If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
I don't think that it's impossible for politicians, even nontechnical politicians, to make good tech policy. After all, the fact that no one in Congress is a microbiologist doesn't stop federal standards from delivering potable water (and it doesn't excuse the ghastly failures, such as Flint, MI):
For politicians to make good policy, they don't need to be technical experts: they need to have solid, independent, well-resourced expert agencies. Those would be the very agencies that Trump and Musk have DOGEd into oblivion, which is pretty ominous, since the work of expert agencies is how you avoid dying of food poisoning, water poisoning, air poisoning, collapsing buildings, faulty antilock brakes, train explosions and plane-crashes.
But when it comes to tech policy, politicians get it all so goddamned wrong. Partly that's because the cartel of tech companies lies to them like crazy, even under oath, leading to a kind of nihilistic refusal to believe any expert input. Mark Zuckerberg wants you to think that's it's inconceivable for you to have a social life without him eavesdropping on it, and any rule demanding this is a farce, like a demand to make water that's not wet:
Big Tech's highly resourced bullshit machine convinces some politicians that technical expertise is not to be trusted, and gives other, more cynical politicians cover for ignoring experts by saying, "Oh you people are always telling us that this or that is impossible."
For example, since the Clinton era, politicians all over the world demanded a kind of impossible encryption: encryption that works perfectly when it's doing something legitimate, like keeping hackers from pushing malware to your pacemaker or stealing your life's savings or listening in on you through your phone's microphone, but also they require that this encryption offer no protection to criminals, drug dealers, terrorists, child abusers, and other miscreants.
This really is like water that's not wet. We can make encryption that works. It's hard to get right, but when we do, it offers a wondrous level of protection from interception and eavesdropping, scrambling our data so thoroughly that you would have to consume multiple universes worth of time and space to build all the computers necessary to guess the descrambling key. We can also make encryption that doesn't work. People do this by accident all the time. Sometimes, the NSA does it on purpose (and doesn't mention that fact to the people who rely on it for their safety and integrity):
https://en.wikipedia.org/wiki/Dual_EC_DRBG
But what we absolutely, positively, totally cannot make is encryption that both works and does not work, depending on whose secrets it is protecting. That's impossible.
But when technologists tell policymakers this, they tell us that they have every confidence in our ingenuity, and also, they can't be certain we're not telling a Zuck-style fable about how the stuff we merely disprefer is actually impossible. They tell us to NERD HARDER!
NERD HARDER! is the answer every time a politician gets a technological idée-fixe about how to solve a social problem by creating a technology that can't exist. It's the answer that EU politicians who backed the catastrophic proposal to require copyright filters for all user-generated content came up with, when faced with objections that these filters would block billions of legitimate acts of speech:
When politicians seize on a technological impossibility as a technological necessity, they flail about and desperately latch onto scholarly work that they can brandish as evidence that their idea could be accomplished.
For example, back in 2019, Trump's Bureau of Land Management tried to impose a ton of absolutely bizarre, environmentally devastating requirements on Burning Man's land-use permit. One of these requirements was to effectively ban LED lights at night (!), on the basis that these were so bright at altitude that they could disrupt nocturnal birds.
In support of this measure, the BLM cited a PhD dissertation from a physicist who developed a method for estimating light pollution. That physicist turns out to be a burner, who filed comments in the docket describing how the BLM had misapplied his work, making crude mathematical errors that led them to grossly overstate the amount of light pollution at altitude (I've just spent an hour trying to find this comment and I came up craps – if you can find it, please let me know, as it was delicious).
That kind of Annie Hall/Marshall McLuhan/"You know nothing of my work" moment is always fantastic, and especially so when politicians are demanding that technologists NERD HARDER! to realize their cherished impossibilities.
That's just happened, and in relation to one of the scariest, most destructive NERD HARDER! tech policies ever to be assayed (a stiff competition). I'm talking about the UK Online Safety Act, which imposes a duty on websites to verify the age of people they communicate with before serving them anything that could be construed as child-inappropriate (a category that includes, e.g., much of Wikipedia):
The Starmer government has, incredibly, developed a passion for internet regulations that are even stupider than Tony Blair's and David Cameron's. Requiring people to identify themselves (generally, via their credit cards) in order to look at porn will create a giant database of every kink and fetish of every person in the UK, which will inevitably leak and provide criminals and foreign spies with a kompromat system they can sort by net worth of the people contained within.
This hasn't deterred Starmer, who insists that if we just NERD HARDER!, we can use things like "zero-knowledge proofs" to create "privacy-preserving" age verification system, whereby a service can assure itself that it is communicating with an adult without ever being able to determine who it is communicating with.
In support of this idea, Starmer and co like to cite some genuinely exciting and cool cryptographic work on privacy-preserving credential schemes. Now, one of the principal authors of the key papers on these credential schemes, Steve Bellovin, has published a paper that is pithily summed up via its title, "Privacy-Preserving Age Verification—and Its Limitations":
The tldr of this paper is that Starmer's idea will not work and cannot work. The research he relies on to defend the technological feasibility of his cherished plan does not support his conclusion.
Bellovin starts off by looking at the different approaches various players have mooted for verifying their users' age. For example, Google says it can deploy a "behavioral" system that relies on Google surveillance dossiers to make guesses about your age. Google refuses to explain how this would work, but Bellovin sums up several of the well-understood behavioral age estimation techniques and explains why they won't work. It's one thing to screw up age estimation when deciding which ad to show you; it's another thing altogether to do this when deciding whether you can access the internet.
Others say they can estimate your age by using AI to analyze a picture of your face. This is a stupid idea for many reasons, not least of which is that biometric age estimation is notoriously unreliable when it comes to distinguishing, say, 16 or 17 year olds from 18 year olds. Nevertheless, there are sitting US Congressmen who not only think this would work – they labor under the misapprehension that this is already going on:
So that just leaves the privacy-preserving credential schemes, especially the Camenisch-Lysyanskaya protocol. This involves an Identity Provider (IDP) that establishes a user's identity and characteristics using careful document checks and other procedures. The IDP then hands the user a "primary credential" that can attest to everything the IDP knows about the user, and any number of "subcredentials" that only attest to specific facts about that user (such as their age).
These are used in zero-knowledge proofs (ZKP) – a way for two parties to validate that one of them asserts a fact without learning what that fact is in the process (this is super cool stuff). Users can send their subcredentials to a third party, who can use a ZKP to validate them without learning anything else about the user – so you could prove your age (or even just prove that you are over 18 without disclosing your age at all) without disclosing your identity.
There's some good news for implementing CL on the web: rather than developing a transcendentally expensive and complex new system for these credential exchanges and checks, CL can piggyback on the existing Public Key Infrastructure (PKI) that powers your browser's ability to have secure sessions. When you visit a website with https:// in front of the address (instead of just http://).
However, doing so poses several difficulties, which Bellovin enumerates under a usefully frank section header: "INSURMOUNTABLE OBSTACLES."
The most insurmountable of these obstacles is getting set up with an IDP in the first place – that is, proving who you are to some agency, but only one such agency (so you can't create two primary credentials and share one of them with someone underage). Bellovin cites Supreme Court cases about voter ID laws and the burdens they impose on people who are poor, old, young, disabled, rural, etc.
Fundamentally, it can be insurmountably hard for a lot of people to get, say, a driver's license, or any other singular piece of ID that they can provide to an IDP in order to get set up on the system.
The usual answer for this is for IDPs to allow multiple kinds of ID. This does ease the burden on users, but at the expense of creating fatal weaknesses in the system: if you can set up an identity with multiple kinds of ID, you can visit different IDPs and set up an ID with each (just as many Americans today have drivers licenses from more than one state).
The next obstacle is "user challenges," like the problem of households with shared computers, or computers in libraries, hotels, community centers and other public places. The only effective way to do this is to create (expensive) online credential stores, which are likely to be out of reach of the poor and disadvantaged people who disproportionately rely on public or shared computers.
Next are the "economic issues": this stuff is expensive to set up and maintain, and someone's gotta pay for it. We could ask websites that offer kid-inappropriate content to pay for it, but that sets up an irreconcilable conflict of interest. These websites are going to want to minimize their costs, and everything they can do to reduce costs will make the system unacceptably worse. For example, they could choose only to set up accounts with IDPs that are local to the company that operates the server, meaning that anyone who lives somewhere else and wants to access that website is going to have to somehow get certified copies of e.g. their birth certificate and driver's license to IDPs on the other side of the planet. The alternative to having website foot the bill for this is asking users to pay for it – meaning that, once again, we exclude poor people from the internet.
Finally, there's "governance": who runs this thing? In practice, the security and privacy guarantees of the CL protocol require two different kinds of wholly independent institutions: identity providers (who verify your documents), and certificate authorities (who issue cryptographic certificates based on those documents). If these two functions take place under one roof, the privacy guarantees of the system immediately evaporate.
An IDP's most important role is verifying documents and associating them with a specific person. But not all IDPs will be created equal, and people who wish to cheat the system will gravitate to the worst IDPs. However, lots of people who have no nefarious intent will also use these IDPs, merely because they are close by, or popular, or were selected at random. A decision to strike off an IDP and rescind its verifications will force lots of people – potentially millions of people – to start over with the whole business of identifying themselves, during which time they will be unable to access much of the web. There's no practical way for the average person to judge whether an IDP they choose is likely to be found wanting in the future.
So we can regulate IDPs, but who will do the regulation? Age verification laws affect people outside of a government's national territory – anyone seeking to access content on a webserver falls under age verification's remit. Remember, IDPs handle all kinds of sensitive data: do you want Russia, say, to have a say in deciding who can be an IDP and what disclosure rules you will have to follow?
To regulate IDPs (and certificate authorities), these entities will have to keep logs, which further compromises the privacy guarantees of the CL protocol.
Looming all of this is a problem with the CL protocol as being built on regulated entities, which is that CL is envisioned as a way to do all kinds of business, from opening a bank account to proving your vaccination status or your right to work or receive welfare. Authoritarian governments who order primary credential revocations of their political opponents could thoroughly and terrifyingly "unperson" them at the stroke of a pen.
The paper's conclusions provide a highly readable summary of these issues, which constitute a stinging rebuke to anyone contemplating age-verification schemes. These go well beyond the UK, and are in the works in Canada, Australia, the EU, Texas and Louisiana.
Age verification is an impossibility, and an impossibly terrible idea with impossibly vast consequences for privacy and the open web, as my EFF colleague Jason Kelley explained on the Malwarebytes podcast:
Politicians – even nontechnical ones – can make good tech policy, provided they take expert feedback seriously (and distinguish it from self-interested industry lobbying).
When it comes to tech policy, wanting it badly is not enough. The fact that it would be really cool if we could get technology to do something has no bearing on whether we can actually get technology to do that thing. NERD HARDER! isn't a policy, it's a wish.
Wish in one hand and shit in the other and see which one will be full first:
On September 22, I'm (virtually) presenting at the DIG Festival in Modena, Italy. On September 27, I'll be at Chevalier's Books in Los Angeles with Brian Merchant for a joint launch for my new book The Internet Con and his new book, Blood in the Machine.
As a teenager growing up in Ontario, I always envied the kids who spent their summers tree planting; they'd come back from the bush in September, insect-chewed and leathery, with new muscle, incredible stories, thousands of dollars, and a glow imparted by the knowledge that they'd made a new forest with their own blistered hands.
I was too unathletic to follow them into the bush, but I spent my summers doing my bit, ringing doorbells for Greenpeace to get my neighbours fired up about the Canadian pulp-and-paper industry, which wasn't merely clear-cutting our old-growth forests – it was also poisoning the Great Lakes system with PCBs, threatening us all.
At the time, I thought of tree-planting as a small victory – sure, our homegrown, rapacious, extractive industry was able to pollute with impunity, but at least the government had reined them in on forests, forcing them to pay my pals to spend their summers replacing the forests they'd fed into their mills.
I was wrong. Last summer's Canadian wildfires blanketed the whole east coast and midwest in choking smoke as millions of trees burned and millions of tons of CO2 were sent into the atmosphere. Those wildfires weren't just an effect of the climate emergency: they were made far worse by all those trees planted by my pals in the eighties and nineties.
Writing in the New York Times, novelist Claire Cameron describes her own teen years working in the bush, planting row after row of black spruces, precisely spaced at six-foot intervals:
Cameron's summer job was funded by the logging industry, whose self-pegulated, self-assigned "penalty" for clearcutting diverse forests of spruce, pine and aspen was to pay teenagers to create a tree farm, at nine cents per sapling (minus camp costs).
Black spruces are made to burn, filled with flammable sap and equipped with resin-filled cones that rely on fire, only opening and dropping seeds when they're heated. They're so flammable that firefighters call them "gas on a stick."
Cameron and her friends planted under brutal conditions: working long hours in blowlamp heat and dripping wet bulb humidity, amidst clouds of stinging insects, fingers blistered and muscles aching. But when they hit rock bottom and were ready to quit, they'd encourage one another with a rallying cry: "Let's go make a forest!"
Planting neat rows of black spruces was great for the logging industry: the even spacing guaranteed that when the trees matured, they could be easily reaped, with ample space between each near-identical tree for massive shears to operate. But that same monocropped, evenly spaced "forest" was also optimized to burn.
It burned.
The climate emergency's frequent droughts turn black spruces into "something closer to a blowtorch." The "pines in lines" approach to reforesting was an act of sabotage, not remediation. Black spruces are thirsty, and they absorb the water that moss needs to thrive, producing "kindling in the place of fire retardant."
Cameron's column concludes with this heartbreaking line: "Now when I think of that summer, I don’t think that I was planting trees at all. I was planting thousands of blowtorches a day."
The logging industry committed a triple crime. First, they stole our old-growth forests. Next, they (literally) planted a time-bomb across Ontario's north. Finally, they stole the idealism of people who genuinely cared about the environment. They taught a generation that resistance is futile, that anything you do to make a better future is a scam, and you're a sucker for falling for it. They planted nihilism with every tree.
That scam never ended. Today, we're sold carbon offsets, a modern Papal indulgence. We are told that if we pay the finance sector, they can absolve us for our climate sins. Carbon offsets are a scam, a market for lemons. The "offset" you buy might be a generated by a fake charity like the Nature Conservancy, who use well-intentioned donations to buy up wildlife reserves that can't be logged, which are then converted into carbon credits by promising not to log them:
The credit-card company that promises to plant trees every time you use your card? They combine false promises, deceptive advertising, and legal threats against critics to convince you that you're saving the planet by shopping:
The carbon offset world is full of scams. The carbon offset that made the thing you bought into a "net zero" product? It might be a forest that already burned:
The only reason we have carbon offsets is that market cultists have spent forty years convincing us that actual regulation is impossible. In the neoliberal learned helplessness mind-palace, there's no way to simply say, "You may not log old-growth forests." Rather, we have to say, "We will 'align your incentives' by making you replace those forests."
The Climate Ad Project's "Murder Offsets" video deftly punctures this bubble. In it, a detective points his finger at the man who committed the locked-room murder in the isolated mansion. The murderer cheerfully admits that he did it, but produces a "murder offset," which allowed him to pay someone else not to commit a murder, using market-based price-discovery mechanisms to put a dollar-figure on the true worth of a murder, which he duly paid, making his kill absolutely fine:
What's the alternative to murder offsets/carbon credits? We could ask our expert regulators to decide which carbon intensive activities are necessary and which ones aren't, and ban the unnecessary ones. We could ask those regulators to devise remediation programs that actually work. After all, there are plenty of forests that have already been clearcut, plenty that have burned. It would be nice to know how we can plant new forests there that aren't "thousands of blowtorches."
If that sounds implausible to you, then you've gotten trapped in the neoliberal mind-palace.
The term "regulatory capture" was popularized by far-right Chicago School economists who were promoting "public choice theory." In their telling, regulatory capture is inevitable, because companies will spend whatever it takes to get the government to pass laws making what they do legal, and making competing with them into a crime:
This is true, as far as it goes. Capitalists hate capitalism, and if an "entrepreneur" can make it illegal to compete with him, he will. But while this is a reasonable starting-point, the place that Public Choice Theory weirdos get to next is bonkers. They say that since corporations will always seek to capture their regulators, we should abolish regulators.
They say that it's impossible for good regulations to exist, and therefore the only regulation that is even possible is to let businesses do whatever they want and wait for the invisible hand to sweep away the bad companies. Rather than creating hand-washing rules for restaurant kitchens, we should let restaurateurs decide whether it's economically rational to make us shit ourselves to death. The ones that choose poorly will get bad online reviews and people will "vote with their dollars" for the good restaurants.
And if the online review site decides to sell "reputation management" to restaurants that get bad reviews? Well, soon the public will learn that the review site can't be trusted and they'll take their business elsewhere. No regulation needed! Unleash the innovators! Set the job-creators free!
This is the Ur-nihilism from which all the other nihilism springs. It contends that the regulations we have – the ones that keep our buildings from falling down on our heads, that keep our groceries from poisoning us, that keep our cars from exploding on impact – are either illusory, or perhaps the forgotten art of a lost civilization. Making good regulations is like embalming Pharaohs, something the ancients practiced in mist-shrouded, unrecoverable antiquity – and that may not have happened at all.
Regulation is corruptible, but it need not be corrupt. Regulation, like science, is a process of neutrally adjudicated, adversarial peer-review. In a robust regulatory process, multiple parties respond to a fact-intensive question – "what alloys and other properties make a reinforced steel joist structurally sound?" – with a mix of robust evidence and self-serving bullshit and then proceed to sort the two by pantsing each other, pointing out one another's lies.
The regulator, an independent expert with no conflicts of interest, sorts through the claims and counterclaims and makes a rule, showing their workings and leaving the door open to revisiting the rule based on new evidence or challenges to the evidence presented.
But when an industry becomes concentrated, it becomes unregulatable. 100 small and medium-sized companies will squabble. They'll struggle to come up with a common lie. There will always be defectors in their midst. Their conduct will be legible to external experts, who will be able to spot the self-serving BS.
But let that industry dwindle to a handful of giant companies, let them shrink to a number that will fit around a boardroom table, and they will sit down at a table and agree on a cozy arrangement that fucks us all over to their benefit. They will become so inbred that the only people who understand how they work will be their own insiders, and so top regulators will be drawn from their own number and be hopelessly conflicted.
When the corporate sector takes over, regulatory capture is inevitable. But corporate takeover isn't inevitable. We can – and have, and will again – fight corporate power, with antitrust law, with unions, and with consumer rights groups. Knowing things is possible. It simply requires that we keep the entities that profit by our confusion poor and thus weak.
The thing is, corporations don't always lie about regulations. Take the fight over working encryption, which – once again – the UK government is trying to ban:
Advocates for criminalising working encryption insist that the claims that this is impossible are the same kind of self-serving nonsense as claims that banning clearcutting of old-growth forests is impossible:
They say that when technologists say, "We can't make an encryption system that keeps bad guys out but lets good guys in," that they are being lazy and unimaginative. "I have faith in you geeks," they said. "Go nerd harder! You'll figure it out."
Google and Apple and Meta say that selectively breakable encryption is impossible. But they also claim that a bunch of eminently possible things are impossible. Apple claims that it's impossible to have a secure device where you get to decide which software you want to use and where publishers aren't deprive of 30 cents on every dollar you spend. Google says it's impossible to search the web without being comprehensively, nonconsensually spied upon from asshole to appetite. Meta insists that it's impossible to have digital social relationship without having your friendships surveilled and commodified.
While they're not lying about encryption, they are lying about these other things, and sorting out the lies from the truth is the job of regulators, but that job is nearly impossible thanks to the fact that everyone who runs a large online service tells the same lies – and the regulators themselves are alumni of the industry's upper eschelons.
Logging companies know a lot about forests. When we ask, "What is the best way to remediate our forests," the companies may well have useful things to say. But those useful things will be mixed with actively harmful lies. The carefully cultivated incompetence of our regulators means that they can't tell the difference.
Conspiratorialism is characterized as a problem of what people believe, but the true roots of conspiracy belief isn't what we believe, it's how we decide what to believe. It's not beliefs, it's epistemology.
Because most of us aren't qualified to sort good reforesting programs from bad ones. And even if we are, we're probably not also well-versed enough in cryptography to sort credible claims about encryption from wishful thinking. And even if we're capable of making that determination, we're not experts in food hygiene or structural engineering.
Daily life in the 21st century means resolving a thousand life-or-death technical questions every day. Our regulators – corrupted by literally out-of-control corporations – are no longer reliable sources of ground truth on these questions. The resulting epistemological chaos is a cancer that gnaws away at our resolve to do anything about it. It is a festering pool where nihilism outbreaks are incubated.
The liberal response to conspiratorialism is mockery. In her new book Doppelganger, Naomi Klein tells of how right-wing surveillance fearmongering about QR-code "vaccine passports" was dismissed with a glib, "Wait until they hear about cellphones!"
But as Klein points out, it's not good that our cellphones invade our privacy in the way that right-wing conspiracists thought that vaccine passports might. The nihilism of liberalism – which insists that things can't be changed except through market "solutions" – leads us to despair.
By contrast, leftism – a muscular belief in democratic, publicly run planning and action – offers a tonic to nihilism. We don't have to let logging companies decide whether a forest can be cut, or what should be planted when it is. We can have nice things. The art of finding out what's true or prudent didn't die with the Reagan Revolution (or the discount Canadian version, the Mulroney Malaise). The truth is knowable. Doing stuff is possible. Things don't have to be on fire.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Picks and Shovels is a new, standalone technothriller starring Marty Hench, my two-fisted, hard-fighting, tech-scam-busting forensic accountant. You can pre-order it on my latest Kickstarter, which features a brilliant audiobook read by Wil Wheaton.
Truth is provisional! Sometimes, the things we understand to be true about the world change, and stuff we've "always done" has to change, too. There comes a day when the evidence against using radium suppositories is overwhelming, and then you really must dig that radium out of your colon and safely dispose of it:
So it's natural and right that in the world, there will be people who want to revisit the received wisdom and best practices for how we live our lives, regulate our economy, and organize our society. But not a license to simply throw out the systems we rely on. Sure, maybe they're outdated or unnecessary, but maybe not. That's where "Chesterton's Fence" comes in:
Let us say, for the sake of simplicity, a fence or gate erected across a road. The more modern type of reformer goes gaily up to it and says, "I don't see the use of this; let us clear it away." To which the more intelligent type of reformer will do well to answer: "If you don't see the use of it, I certainly won't let you clear it away. Go away and think. Then, when you can come back and tell me that you do see the use of it, I may allow you to destroy it."
In other words, it's not enough to say, "This principle gets in the way of something I want to do, so let's throw it out because I'm pretty sure the inconvenience I'm experiencing is worse than the consequences of doing away with this principle." You need to have a theory of how you will prevent the harms the principle protects us from once you tear it down. That theory can be "the harms are imaginary" so it doesn't matter. Like, if you get rid of all the measures that defend us from hexes placed by evil witches, it's OK to say, "This is safe because evil witches aren't real and neither are hexes."
But you'd better be sure! After all, some preventative measures work so well that no living person has experienced the harms they guard us against. It's easy to mistake these for imaginary or exaggerated. Think of the antivaxers who are ideologically committed to a world in which human beings do not have a shared destiny, meaning that no one has a moral claim over the choices you make. Motivated reasoning lets those people rationalize their way into imagining that measles – a deadly and ferociously contagious disease that was a scourge for millennia until we all but extinguished it – was no big deal:
There's nothing wrong with asking whether longstanding health measures need to be carried on, or whether they can be sunset. But antivaxers' sloppy, reckless reasoning about contagious disease is inexcusable. They were warned, repeatedly, about the mass death and widespread lifelong disability that would follow from their pursuit of an ideological commitment to living as though their decisions have no effect on others. They pressed ahead anyway, inventing ever-more fanciful reasons why health is a purely private matter, and why "public health" was either a myth or a Communist conspiracy:
When RFK Jr kills your kids with measles or permanently disables them with polio, he doesn't get to say "I was just inquiring as to the efficacy of a longstanding measure, as is right and proper." He was told why the vaccine fence was there, and he came up with objectively very stupid reasons why that didn't matter, and then he killed your kids. He was warned.
Fuck that guy.
Or take Bill Clinton. From 1933 until 1999, American banks were regulated under the Glass-Steagall Act, which "structurally separated" them. Under structural separation, a "retail bank" – the bank that holds your savings and mortgage and provides you with a checkbook – could not be "investment bank." That meant it couldn't own or invest in businesses that competed with the businesses its depositors and borrowers ran. It couldn't get into other lines of business, either, like insurance underwriting.
Glass-Steagall was a fence that stood between retail banks and the casino economy. It was there for a fucking great reason: the failure to structurally separate banks allowed them to act like casinos, inflating a giant market bubble that popped on Black Friday in October 1929, kicking off the Great Depression. Congress built the structural separation fence to keep banks from doing it again.
In the 1990s, Bill Clinton agitated for getting rid of Glass-Steagall. He argued that new economic controls would allow the government to prevent another giant bubble and crash. This time, the banks would behave themselves. After all, hadn't they demonstrated their prudence for seven decades?
In fact, they hadn't. Every time banks figured out how to slip out of regulatory constraints they inflated another huge bubble, leading to another massive crash that made the rich obscenely richer and destroyed ordinary savers' lives. Clinton took office just as one of these finance-sector bombs – the S&L Crisis – was detonating. Clinton had no basis – apart from wishful thinking – to believe that deregulating banks would lead to anything but another gigantic crash.
But Clinton let his self interest – in presiding over a sugar-high economic expansion driven by deregulation – overrule his prudence (about the crash that would follow). Sure enough, in the last months of Clinton's presidency, the stock market imploded with the March 2000 dot-bomb. And because Congress learned nothing from the dot-com crash and declined to restore the Glass-Steagall fence, the crash led to another bubble, this time in subprime mortgages, and then, inevitably, we suffered the Great Financial Crisis.
Look: there's no virtue in having bank regulations for the sake of having them. It is conceptually possible for bank regulations to be useless or even harmful. There's nothing wrong with investigating whether the 70-year old Glass-Steagall Act was still needed in 1999. But Clinton was provided with a mountain of evidence about why Glass-Steagall was the only thing standing between Americans and economic chaos, including the evidence of the S&L Crisis, which was still underway when he took office, and he ignored all of them. If you lost everything – your home, your savings, your pension – in the dot-bomb or the Great Financial Crisis, Bill Clinton is to blame. He was warned. he ignored the warnings.
Fuck that guy.
No, seriously, fuck Bill Clinton. Deregulating banks wasn't Clinton's only passion. He also wanted to ban working cryptography. The cornerstone of Clinton's tech policy was the "Clipper Chip," a backdoored encryption chip that, by law, every technology was supposed to use. If Clipper had gone into effect, then cops, spooks, and anyone who could suborn, bribe, or trick a cop or a spook could break into any computer, server, mobile device, or embedded system in America.
When Clinton was told – over and over, in small, easy-to-understand words – that there was no way to make a security system that only worked when "bad guys" tried to break into it, but collapsed immediately if a "good guy" wanted to bypass it. We explained to him – oh, how we explained to him! – that working encryption would be all that stood between your pacemaker's firmware and a malicious update that killed you where you stood; all that stood between your antilock brakes' firmware and a malicious update that sent you careening off a cliff; all that stood between businesses and corporate espionage, all that stood between America and foreign state adversaries wanting to learn its secrets.
In response, Clinton said the same thing that all of his successors in the Crypto Wars have said: NERD HARDER! Just figure it out. Cops need to look at bad guys' phones, so you need to figure out how to make encryption that keeps teenagers safe from sextortionists, but melts away the second a cop tries to unlock a suspect's phone. Take Malcolm Turnbull, the former Australian Prime Minister. When he was told that the laws of mathematics dictated that it was impossible to build selectively effective encryption of the sort he was demanding, he replied, "The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia":
Fuck that guy. Fuck Bill Clinton. Fuck a succession of UK Prime Ministers who have repeatedly attempted to ban working encryption. Fuck 'em all. The stakes here are obscenely high. They have been warned, and all they say in response is "NERD HARDER!"
Now, of course, "crypto means cryptography," but the other crypto – cryptocurrency – deserves a look-in here. Cryptocurrency proponents advocate for a system of deregulated money creation, AKA "wildcat currencies." They say, variously, that central banks are no longer needed; or that we never needed central banks to regulate the money supply. Let's take away that fence. Why not? It's not fit for purpose today, and maybe it never was.
Why do we have central banks? The Fed – which is far from a perfect institution and could use substantial reform or even replacement – was created because the age of wildcat currencies was a nightmare. Wildcat currencies created wild economic swings, massive booms and even bigger busts. Wildcat currencies are the reason that abandoned haunted mansions feature so heavily in the American imagination: American towns and cities were dotted with giant mansions built by financiers who'd grown rich as bubbles expanded, then lost it all after the crash.
Prudent management of the money supply didn't end those booms and busts, but it substantially dampened them, ending the so-called "business cycle" that once terrorized Americans, destroying their towns and livelihoods and wiping out their savings.
It shouldn't surprise us that a new wildcat money sector, flogging "decentralized" cryptocurrencies (that they are nevertheless weirdly anxious to swap for your gross, boring old "fiat" money) has created a series of massive booms and busts, with insiders getting richer and richer, and retail investors losing everything.
If there was ever any doubt about whether wildcat currencies could be made safe by putting them on a blockchain, it is gone. Wildcat currencies are as dangerous today as they were in the 18th and 19th century – only moreso, since this new bad paper relies on the endless consumption of whole rainforests' worth of carbon, endangering not just our economy, but also the habitability of the planet Earth.
And nevertheless, the Trump administration is promising a new crypto golden age (or, ahem, a Gilded Age). And there are plenty of Democrats who continue to throw in with the rotten, corrupt crypto industry, which flushed billions into the 2024 election to bring Trump to office. The result is absolutely going to be more massive bubbles and life-destroying implosions. Fuck those guys. They were warned, and they did it anyway.
Speaking of the climate emergency: greetings from smoky Los Angeles! My city's on fire. This was not an unforeseeable disaster. Malibu is the most on-fire place in the world:
Since 1919, the region has been managed on the basis of "total fire suppression." This policy continued long after science showed that this creates "fire debt" in the form of accumulated fuel. The longer you go between fires, the hotter and more destructive those fires become, and the relationship is nonlinear. A 50-year fire isn't 250% more intense than a 20-year fire: it's 50,000% more intense.
Despite this, California has invested peanuts in regular controlled burns, which has created biennial uncontrolled burns – wildfires that cost thousands of times more than any controlled burn.
Speaking of underinvestment: PG&E has spent decades extracting dividends for its investors and bonuses for its execs, while engaging in near-total neglect of maintenance of its high-voltage transmission lines. Even with normal winds, these lines routinely fall down and start blazes.
But we don't have normal winds. The climate emergency has been steadily worsening for decades. LA is just the latest place to be on fire, or under water, or under ice, or baking in wet bulb temperatures. Last week in southern California, we were warned to expect gusts of 120mph.
They were warned. #ExxonKnew: in the early 1970s, Exxon's own scientists warned them that fossil fuel consumption would kick off climate change so drastic that it would endanger human civilzation. Exxon responded by burying the reports and investing in climate denial:
https://exxonknew.org/
They were warned! Warned about fire debt. Warned about transmission lines. Warned about climate change. And specific, named people, who individually had the power to heed these warnings and stave off disaster, ignored the warnings. They didn't make honest mistakes, either: they ignored the warnings because doing so made them extraordinarily, disgustingly rich. They used this money to create dynastic fortunes, and have created entire lineages of ultra-wealthy princelings in $900,000 watches who owe it all to our suffering and impending dooml
Fuck those guys. Fuck 'em all.
We've had so many missed opportunities, chances to make good policy or at least not make bad policy. The enshitternet didn't happen on its own. It was the foreseeable result of choices – again, choices made by named individuals who became very wealthy by ignoring the warnings all around them.
Let's go back to Bill Clinton, because more than anyone else, Clinton presided over some terrible technology regulations. In 1998, Clinton signed the Digital Millennium Copyright Act, a bill championed by Barney Frank (fuck that guy, too). Under Section 1201 of the Digital Millennium Copyright Act, it's a felony, punishable by a five year prison sentence, and a $500,000 fine, to tamper with a "digital lock."
That means that if HP uses a digital lock to prevent you from using third-party ink, it's a literal crime to bypass that lock. Which is why HP ink now costs $10,000/gallon, and why you print your shopping lists with colored water that costs more, ounce for ounce, than the sperm of a Kentucky Derby winner:
Clinton was warned that DMCA 1201 would soon metastasize into every kind of device – not just the games consoles and DVD players where it was first used, but medical implants, tractors, cars, home appliances – anything you could put a microchip into (Jay Freeman calls this "felony contempt of business-model"):
He ignored those warnings and signed the DMCA anyway (fuck that guy). Then, under Bush (fuck that guy), the US Trade Representative went all around the world demanding that America's trading partners adopt versions of this law (fuck that guy). In 2001, the European Parliament capitulated, enacting the EU Copyright Directive, whose Article 6 is a copy-paste of DMCA 1201 (fuck all those people).
Fast forward 20 years, and boy is there a lot of shit with microchips that can be boobytrapped with rent-extracting logic bombs that are illegal to research, describe, or disable.
Like choo-choo trains.
Last year, the Polish hacking group Dragon Sector was contacted by a public sector train company whose Newag trains kept going out of service. The operator suspected that Newag had boobytrapped the trains to punish the train company for getting its maintenance from a third-party contractor. When Dragon Sector investigated, they discovered that Newag had indeed riddled the trains' firmware with boobytraps. Trains that were taken to locations known to have third-party maintenance workshops were immediately bricked (hilariously, this bomb would detonate if trains just passed through stations near to these workshops, which is why another train company had to remove all the GPSes from its trains – they kept slamming to a halt when they approached a station near a third-party workshop). But Newag's logic bombs would brick trains for all kinds of reasons – merely keeping a train stationary for too many days would result in its being bricked. Installing a third-party component in a locomotive would also trigger a bomb, bricking the train.
In their talk at last year's Chaos Communications Congress, the Dragon Sector folks describe how they have been legally terrorized by Newag, which has repeatedly sued them for violating its "intellectual property" by revealing its sleazy, corrupt business practices. They also note that Newag continues to sell lots of trains in Poland, despite the widespread knowledge of its dirty business model, because public train operators are bound by procurement rules, and as long as Newag is the cheapest bidder, they get the contract:
The laws that let Newag make millions off a nakedly corrupt enterprise – and put the individuals who blew the whistle on it at risk of losing everything – were passed by Members of the European Parliament who were warned that this would happen, and they ignored those warnings, and now it's happening. Fuck those people, every one of 'em.
It's not just European parliamentarians who ignored warnings and did the bidding of the US Trade Representative, enacting laws that banned tampering with digital locks. In 2010, two Canadian Conservative Party ministers in the Stephen Harper government brought forward similar legislation. These ministers, Tony Clement (now a disgraced sex-pest and PPE grifter) and James Moore (today, a sleazeball white-shoe corporate lawyer), held a consultation on this proposal.
6, 138 people wrote in to say, "Don't do this, it will be hugely destructive." 54 respondents wrote in support of it. Clement and Moore threw out the 6,138 opposing comments. Moore explained why: these were the "babyish" responses of "radical extremists." The law passed in 2012.
Last year, the Canadian Parliament passed bills guaranteeing Canadians the Right to Repair and the right to interoperability. But Canadians can't act on either of these laws, because they would have to tamper with a digital lock to do so, and that's illegal, thanks to Tony Clement and James Moore. Who were warned. And who ignored those warnings. Fuck those guys:
Back in the 1990s, Bill Clinton had a ton of proposals for regulating the internet, but nowhere among those proposals will you find a consumer privacy law. The last time an American president signed a consumer privacy law was 1988, when Reagan signed the Video Privacy Protection Act and ensured that Americans would never have to worry that video-store clerks where telling the newspapers what VHS cassettes they took home.
In the years since, Congress has enacted exactly zero consumer privacy laws. None. This has allowed the out-of-control, unregulated data broker sector to metastasize into a cancer on the American people. This is an industry that fuels stalkers, discriminatory financial and hiring algorithms, and an ad-tech sector that lets advertisers target categories like "teenagers with depression," "seniors with dementia" and "armed service personnel with gambling addictions."
When the people cry out for privacy protections, Congress – and the surveillance industry shills that fund them – say we don't need a privacy law. The market will solve this problem. People are selling their privacy willingly, and it would be an "undue interference in the market" if we took away your "freedom to contract" by barring companies from spying on you after you clicked the "I agree" button.
These people have been repeatedly warned about the severe dangers to the American public – as workers, as citizens, as community members, and as consumers – from the national privacy free-for-all, and have done nothing. Fuck them, every one:
Now, even a stopped clock is right twice a day, and not every one of Bill Clinton's internet policies was terrible. He had exactly one great policy, and, ironically, that's the one there's the most energy for dismantling. That policy is Section 230 of the Communications Decency Act (a law that was otherwise such a dumpster fire that the courts struck it down). Chances are, you have been systematically misled about the history, use, and language of Section 230, which is wild, because it's exactly 26 words long and fits in a single tweet:
No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
Section 230 was passed because when companies were held liable for their users' speech, they "solved" this problem by just blocking every controversial thing a user said. Without Section 230, there would be no Black Lives Matter, no #MeToo – no online spaces where the powerful were held to account. Meanwhile, rich and powerful people would continue to enjoy online platforms where they and their bootlickers could pump out the most grotesque nonsense imaginable, either because they owned those platforms (ahem, Twitter and Truth Social) or because rich and powerful people can afford the professional advice needed to navigate the content-moderation bureaucracies of large systems.
We know exactly what the internet looks like when platforms are civilly liable for their users' speech: it's an internet where marginalized and powerless people are silenced, and where the people who've got a boot on their throats are the only voices you can hear:
The evidence for this isn't limited to the era of AOL and Prodigy. In 2018, Trump signed SESTA/FOSTA, a law that held platforms liable for "sex trafficking." Advocates for this law – like Ashton Kutcher, who campaigns against sexual assault unless it involves one of his friends, in which case he petitions the judge for leniency – were warned that it would be used to shut down all consensual sex work online, making sex workers's lives much more dangerous. This warnings were immediately borne out, and they have been repeatedly borne out every month since. Killing CDA 230 for sex work brought back pimping, exposed sex workers to grave threats to their personal safety, and made them much poorer:
It also pushed sex trafficking and other nonconsensual sex into privateforums that are much harder for law enforcement to monitor and intervene in, making it that much harder to catch sex traffickers:
This is exactly what SESTA/FOSTA's advocates were warned of. They were warned. They did it anyway. Fuck those people.
Maybe you have a theory about how platforms can be held civilly liable for their users' speech without harming marginalized people in exactly the way that SESTA/FOSTA, it had better amount to more than "platforms are evil monopolists and CDA 230 makes their lives easier." Yes, they're evil monopolists. Yes, 230 makes their lives easier. But without 230, small forums – private message boards, Mastodon servers, Bluesky, etc – couldn't possibly operate.
There's a reason Mark Zuckerberg wants to kill CDA 230, and it's not because he wants to send Facebook to the digital graveyard. Zuck knows that FB can operate in a post-230 world by automating the deletion of all controversial speech, and he knows that small services that might "disrupt" Facebook's hegemony would be immediately extinguished by eliminating 230:
It's depressing to see so many comrades in the fight against Big Tech getting suckered into carrying water for Zuck, demanding the eradication of CDA 230. Please, I beg you: look at the evidence for what happens when you remove that fence. Heed the warnings. Don't be like Bill Clinton, or California fire suppression officials, or James Moore and Tony Clement, or the European Parliament, or the US Trade Rep, or cryptocurrency freaks, or Malcolm Turnbull.
Or Ashton fucking Kutcher.
Because, you know, fuck those guys.
Check out my Kickstarter to pre-order copies of my next novel, Picks and Shovels!
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Sure, sometimes it really does make sense to do your own research. There's times when you really do need to take personal responsibility for the way things are going. But there's limits. We live in a highly technical world, in which hundreds of esoteric, potentially lethal factors impinge on your life every day.
You can't "do your own research" to figure out whether all that stuff is safe and sound. Sure, you might be able to figure out whether a contractor's assurances about a new steel joist for your ceiling are credible, but after you do that, are you also going to independently audit the software in your car's antilock brakes?
How about the nutritional claims on your food and the sanitary conditions in the industrial kitchen it came out of? If those turn out to be inadequate, are you going to be able to validate the medical advice you get in the ER when you show up at 3AM with cholera? While you're trying to figure out the #HIPAAWaiver they stuck in your hand on the way in?
40 years ago, Ronald Reagan declared war on "the administrative state," and "government bureaucrats" have been the favored bogeyman of the American right ever since. Even if Steve Bannon hasn't managed to get you to froth about the "Deep State," there's a good chance that you've griped about red tape from time to time.
Not without reason, mind you. The fact that the government can make good rules doesn't mean it will. When we redid our kitchen this year, the city inspector added a bunch of arbitrary electrical outlets to the contractor's plans in places where neither we, nor any future owner, will every need them.
But the answer to bad regulation isn't no regulation. During the same kitchen reno, our contractor discovered that at some earlier time, someone had installed our kitchen windows without the accompanying vapor-barriers. In the decades since, the entire structure of our kitchen walls had rotted out. Not only was the entire front of our house one good earthquake away from collapsing – there were two half rotted verticals supporting the whole thing – but replacing the rotted walls added more than $10k to the project.
In other words, the problem isn't too much regulation, it's the wrong regulation. I want our city inspectors to make sure that contractors install vapor barriers, but to not demand superfluous electrical outlets.
Which raises the question: where do regulations come from? How do we get them right?
Regulation is, first and foremost, a truth-seeking exercise. There will never be one obvious answer to any sufficiently technical question. "Should this window have a vapor barrier?" is actually a complex question, needing to account for different window designs, different kinds of barriers, etc.
To make a regulation, regulators ask experts to weigh in. At the federal level, expert agencies like the DoT or the FCC or HHS will hold a "Notice of Inquiry," which is a way to say, "Hey, should we do something about this? If so, what should we do?"
Anyone can weigh in on these: independent technical experts, academics, large companies, lobbyists, industry associations, members of the public, hobbyist groups, and swivel-eyed loons. This produces a record from which the regulator crafts a draft regulation, which is published in something called a "Notice of Proposed Rulemaking."
The NPRM process looks a lot like the NOI process: the regulator publishes the rule, the public weighs in for a couple of rounds of comments, and the regulator then makes the rule (this is the federal process; state regulation and local ordinances vary, but they follow a similar template of collecting info, making a proposal, collecting feedback and finalizing the proposal).
These truth-seeking exercises need good input. Even very competent regulators won't know everything, and even the strongest theoretical foundation needs some evidence from the field. It's one thing to say, "Here's how your antilock braking software should work," but you also need to hear from mechanics who service cars, manufacturers, infosec specialists and drivers.
These people will disagree with each other, for good reasons and for bad ones. Some will be sincere but wrong. Some will want to make sure that their products or services are required – or that their competitors' products and services are prohibited.
It's the regulator's job to sort through these claims. But they don't have to go it alone: in an ideal world, the wrong people will be corrected by other parties in the docket, who will back up their claims with evidence.
So when the FCC proposes a Net Neutrality rule, the monopoly telcos and cable operators will pile in and insist that this is technically impossible, that there is no way to operate a functional ISP if the network management can't discriminate against traffic that is less profitable to the carrier. Now, this unity of perspective might reflect a bedrock truth ("Net Neutrality can't work") or a monopolists' convenient lie ("Net Neutrality is less profitable for us").
In a competitive market, there'd be lots of counterclaims with evidence from rivals: "Of course Net Neutrality is feasible, and here are our server logs to prove it!" But in a monopolized markets, those counterclaims come from micro-scale ISPs, or academics, or activists, or subscribers. These counterclaims are easy to dismiss ("what do you know about supporting 100 million users?"). That's doubly true when the regulator is motivated to give the monopolists what they want – either because they are hoping for a job in the industry after they quit government service, or because they came out of industry and plan to go back to it.
To make things worse, when an industry is heavily concentrated, it's easy for members of the ruling cartel – and their backers in government – to claim that the only people who truly understand the industry are its top insiders. Seen in that light, putting an industry veteran in charge of the industry's regulator isn't corrupt – it's sensible.
All of this leads to regulatory capture – when a regulator starts defending an industry from the public interest, instead of defending the public from the industry. The term "regulatory capture" has a checkered history. It comes out of a bizarre, far-right Chicago School ideology called "Public Choice Theory," whose goal is to eliminate regulation, not fix it.
In Public Choice Theory, the biggest companies in an industry have the strongest interest in capturing the regulator, and they will work harder – and have more resources – than anyone else, be they members of the public, workers, or smaller rivals. This inevitably leads to capture, where the state becomes an arm of the dominant companies, wielded by them to prevent competition:
This is regulatory nihilism. It supposes that the only reason you weren't killed by your dinner, or your antilock brakes, or your collapsing roof, is that you just got lucky – and not because we have actual, good, sound regulations that use evidence to protect us from the endless lethal risks we face. These nihilists suppose that making good regulation is either a myth – like ancient Egyptian sorcery – or a lost art – like the secret to embalming Pharaohs.
But it's clearly possible to make good regulations – especially if you don't allow companies to form monopolies or cartels. What's more, failing to make public regulations isn't the same as getting rid of regulation. In the absence of public regulation, we get private regulation, run by companies themselves.
Think of Amazon. For decades, the DoJ and FTC sat idly by while Amazon assembled and fortified its monopoly. Today, Amazon is the de facto e-commerce regulator. The company charges its independent sellers 45-51% in junk fees to sell on the platform, including $31b/year in "advertising" to determine who gets top billing in your searches. Vendors raise their Amazon prices in order to stay profitable in the face of these massive fees, and if they don't raise their prices at every other store and site, Amazon downranks them to oblivion, putting them out of business.
This is the crux of the FTC's case against Amazon: that they are picking winners and setting prices across the entire economy, including at every other retailer:
The same is true for Google/Facebook, who decide which news and views you encounter; for Apple/Google, who decide which apps you can use, and so on. The choice is never "government regulation" or "no regulation" – it's always "government regulation" or "corporate regulation." You either live by rules made in public by democratically accountable bureaucrats, or rules made in private by shareholder-accountable executives.
You just can't solve this by "voting with your wallet." Think about the problem of robocalls. Nobody likes these spam calls, and worse, they're a vector for all kinds of fraud. Robocalls are mostly a problem with federation. The phone system is a network-of-networks, and your carrier is interconnected with carriers all over the world, sometimes through intermediaries that make it hard to know which network a call originates on.
Some of these carriers are spam-friendly. They make money by selling access to spammers and scammers. Others don't like spam, but they have lax or inadequate security measures to prevent robocalls. Others will simply be targets of opportunity: so large and well-resourced that they are irresistible to bad actors, who continuously probe their defenses and exploit overlooked flaws, which are quickly patched.
To stem the robocall tide, your phone company will have to block calls from bad actors, put sloppy or lazy carriers on notice to shape up or face blocks, and also tell the difference between good companies and bad ones.
There's no way you can figure this out on your own. How can you know whether your carrier is doing a good job at this? And even if your carrier wants to do this, only the largest, most powerful companies can manage it. Rogue carriers won't give a damn if some tiny micro-phone-company threatens them with a block if they don't shape up.
This is something that a large, powerful government agency is best suited to addressing. And thankfully, we have such an agency. Two years ago, the FCC demanded that phone companies submit plans for "robocall mitigation." Now, it's taking action:
Specifically, the FCC has identified carriers – in the US and abroad – with deficient plans. Some of these plans are very deficient. National Cloud Communications of Texas sent the FCC a Windows Printer Test Page. Evernex (Pakistan) sent the FCC its "taxpayer profile inquiry" from a Pakistani state website. Viettel (Vietnam) sent in a slide presentation entitled "Making Smart Cities Vision a Reality." Canada's Humbolt VoIP sent an "indiscernible object." DomainerSuite submitted a blank sheet of paper scrawled with the word "NOTHING."
The FCC has now notified these carriers – and others with less egregious but still deficient submissions – that they have 14 days to fix this or they'll be cut off from the US telephone network.
This is a problem you don't fix with your wallet, but with your ballot. Effective, public-interest-motivated FCC regulators are a political choice. Trump appointed the cartoonishly evil Ajit Pai to run the FCC, and he oversaw a program of neglect and malice. Pai – a former Verizon lawyer – dismantled Net Neutrality after receiving millions of obviously fraudulent comments from stolen identities, lying about it, and then obstructing the NY Attorney General's investigation into the matter:
The Biden administration has a much better FCC – though not as good as it could be, thanks to Biden hanging Gigi Sohn out to dry in the face of a homophobic smear campaign that ultimately led one of the best qualified nominees for FCC commissioner to walk away from the process:
Notwithstanding the tragic loss of Sohn's leadership in this vital agency, Biden's FCC – and its action on robocalls – illustrates the value of elections won with ballots, not wallets.
Self-regulation without state regulation inevitably devolves into farce. We're a quarter of a century into the commercial internet and the US still doesn't have a modern federal privacy law. The closest we've come is a disclosure rule, where companies can make up any policy they want, provided they describe it to you.
It doesn't take a genius to figure out how to cheat on this regulation. It's so simple, even a Meta lawyer can figure it out – which is why the Meta Quest VR headset has a privacy policy isn't merely awful, but long.
It will take you five hours to read the whole document and discover how badly you're being screwed. Go ahead, "do your own research":
The answer to bad regulation is good regulation, and the answer to incompetent regulators is competent ones. As Michael Lewis's Fifth Risk (published after Trump filled the administrative agencies with bootlickers, sociopaths and crooks) documented, these jobs demand competence:
For example, Lewis describes how a Washington State nuclear waste facility created as part of the Manhattan Project endangers the Columbia River, the source of 8 million Americans' drinking water. The nuclear waste cleanup is projected to take 100 years and cost 100 billion dollars. With stakes that high, we need competent bureaucrats overseeing the job.
The hacky conservative jokes comparing every government agency to the DMV are not descriptive so much as prescriptive. By slashing funding, imposing miserable working conditions, and demonizing the people who show up for work anyway, neoliberals have chased away many good people, and hamstrung those who stayed.
One of the most inspiring parts of the Biden administration is the large number of extremely competent, extremely principled agency personnel he appointed, and the speed and competence they've brought to their roles, to the great benefit of the American public:
But leaders can only do so much – they also need staff. 40 years of attacks on US state capacity has left the administrative state in tatters, stretched paper-thin. In an excellent article, Noah Smith describes how a starveling American bureaucracy costs the American public a fortune:
Even stripped of people and expertise, the US government still needs to get stuff done, so it outsources to nonprofits and consultancies. These are the source of much of the expense and delay in public projects. Take NYC's Second Avenue subway, a notoriously overbudget and late subway extension – "the most expensive mile of subway ever built." Consultants amounted to 20% of its costs, double what France or Italy would have spent. The MTA used to employ 1,600 project managers. Now it has 124 of them, overseeing $20b worth of projects. They hand that money to consultants, and even if they have the expertise to oversee the consultants' spending, they are stretched too thin to do a good job of it:
When a public agency lacks competence, it ends up costing the public more. States with highly expert Departments of Transport order better projects, which need fewer changes, which adds up to massive costs savings and superior roads:
Other gaps in US regulation are plugged by nonprofits and citizen groups. Environmental rules like NEPA rely on the public to identify and object to environmental risks in public projects, from solar plants to new apartment complexes. NEPA and its state equivalents empower private actors to sue developers to block projects, even if they satisfy all environmental regulations, leading to years of expensive delay.
The answer to this isn't to dismantle environmental regulations – it's to create a robust expert bureaucracy that can enforce them instead of relying on NIMBYs. This is called "ministerial approval" – when skilled government workers oversee environmental compliance. Predictably, NIMBYs hate ministerial approval.
Which is not to say that there aren't problems with trusting public enforcers to ensure that big companies are following the law. Regulatory capture is real, and the more concentrated an industry is, the greater the risk of capture. We are living in a moment of shocking market concentration, thanks to 40 years of under-regulation:
Remember that five-hour privacy policy for a Meta VR headset? One answer to these eye-glazing garbage novellas presented as "privacy policies" is to simply ban certain privacy-invading activities. That way, you can skip the policy, knowing that clicking "I agree" won't expose you to undue risk.
This is the approach that Bennett Cyphers and I argue for in our EFF white-paper, "Privacy Without Monopoly":
After all, even the companies that claim to be good for privacy aren't actually very good for privacy. Apple blocked Facebook from spying on iPhone owners, then sneakily turned on their own mass surveillance system, and lied about it:
But as the European experiment with the GDPR has shown, public administrators can't be trusted to have the final word on privacy, because of regulatory capture. Big Tech companies like Google, Apple and Facebook pretend to be headquartered in corporate crime havens like Ireland and Luxembourg, where the regulators decline to enforce the law:
It's only because of the GPDR has a private right of action – the right of individuals to sue to enforce their rights – that we're finally seeing the beginning of the end of commercial surveillance in Europe:
It's true that NIMBYs can abuse private rights of action, bringing bad faith cases to slow or halt good projects. But just as the answer to bad regulations is good ones, so too is the answer to bad private rights of action good ones. SLAPP laws have shown us how to balance vexatious litigation with the public interest:
https://www.rcfp.org/resources/anti-slapp-laws/
We must get over our reflexive cynicism towards public administration. In my book The Internet Con, I lay out a set of public policy proposals for dismantling Big Tech and putting users back in charge of their digital lives:
The most common objection I've heard since publishing the book is, "Sure, Big Tech has enshittified everything great about the internet, but how can we trust the government to fix it?"
We've been conditioned to think that lawmakers are too old, too calcified and too corrupt, to grasp the technical nuances required to regulate the internet. But just because Congress isn't made up of computer scientists, it doesn't mean that they can't pass good laws relating to computers. Congress isn't full of microbiologists, but we still manage to have safe drinking water (most of the time).
You can't just "do the research" or "vote with your wallet" to fix the internet. Bad laws – like the DMCA, which bans most kinds of reverse engineering – can land you in prison just for reconfiguring your own devices to serve you, rather than the shareholders of the companies that made them. You can't fix that yourself – you need a responsive, good, expert, capable government to fix it.
We can have that kind of government. It'll take some doing, because these questions are intrinsically hard to get right even without monopolies trying to capture their regulators. Even a president as flawed as Biden can be pushed into nominating good administrative personnel and taking decisive, progressive action:
Biden may not be doing enough to suit your taste. I'm certainly furious with aspects of his presidency. The point isn't to lionize Biden – it's to point out that even very flawed leaders can be pushed into producing benefit for the American people. Think of how much more we can get if we don't give up on politics but instead demand even better leaders.
My next novel is The Lost Cause, coming out on November 14. It's about a generation of people who've grown up under good government – a historically unprecedented presidency that has passed the laws and made the policies we'll need to save our species and planet from the climate emergency:
The action opens after the pendulum has swung back, with a new far-right presidency and an insurgency led by white nationalist militias and their offshore backers – seagoing anarcho-capitalist billionaires.
In the book, these forces figure out how to turn good regulations against the people they were meant to help. They file hundreds of simultaneous environmental challenges to refugee housing projects across the country, blocking the infill building that is providing homes for the people whose homes have been burned up in wildfires, washed away in floods, or rendered uninhabitable by drought.
I don't want to spoil the book here, but it shows how the protagonists pursue a multipronged defense, mixing direct action, civil disobedience, mass protest, court challenges and political pressure to fight back. What they don't do is give up on state capacity. When the state is corrupted by wreckers, they claw back control, rather than giving up on the idea of a competent and benevolent public system.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog: