- When Facebook came for your battery, feudal security failed: A tale of whistleblowers, security through obscurity, and binding arbitration.
- Hey look at this: Delights to delectate.
- This day in history: 2003, 2013, 2018, 2022
- Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading
When Facebook came for your battery, feudal security failed (permalink)
When George Hayward was working as a Facebook data scientist, his bosses ordered him to run a "negative test," updating Facebook Messenger to deliberately drain users' batteries, in order to determine how power-hungry various parts of the apps were. Hayward refused, and Facebook fired him, and he sued:
Hayward balked because he knew that among the 1.3 billion people who use Messenger, some would be placed in harm's way if Facebook deliberately drained their batteries – physically stranded, unable to communicate with loved ones experiencing emergencies, or locked out of their identification, payment method, and all the other functions filled by mobile phones.
As Hayward told Kathianne Boniello at the New York Post, "Any data scientist worth his or her salt will know, 'Don’t hurt people…' I refused to do this test. It turns out if you tell your boss, 'No, that’s illegal,' it doesn’t go over very well."
Negative testing is standard practice at Facebook, and Hayward was given a document called "How to run thoughtful negative tests" regarding which he said, "I have never seen a more horrible document in my career."
We don't know much else, because Hayward's employment contract included a non-negotiable binding arbitration waiver, which means that he surrendered his right to seek legal redress from his former employer. Instead, his claim will be heard by an arbitrator – that is, a fake corporate judge who is paid by Facebook to decide if Facebook was wrong. Even if he finds in Hayward's favor – something that arbitrators do far less frequently than real judges do – the judgment, and all the information that led up to it, will be confidential, meaning we won't get to find out more:
One significant element of this story is that the malicious code was inserted into Facebook's app. Apps, we're told, are more secure than real software. Under the "curated computing" model, you forfeit your right to decide what programs run on your devices, and the manufacturer keeps you safe. But in practice, apps are just software, only worse:
Apps are part of what Bruce Schneier calls "feudal security." In this model, we defend ourselves against the bandits who roam the internet by moving into a warlord's fortress. So long as we do what the warlord tells us to do, his hired mercenaries will keep us safe from the bandits:
But in practice, the mercenaries aren't all that good at their jobs. They let all kinds of badware into the fortress, like the "pig butchering" apps that snuck into the two major mobile app stores:
It's not merely that the app stores' masters make mistakes – it's that when they screw up, we have no recourse. You can't switch to an app store that pays closer attention, or that lets you install low-level software that monitors and overrides the apps you download.
Indeed, Apple's Developer Agreement bans apps that violate other services' terms of service, and they've blocked apps like OG App that block Facebook's surveillance and other enshittification measures, siding with Facebook against Apple device owners who assert the right to control how they interact with the company:
When a company insists that you must be rendered helpless as a condition of protecting you, it sets itself up for ghastly failures. Apple's decision to prevent every one of its Chinese users from overriding its decisions led inevitably and foreseeably to the Chinese government ordering Apple to spy on those users:
Apple isn't shy about thwarting Facebook's business plans, but Apple uses that power selectively – they blocked Facebook from spying on iPhone users (yay!) while Apple covertly spied on its customers in exactly the same way as Facebook, for exactly the same purpose, and lied about it:
The ultimate, irresolvable problem of feudal security is that the warlord's mercenaries will protect you against anyone – except the warlord who pays them. When Apple or Google or Facebook decides to attack its users, the company's security experts will bend their efforts to preventing those users from defending themselves, turning the fortress into a prison:
Feudal security leaves us at the mercy of giant corporations – fallible and just as vulnerable to temptation as any of us. Both binding arbitration and feudal security assume that the benevolent dictator will always be benevolent, and never make a mistake. Time and again, these assumptions are proven to be nonsense.
Hey look at this (permalink)
- Amazon’s Endgame https://prospect.org/power/amazon-business-endgame-jassy/
- Mastodon Flock https://mastodon-flock.vercel.app/ (h/t Waxy)
- Watch David Byrne sing David Bowie's "Heroes" with beautiful, massive backup choir https://boingboing.net/2023/02/04/watch-david-byrne-sing-david-bowies-heroes-with-beautiful-massive-backup-choir-video.html
This day in history (permalink)
- #20yrsago PacBell and Scientology knock Kevin Burton offline https://web.archive.org/web/20030219085335/http://www.peerfear.org/rss/permalink/2003/02/04/1044497702-DMCA_Takedown_Notice_Scientology_and_PacBell.shtml
- #20yrsago Brewster Kahle’s librarian rant https://web.archive.org/web/20030409204107/http://www.loc.gov/rr/program/lectures/kahle.html
- #10yrsago Bogosity generators: the secret heart of science fiction https://www.rudyrucker.com/blog/2013/02/05/the-bogosity-generator-tool-in-science-fiction/
- #10yrsago NYT, 1924: Hitler’s tamed by prison, “no longer to be feared” https://web.archive.org/web/20130206224612/http://www.retronaut.com/2013/02/hitler-tamed-by-prison/
- #5yrsago Trump’s Consumer Finance Protection Board chief gives up on punishing Equifax for doxing the entire United States of America https://www.reuters.com/article/us-usa-equifax-cfpb/exclusive-u-s-consumer-protection-official-puts-equifax-probe-on-ice-sources-idUSKBN1FP0IZ
- #5yrsago The GOP candidate who would represent a suburban Chicago district is an open Holocaust denier, white supremacist and anti-Semite https://chicago.suntimes.com/politics/2019/12/2/20992050/holocaust-denier-arthur-jones-candidate-republican-primary-3rd-congressional-district
- #5yrsago 139 pieces of (seemingly nonfunctional) malware that exploit Spectre and Meltdown are now circulating in the wild https://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges/
- #1yrago How to design an anti-monopoly interop system https://pluralistic.net/2022/02/05/time-for-some-game-theory/#massholes
Today's top sources: Slashdot (https://slashdot.org).
- Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Friday's progress: 520 words (102259 words total)
- The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW
- A Little Brother short story about DIY insulin PLANNING
- Vigilant, Little Brother short story about remote invigilation. ON SUBMISSION
- Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION
- Spill, a Little Brother short story about pipeline protests. ON SUBMISSION
Currently reading: Analogia by George Dyson.
Latest podcast: Social Quitting https://craphound.com/news/2023/01/22/social-quitting/
- Avid Reader (Brisbane), Feb 8
- Chokepoint Capitalism: A Kiwi Perspective, Feb 13
- Future of Arts, Culture & Technology, ACMI (Melbourne), Feb 14
- State Library of NSW (Sydney), Feb 15
- ANU/Canberra Times Meet The Author (Canberra), Feb 16
- Australian Digital Alliance Copyright Forum (Canberra), Feb 17
- Antitrust, Regulation and the Political Economy (Brussels), Mar 2
- Chokepoint Capitalism: Can It Be Defeated? (UCL Institute of Brand and Innovation Law):
- A theory of how internet platforms die (Marketplace Tech)
- Graeber's Pirate Enlightenment (Everyday Anarchism)
- "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com
- "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The Washington Post called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html
- "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)
- "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html
- "Poesy the Monster Slayer": a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p2682/Corey_Doctorow%3A_Poesy_the_Monster_Slayer_HB.html#/.
- Red Team Blues: "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books, April 2023
- The Internet Con: A nonfiction book about interoperability and Big Tech, Verso, September 2023
- The Lost Cause: a post-Green New Deal eco-topian novel about truth and reconciliation with white nationalist militias, Tor Books, November 2023
This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
How to get Pluralistic:
Blog (no ads, tracking, or data-collection):
Newsletter (no ads, tracking, or data-collection):
Mastodon (no ads, tracking, or data-collection):
Medium (no ads, paywalled):
(Latest Medium column: "Small Government: The ref has to be more powerful than the players" https://doctorow.medium.com/small-government-fd5870a9462e)
Twitter (mass-scale, unrestricted, third-party surveillance and advertising):
Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):
"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla