to have added E2EE to its cloud backups. After all, in 2014, Apple customers suffered a massive iCloud breach when hackers broke into the iCloud backups of hundreds of celebrities, leaking nude photos and other private data, in a breach colloquially called "Celebgate" or "The Fappening":
Better late than never. For three years, Apple customers' backups have been encrypted, at rest, on Apple's servers, their contents fully opaque to everyone except the devices' owners. Enter His Majesty's Government, clutching the Snooper's Charter. As the eminent cryptographer Matthew Green writes, a secret order to compromise the cloud backups of British users is necessarily a secret order to compromise all users' encrypted backups:
There's no way to roll out a compromised system in the UK that differs from non-British backups without the legion of reverse-engineers and security analysts noticing that something new is happening in Britain and correctly inferring that Apple has been served with a secret "Technical Capability Notice" under the Snooper's Charter:
Even if you imagine that Apple is only being asked only to target users in the U.K., the company would either need to build this capability globally, or it would need to deploy a new version or “zone”1 for U.K. users that would work differently from the version for, say, U.S. users. From a technical perspective, this would be tantamount to admitting that the U.K.’s version is somehow operationally distinct from the U.S. version. That would invite reverse-engineers to ask very pointed questions and the secret would almost certainly be out.
For Apple, the only winning move was not to play. Rather than breaking the security for its iCloud backups worldwide, it simply promised to turn off all security for backups in the UK. If they go through with it, every British iOS user – doctors, lawyers, small and large business, and individuals – will be exposed to incalculable risk from spies and criminals, both organized and petty.
For Green, this is Apple making the best of an impossible conundrum. Apple does have a long and proud history of standing up to governmental demands to compromise its users. Most notably, the FBI ordered Apple to push an encryption-removing update to its phones in 2016, to help it gain access to a device recovered from the bodies of the San Bernardino shooters:
But it's worth zooming out here for a moment and considering all the things that led up to Apple facing this demand. By design, Apple's iOS platform blocks users from installing software unless Apple approves it and lists it in the App Store. Apple uses legal protections (such as Section 1201 of the US Digital Millennium Copyright Act and Article 6 of the EUCD, which the UK adopted in 2003 through the Copyright and Related Rights Regulations) to make it a jailable offense to reverse-engineer and bypass these blocks. They also devote substantial technical effort to preventing third parties from reverse-engineering its software and hardware locks. Installing software forbidden by Apple on your own iPhone is thus both illegal and very, very hard.
This means that if Apple removes an app from its App Store, its customers can no longer get that app. When Apple launched this system, they were warned – by the same cohort of experts who warned the UK government about the risks of the Snooper's Charter – that it would turn into an attractive nuisance. If a corporation has the power to compromise billions of users' devices, governments will inevitably order that corporation to do so.
Which is exactly what happened. Apple has already removed all working privacy tools for its Chinese users, purging the Chinese App Store of secure VPN apps, compromising its Chinese cloud backups, and downgrading its Airdrop file-transfer software to help the Chinese state crack down on protesters:
These are the absolutely foreseeable – and foreseen – outcomes of Apple arrogating total remote control over its customers' devices to itself. If we're going to fault Theresa May's Conservatives for refusing to heed the warnings of the risks introduced by the Snooper's Charter, we should be every bit as critical of Apple for chasing profits at the expense of billions of its customers in the face of warnings that its "curated computing" model would inevitably give rise to the Snooper's Charter and laws like it.
As Pavel Chekov famously wrote: "a phaser on the bridge in act one will always go off by act three." Apple set itself up with the power to override its customers' decisions about the devices it sells them, and then that power was abused in a hundred ways, large and small:
Of course, there are plenty of third-party apps in the App Store that allow you to make an end-to-end encrypted backup to non-Apple cloud servers, and Apple's onerous App Store payment policies mean that they get to cream off 30% of every dollar you spend with its rivals:
It's entirely possible to find an end-to-end encrypted backup provider that has no presence in the UK and can tell the UK government to fuck off with its ridiculous back-door demands. For example, Signal has repeatedly promised to pull its personnel and assets out of the UK before it would compromise its encryption:
But even if the company that provides your backup is impervious to pressure from HMG, Apple isn't. Apple has the absolute, unchallenged power to decide which apps are in its App Store. Apple has a long history of nuking privacy-preserving and privacy-enhancing apps from its App Store in response to complaints, even petty ones from rival companies like Meta:
If they're going to cave into Zuck's demand to facilitate spying on Instagram users, do we really think they'll resist Kier Starmer's demands to remove Signal – and any other app that stands up to the Snooper's Charter – from the App Store?
It goes without saying that the "bad guys" the UK government claims it wants to target will be able to communicate in secret no matter what Apple does here. They can just use an Android phone and sideload a secure messaging app, or register an iPhone in Ireland or any other country and bring it to the UK. The only people who will be harmed by the combination of the British government's reckless disregard for security, and Apple's designs that trade the security of its users for the security of its shareholders are millions of law-abiding Britons, whose most sensitive data will be up for grabs by anyone who hacks their accounts.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
THIS WEEKEND (November 8-10), I'll be in TUCSON, AZ: I'm the GUEST OF HONOR at the TUSCON SCIENCE FICTION CONVENTION.
My latest Locus Magazine column is "Hard (Sovereignty) Cases Make Bad (Internet) Law," an attempt to cut through the knots we tie ourselves in when speech and national sovereignty collide online:
This happens all the time. Indeed, the precipitating incident for my writing this column was someone commenting on the short-lived Brazilian court order blocking Twitter, opining that this was purely a matter of national sovereignty, with no speech dimension.
This is just profoundly wrong. Of course any rules about blocking a communications medium will have a free-speech dimension – how could it not? And of course any dispute relating to globe-spanning medium will have a national sovereignty dimension.
How could it not?
So if every internet fight is a speech fight and a sovereignty fight, which side should we root for? Here's my proposal: we should root for human rights.
In 2013, Edward Snowden revealed that the US government was illegally wiretapping the whole world. They were able to do this because the world is dominated by US-based tech giants and they shipped all their data stateside for processing. These tech giants secretly colluded with the NSA to help them effect this illegal surveillance (the "Prism" program) – and then the NSA stabbed them in the back by running another program ("Upstream") where they spied on the tech giants without their knowledge.
After the Snowden revelations, countries around the world enacted "data localization" rules that required any company doing business within their borders to keep their residents' data on domestic servers. Obviously, this has a human rights dimension: keeping your people's data out of the hands of US spy agencies is an important way to defend their privacy rights. which are crucial to their speech rights (you can't speak freely if you're being spied on).
So when the EU, a largely democratic bloc, enacted data localization rules, they were harnessing national soveriegnty in service to human rights.
But the EU isn't the only place that enacted data-localization rules. Russia did the same thing. Once again, there's a strong national sovereignty case for doing this. Even in the 2010s, the US and Russia were hostile toward one another, and that hostility has only ramped up since. Russia didn't want its data stored on NSA-accessible servers for the same reason the USA wouldn't want all its' people's data stored in GRU-accessible servers.
But Russia has a significantly poorer human rights record than either the EU or the USA (note that none of these are paragons of respect for human rights). Russia's data-localization policy was motivated by a combination of legitimate national sovereignty concerns and the illegitimate desire to conduct domestic surveillance in order to identify and harass, jail, torture and murder dissidents.
When you put it this way, it's obvious that national sovereignty is important, but not as important as human rights, and when they come into conflict, we should side with human rights over sovereignty.
Some more examples: Thailand's lesse majeste rules prohibit criticism of their corrupt monarchy. Foreigners who help Thai people circumvent blocks on reportage of royal corruption are violating Thailand's national sovereignty, but they're upholding human rights:
Saudi law prohibits criticism of the royal family; when foreigners help Saudi women's rights activists evade these prohibitions, we violate Saudi sovereignty, but uphold human rights:
In other words, "sovereignty, yes; but human rights even moreso."
Which brings me back to the precipitating incidents for the Locus column: the arrest of billionaire Telegram owner Pavel Durov in France, and the blocking of billionaire Elon Musk's Twitter in Brazil.
How do we make sense of these? Let's start with Durov. We still don't know exactly why the French government arrested him (legal systems descended from the Napoleonic Code are weird). But the arrest was at least partially motivated by a demand that Telegram conform with a French law requiring businesses to have a domestic agent to receive and act on takedown demands.
Not every takedown demand is good. When a lawyer for the Sackler family demanded that I take down criticism of his mass-murdering clients, that was illegitimate. But there is such a thing as a legitimate takedown: leaked financial information, child sex abuse material, nonconsensual pornography, true threats, etc, are all legitimate targets for takedown orders. Of course, it's not that simple. Even if we broadly agree that this stuff shouldn't be online, we don't necessarily agree whether something fits into one of these categories.
This is true even in categories with the brightest lines, like child sex abuse material:
But just because not every takedown is a just one, it doesn't follow that every takedown is unjust. The idea that companies should have domestic agents in the countries where they operate isn't necessarily oppressive. If people who sell hamburgers from a street-corner have to register a designated contact with a regulator, why not someone who operates a telecoms network with 900m global users?
Of course, requirements to have a domestic contact can also be used as a prelude to human rights abuses. Countries that insist on a domestic rep are also implicitly demanding that the company place one of its employees or agents within reach of its police-force.
Just as data localization can be a way to improve human rights (by keeping data out of the hands of another country's lawless spy agencies) or to erode them (by keeping data within reach of your own country's lawless spy agencies), so can a requirement for a local agent be a way to preserve the rule of law (by establishing a conduit for legitimate takedowns) or a way to subvert it (by giving the government hostages they can use as leverage against companies who stick up for their users' rights).
In the case of Durov and Telegram, these issues are especially muddy. Telegram bills itself as an encrypted messaging app, but that's only sort of true. Telegram does not encrypt its group-chats, and even the encryption in its person-to-person messaging facility is hard to use and of dubious quality.
This is relevant because France – among many other governments – has waged a decades-long war against encrypted messaging, which is a wholly illegitimate goal. There is no way to make an encrypted messaging tool that works against bad guys (identity thieves, stalkers, corporate and foreign spies) but not against good guys (cops with legitimate warrants). Any effort to weaken end-to-end encrypted messaging creates broad, significant danger for every user of the affected service, all over the world. What's more, bans on end-to-end encrypted messaging tools can't stand on their own – they also have to include blocks of much of the useful internet, mandatory spyware on computers and mobile devices, and even more app-store-like control over which software you can install:
So when the French state seizes Durov's person and demands that he establish the (pretty reasonable) minimum national presence needed to coordinate takedown requests, it can seem like this is a case where national sovereignty and human rights are broadly in accord.
But when you consider that Durov operates a (nominally) encrypted messaging tool that bears some resemblance to the kinds of messaging tools the French state has been trying to sabotage for decades, and continues to rail against, the human rights picture gets rather dim.
That is only slightly mitigated by the fact that Telegram's encryption is suspect, difficult to use, and not applied to the vast majority of the communications it serves. So where do we net out on this? In the Locus column, I sum things up this way:
Telegram should have a mechanism to comply with lawful takedown orders; and
those orders should respect human rights and the rule of law; and
Telegram should not backdoor its encryption, even if
the sovereign French state orders it to do so.
Sovereignty, sure, but human rights even moreso.
What about Musk? As with Durov in France, the Brazilian government demanded that Musk appoint a Brazilian representative to handle official takedown requests. Despite a recent bout of democratic backsliding under the previous regime, Brazil's current government is broadly favorable to human rights. There's no indication that Brazil would use an in-country representative as a hostage, and there's nothing intrinsically wrong with requiring foreign firms doing business in your country to have domestic representatives.
Musk's response was typical: a lawless, arrogant attack on the judge who issued the blocking order, including thinly veiled incitements to violence.
The Brazilian state's response was multi-pronged. There was a national blocking order, and a threat to penalize Brazilians who used VPNs to circumvent the block. Both measures have obvious human rights implications. For one thing, the vast majority of Brazilians who use Twitter are engaged in the legitimate exercise of speech, and they were collateral damage in the dispute between Musk and Brazil.
More serious is the prohibition on VPNs, which represents a broad attack on privacy-enhancing technology with implications far beyond the Twitter matter. Worse still, a VPN ban can only be enforced with extremely invasive network surveillance and blocking orders to app stores and ISPs to restrict access to VPN tools. This is wholly disproportionate and illegitimate.
But that wasn't the only tactic the Brazilian state used. Brazilian corporate law is markedly different from US law, with fewer protections for limited liability for business owners. The Brazilian state claimed the right to fine Musk's other companies for Twitter's failure to comply with orders to nominate a domestic representative. Faced with fines against Spacex and Tesla, Musk caved.
In other words, Brazil had a legitimate national sovereignty interest in ordering Twitter to nominate a domestic agent, and they used a mix of somewhat illegitimate tactics (blocking orders), extremely illegitimate tactics (threats against VPN users) and totally legitimate tactics (fining Musk's other companies) to achieve these goals.
As I put it in the column:
Twitter should have a mechanism to comply with lawful takedown orders; and
those orders should respect human rights and the rule of law; and
banning Twitter is bad for the free speech rights of Twitter users in Brazil; and
banning VPNs is bad for all Brazilian internet users; and
it’s hard to see how a Twitter ban will be effective without bans on VPNs.
There's no such thing as an internet policy fight that isn't about national sovereignty and speech, and when the two collide, we should side with human rights over sovereignty. Sovereignty isn't a good unto itself – it's only a good to the extent that is used to promote human rights.
In other words: "Sovereignty, sure, but human rights even moreso."
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
NEXT WEEKEND (June 7–9), I'm in AMHERST, NEW YORK to keynote the 25th Annual Media Ecology Association Convention and accept the Neil Postman Award for Career Achievement in Public Intellectual Activity.
No one was better positioned to tell the tale of the largest sting operation in world history than veteran tech reporter Joseph Cox, and tell it he did, in Dark Wire, released today:
Cox – who was one of Motherboard's star cybersecurity reporters before leaving to co-found 404 Media – has spent years on the crimephone beat, tracking vendors who sold modded phones (first Blackberries, then Android phones) to criminal syndicates with the promise that they couldn't be wiretapped by law-enforcement.
It's possible that some of these phones were secure over long timescales, but all the ones we know about are ones that law enforcement eventually caught up with, usually by capturing the company's top founders explicitly stating that the phones were sold to assist in the commission of crimes, and admitting to remote-wiping phones to obstruct law-enforcement options. It's hard to prove intent but it gets a lot easier when the criminal puts that intent into writing (that's true of tech executives, too!):
But after a particularly spectacular bust landed one of the top crimephone sales reps in the FBI's power, they got a genuinely weird idea: why not start their own crimephone company?
The plan was to build an incredibly secure, best-of-breed crimephone, one with every feature that a criminal would want to truly insulate themselves from law enforcement while still offering everything a criminal could need to plan and execute crimes.
They would tap into the network of crimephone distributors around the world, not telling them who they were truly selling for – nor that every one of these phones had a back-door that allowed law-enforcement to access every single message, photo and file.
This is the beginning of an incredible tale that is really two incredible tales. The first is the story of the FBI and its partners as they scaled up Anom, their best-of-breed crimephone business. This is a (nearly) classic startup tale, full of all-nighters, heroic battles against the odds, and the terror and exhilaration of "hockey-stick" growth.
The difference between this startup and the others we're already familiar with is obvious: the FBI and its global partners are acting under a totally different set of constraints to normal startup founders. For one thing, their true mission and identity must be kept totally secret. For another, they have to navigate the bureaucratic barriers of not one, but many governments and their courts, constitutions and procedures.
Finally, there are the stakes: while the bulk of the crimes that the FBI targets with Anom are just the usual futile war-on-drugs nonsense (albeit at a never-before seen scale), they also routinely encounter murders, kidnappings, tortures, firebombings, and other serious crimes, either in the planning phase, or after they have been committed. They have to make moment-to-moment calls about when and whether to do something about these, as each action taken based on intercepts from Anom threatens to tip the FBI's hand.
That's one of the startup stories in Cox's book. The other one is the crime startup, the one that the hapless criminal syndicates that sign up to distribute Anom devices find themselves in the middle of. They, too, are experiencing hockey-stick growth. They, too, have a fantastically lucrative tiger by the tail. And they, too, have a unique set of challenges that make this startup different from any other.
The obvious difference is that they are involved in global criminal conspiracies. They have to both grow and remain hidden. The tradecraft and skullduggery are fascinating, in the manner of any great crime procedural tale. But there's another constraint: these criminals are competing with one another to corner the market on these incredibly lucrative phones. Being part of violent, global criminal conspiracies, they don't confine themselves to the normal Silicon Valley crimes of violating antitrust law – they are engaged in all-out warfare.
These two startups are, of course, the same startup, but only one side knows it. As Cox weaves these two tales together – along with glimpses into the lives of the hapless gig-work developers in Asia who are developing and maintaining the Anom platform – we get front seat in a series of high-speed, high-stakes near-collisions between these two groups.
And it's not always the cops who have the advantage. When an ambitious mobster figures out how to clone the "black boxes" that initialize new Anom phones, the FBI are caught flatfooted as the number of Anom devices in the hands of criminals balloons, producing a volume of intercepts that vastly exceeds their processing capacity.
Cox has been on this story for a decade, and it shows. He has impeccable sourcing and encyclopedic access to the court records and other public details that allow him to reproduce many of the most dramatic scenes in the Anom caper verbatim. This really shines in the final section of the book, when the FBI and its partners decide to roll up the company with a series of global arrests that culminate in a triumphant press-conference in which the true masters of Anom are revealed.
As a privacy and encryption advocate, there were moments in this story that made me a little uncomfortable. There are places where the FBI is chafing at the constitutional limits on its surveillance powers where we can't help buy sympathize with these "good guys" going after "bad guys." But this the the FBI, a lawless, unaccountable secret police who routinely bypass those limits by secretly buying data from sleazy data-brokers, or illegally sharing data with the NSA.
The conclusion really hammers home the point that the FBI's problem isn't constitutional niceties. Despite seizing hundreds of tons of illegal drugs and arresting thousands of high-ranking criminal syndicate bosses, Anom made no difference in the drug trade. Prohibition, after all, just makes criminals more wealthy and powerful. The Anom raids were, at worst, the cost of doing business – and at best, they were a global reset that cleared the board of established actors so that other criminals could seize their turf.
But even though Anom didn't triumph over crime, Dark Wire is a triumph. The book's out today, and there will shortly be a Netflix adaptation based on it, directed by Jason Bateman:
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Crypto Wars a Game Based in Crypto Currencies for Android and iOS
Crypto Wars a Game Based in Crypto Currencies for Android and iOS
Crypto Wars is offline action platformer game developed by BAP IT Co.,Ltd. It is about Bitcoin’s journey when he starts to find his father, Satoshi Nakamoto, who Bitcoin knows only a name but nothing else. It is one of the first action platformer game that is base in virtual currencies, the appearance of virtual currencies in shapes of the real characters, unique art style and smooth gameplay and…