My Defcon 31 speech, delivered August 12 in Las Vegas.
I have a confession to make: I am old. I turned 52 last month, the full deck of cards. I have two artificial hips. I have cataracts in both eyes. I’m old as dirt.
You may know that the AARP has a squad of junk-mail ninjas that track you down on your 50th birthday to try to sell you a membership. Less well known is that the AARP also issues every 50-year-old with a license to complain about how much worse things are today than they used to be in my day.
I know that complaint is trite, but I think it’s true when it comes to the internet. I think the internet used to be better, back before it turned into what the Kiwi hacker Tom Eastman calls “five giant websites filled with screenshots of text from the other four.”
I miss the old, good internet. But this isn’t a talk about bringing the old good internet back. It’s a talk about what a new good web could be.
And why we don’t have it.
And how we’ll get it.
This is a talk about enshittification. Enshittification is a term I coined to describe how platforms die.
Platforms are the endemic form of the internet. A platform mediates between end users and business customers: Uber has drivers and riders; Amazon and eBay have sellers and buyers; Google and Facebook have publishers, advertisers and users.
The platform sits between these two different groups, business customers and users, an intermediary.
Remember when we said the internet would disintermediate everything?
It did.
And then it reintermediated everything.
Platforms are just intermediaries.
Here is how a platform dies:
First, it is good to its users; then, it abuses its users to make things better for its business customers; finally, it abuses those business customers to claw back all the value for itself. Then, it dies.
We are living through mass, end-stage platform decay, the Great Enshittening.
I am going to explain the three-stage process of platform enshittification. Then I’m going to explain the policy choices that let them get away with it. Then I’m going to tell you what policy changes would let us seize the means of computation and build a new good internet: a worthy successor to the old good internet.
This is a talk about how we make the enshitternet a transitional phase between the old good internet and the new good internet.
Let’s start with a case-study: Facebook.
Facebook is a company that was founded to nonconsensually rate the fuckability of Harvard undergrads, and it only got worse after that.
When Facebook started off, it was only open to US college and high-school kids with .edu and k-12.us addresses. But in 2006, it opened up to the general public.
It told them: “Yes, I know you’re all using Myspace. But Myspace is owned by an evil, crapulent senescent Australian billionaire, who spies on you with every hour that God sends.
“Sign up with Facebook and we will never spy on you. Come and tell us who matters to you in this world, and we will compose a personal feed consisting solely of what those people post for consumption by those who choose to follow them.”
That was stage one. Facebook had a surplus — its investors’ cash — and it allocated that surplus to its end-users.
Those end-users proceeded to lock themselves into FB. FB — like most tech businesses — has network effects on its side. A product or service enjoys network effects when it improves as more people sign up to use it.
You joined FB because your friends were there, and then others signed up because you were there.
But FB didn’t just have high network effects, it had high switching costs.
Switching costs are everything you have to give up when you leave a product or service. In Facebook’s case, it was all the friends there that you followed and who followed you.
In theory, you could have all just left for somewhere else; in practice, you were hamstrung by the collective action problem.
It’s hard to get lots of people to do the same thing at the same time. You and your six hacker buddies are going to struggle to agree on where to eat dinner tonight. How the fuck were you and your 200 Facebook friends ever gonna agree on when it was time to leave Facebook, and where to go?
So FB’s end-users engaged in a mutual hostage-taking that kept them glued to the platform. And FB exploited that hostage situation, withdrawing the surplus from end-users and allocating it to two groups of business customers: advertisers, and publishers.
To the advertisers, FB said, “Remember when we told those rubes we wouldn’t spy on them? We lied.
“We spy on them from asshole to appetite.
“We will sell you access to that surveillance data in the form of fine-grained ad-targeting.
“And we will devote substantial engineering resources to thwarting ad-fraud.
“Your ads are dirt cheap to serve.
“And we’ll spare no expense to make sure that when you pay for an ad, a real human sees it.”
To the publishers, FB said, “Remember when we told those rubes we would only show them the things they asked to see? We lied!
“Upload short excerpts from your website, append a link, and we will nonconsensually cram it into the eyeballs of users who never asked to see it.
“We are offering you a free traffic funnel that will drive millions of users to your website to monetize as you please.
“And those users will become stuck to you when they subscribe to your feed.”
And so advertisers and publishers became stuck to the platform, too, dependent on those users.
The users held each other hostage, and those hostages took the publishers and advertisers hostage, too, so that everyone was locked in.
Which meant it was time for the third stage of enshittification: withdrawing surplus from everyone and handing it to Facebook’s shareholders.
For the users, that meant dialing down the share of content from accounts you followed to a homeopathic dose, and filling the resulting void with ads and pay-to-boost content from publishers.
For advertisers, that meant jacking up prices and drawing down anti-fraud enforcement. So advertisers paid much more for ads that were far less likely to be seen by a person.
For publishers, this meant algorithmically suppressing the reach of their posts unless they included an ever-larger share of their articles in the excerpt, until anything less than fulltext was likely to be disqualified from being sent to your subscribers, let alone included in algorithmic suggestion feeds.
And then FB started to punish publishers for including a link back to their own sites, so they were corralled into posting fulltext feeds with no links, meaning they became commodity suppliers to Facebook, entirely dependent on the company, both for reach, and for monetization, via the increasingly crooked advertising service.
When any of these groups squawked, FB just repeated the lesson they’d learned in the Darth Vader MBA:
“I have altered the deal. Pray I don’t alter it any further.”
Facebook now enters the most dangerous phase of enshittification. It wants to withdraw all available surplus, and leave just enough residual value in the service to keep end users stuck to each other, and business customers stuck to end users, without leaving anything extra on the table, so that every extractable penny is drawn out and returned to its shareholders.
But that’s a very brittle equilibrium, because the difference between “I hate this service but I can’t bring myself to quit it,” and “Jesus Christ, why did I wait so long to quit this shithole? Get me the fuck out of here!” is razor thin.
All it takes is one Cambridge Analytica scandal, one whistleblower, one livestreamed mass-shooting, and users bolt for the exits, and then FB discovers that network effects are a double-edged sword.
If users can’t leave because everyone else is staying, then when everyone starts to leave, there’s no reason to stay.
That’s terminal enshittification, the phase when a platform becomes a pile of shit. This phase is usually accompanied by panic, or, more euphemistically, “pivoting.”
Which is how we get pivots like, “In the future, all internet users will transform into legless, sexless, low-poly, heavily surveilled cartoon characters in a virtual world ripped off from a 25-year-old satirical cyberpunk novel.”
Enshittification isn’t inevitable. Plenty of tech platforms died without enshittifying. But when the three following criteria are satisfied, enshittification always ensues.
The first is a general lack of competition. 50 years ago, the Carter administration started pulling Jenga blocks out of our antitrust enforcement system, then Reagan yanked them out by the fistful.
And every administration since — up to, but not including Biden — has continued to nerf antitrust, making it progressively weaker, until every industry — not just tech — is dominated by a tiny handful of companies: pharma, health insurance, appliances, athletic shoes, books, booze, drug stores, office supplies, eyeglasses, vitamin C, bottle caps, airlines, railroads, rental cars, mattresses, Champagne, candy and professional wrestling.
These companies grew by doing things that were illegal until the 1980s, which is, not coincidentally, the PC era. PCs, the internet, and antitrust drawdown are simultaneous phenomena. Tech is the first industry in more than a century that grew up without meaningful antitrust.
What laws were these companies allowed to violate? They were able to sell goods below cost, which let the deepest-pocketed companies bankrupt their competitors, and prevent new companies from entering the market.
Think of Amazon, which tried to buy diapers.com, got rejected, and then lit $100m on fire selling diapers below cost, until diapers.com went bankrupt.
But more than anything, they were able to merge with major competitors and buy out small ones. Google made one good product, search, a quarter of a century ago. That opened a conduit to the capital markets that gave Google an effectively limitless budget to buy competitors.
So it didn’t matter that everything Google made in-house failed — videos, social media, wifi balloons, smart cities, they couldn’t even keep an RSS Reader alive!
Because they were able to buy other people’s companies — mobile, ad tech, videos, maps, documents, satellites, server management. Google isn’t Willy Wonka’s magic idea factory, they’re Rich Uncle Pennybags, spending other people’s money to buy the products they themselves are too ossified and lumbering to create.
It’s not just Google, of course. Apple buys 90 companies a year. Tim Cook brings back a new company more often than you bring back a bag of groceries.
Eliminating competition is key to enshittification. It’s a lot easier to treat your customers and suppliers like shit when you’re the only game in town.
But all industries are consolidated, not just tech. Enshittification is what happens when you stir two more factors into the mix.
Let’s take a quick hacker interlude here. Remember when I told you about how network effects drive explosive growth? Tech has amazing network effects. But tech has another property, an irreducible feature that operates as an anti-network effect: low switching costs, driven by universality.
We only know how to make one kind of computer: the Turing Complete, universal von Neumann machine, which can run every program we know how to write.
That means that every software-driven product or service is liable to adversarial interoperability. That’s when a hacker uses reverse-engineering, scraping and bots to plug something in that the OEM doesn’t want plugged in.
Remember our Facebook case-study? When Facebook was telling Myspace users they needed to escape Rupert Murdoch’s evil crapulent Australian social media panopticon, it didn’t just say to those Myspacers, “Fuck your friends, come to Facebook and just hang out looking at the cool UI until they get here.”
It gave them a bot. You fed the bot your login credentials, and it would log in to Myspace and pretend to be you, and scrape everything waiting in your inbox, copying it to your FB inbox, and you could reply to it and it would autopilot your replies back to Myspace.
The explosive growth that platforms get from network effects attracts competitors, who hack interop layers into their products that attack their highest-margin offerings, draining users and revenues.
So that every company that starts with explosive network-effects-driven growth ends with implosive contraction driven by low-switching costs.
Every successful tech company started with adversarial interop. Google presented itself to every webserver in the world and said, “Hi, I’m a user, serve me all your pages thank you.” Apple reversed MS Office and made iWork Suite — Pages, Numbers and Keynote — which could perfectly read and write Word, Excel, and Powerpoint files.
Look hard at any tech company and you’ll find them ripping, mixing and burning the biggest products and services of the day. Why go after the biggest platforms? Same reason Willie Sutton robbed banks: that’s where the users are.
But when these companies exploited our dying antitrust rules to grow to unimaginable scale, they joined forces and declared the end of history.
Adversarial interoperability was fine when they did it — necessary to humanity’s progress, even — but when anyone tries to do it to them, that’s a crime.
Every pirate wants to be an admiral.
An industry with 1000 small-and-medium companies has the same collective problem you and your friends have when you get stuck on a social media platform.
They can’t agree on anything. Not only can’t they agree on what the law should be, they can’t agree on how to cater the annual meeting where they’d discuss the question.
Remember the Napster Wars? Tech was much bigger than the music and movie companies, but Big Content kicked tech’s ass. Because there were five labels and seven studios, which meant they could easily agree on a response to P2P.
Today there’s three labels and four studios. Those companies are so incestuous they’ve got the corporate equivalent of a Habsburg Jaw, and they’ve decided that they’re gonna replace every creative worker with a chatbot, which is why the actors and writers in my hometown have spent the summer roasting on the treeless sidewalks in front of the studios.
When a sector has only five companies, or four, or three, or two, it can agree on policy direction, and it can screw its customers and suppliers so hard that it amasses a fortune to buy that policy.
Tech today is even more concentrated than content was back in the Copyright War, and they’ve agreed on the end of history.
When Apple reversed Office and built iWork, Microsoft just had to suck it up. In the ensuing decades, Apple — and Microsoft, Facebook, Google and other tech giants — have secured changes to law, regulation and their interpretations that make doing unto them as they did unto others radioactively illegal.
If you were to reverse the file-formats used by iOS, and make a runtime and player for iOS apps and Apple-locked media, they would reduce you to rubble.
They’d come after you with Section 1201 of the DMCA, the Computer Fraud and Abuse Act, tortious interference with contract, copyright, patent, trademark and trade secrecy.
“IP,” in other words, which has a crisp meaning in business circles. IP is anything that lets a company reach beyond the four walls of its business, and exercise control over its customers, critics and competitors.
Or, as Jay Freeman from Cydia says, it’s “felony contempt of business-model.”
Here’s what that looks like: Today, one in four web users has installed an ad-blocker. It’s what Doc Searls calls the largest consumer boycott in history. Ad-blockers are possible because browsers are open platforms.
But if you wanted to add ad-blocking to apps you would commit half a dozen federal crimes. Bypass app DRM? That’s a DMCA 1201 violation, carrying a sentence of five years in prison and a $500,000 fine, for a first offense.
“App” is just a euphemism for a web page skinned with enough “IP” to allow either Apple or Google to send you to prison for Felony Contempt of Business Model.
Back to enshittification.
Enshittification is what happens when companies do not face competition; and when they are able to use the incredible flexibility of digital computers to twiddle the knobs on the back end, to do Darth Vader shit, altering the deal further, unconstrained by privacy law, labor law, fair trading law, turning every platform into a rigged Skinner Box casino, where the payout schedule is altered from moment to moment, making it impossible for end users or business customers to figure out whether they’re getting a fair deal.
Tech companies can twiddle the knobs whenever they want, without explanation or transparency, and we can’t get a law passed to make them stop compulsively touching their knobs, because in the world of five giant websites each filled with screenshots of the other four, they can easily agree that these rules are bad, and they can mobilize their monopoly casino winnings to make sure they never pass.
Let’s take stock.
Step one: consolidated industries eliminate competition through predatory pricing and acquisitions.
Step two: tech companies play a high-speed shell-game on the back end, and use their consolidation to bigfoot any attempt to constrain their twiddling (like privacy, labor, or fair trading laws).
Now we come to step three: where tech companies embrace tech laws, laws that make it illegal to twiddle back at them, the IP laws that create felony contempt of business-model, criminalizing the adversarial interoperability that once acted as garbage collection for enshittified, bloated, top-heavy companies, letting nimble, innovative players drain off their users, eat their lunch and dance on their graves.
Put these three factors together — consolidation, unrestricted twiddling for them, a total ban on twiddling for us — and enshittification becomes inevitable.
That’s how enshittification works. Now let’s talk about how we halt it, throw it into reverse, and build a new good internet that’s a worthy successor to the old good internet.
Step one: halt consolidation and break up the Big Tech companies.
This one is going great, actually. After 40 years, we have the first US administration in two generations taking this seriously, joined by colleagues in the UK and EU, who are blocking mergers and demanding breakups.
This fight is fought by lawmakers from across the political spectrum. The AMERICA Act will break up Google and Facebook. It is sponsored by Ted Cruz and Elizabeth Warren.
The FTC and DoJ just published new merger guidelines which ban the anticompetitive mergers that have been the norm for 40 years.
If you’re only cursorily paying attention to this, you might have gotten the impression that FTC Chair Lina Khan is thrashing indiscriminately at Big Tech mergers, like Activision-Microsoft, only to lose in court.
But the reality is that she is setting out to make new law, after four decades of complacency and bias in favor of monopolies. She is taking swings that no one has taken since the Carter administration.
She is a goddamned American hero, along with colleagues like Rohit Chopra at the CFPB and Jonathan Kanter at the DoJ.
But breakups take a long-ass time. It took 69 years to break up AT&T.
We don’t want to wait that long for a new good internet, and we don’t have to. Because tech is different: it is universal. It is interoperable, and that means we have options we’ve never had before.
Interoperability options: options that devolve control over technology from giant companies to small companies, co-ops, nonprofits, and communities of users themselves.
Interop is how we seize the means of computation.
First things first: we need to limit twiddling.
Pass comprehensive federal privacy laws with private right of action, meaning that you can sue if your privacy is violated, even if the local public prosecutor doesn’t think you deserve justice.
End worker misclassification through the so-called gig economy, meaning that every worker is entitled to minimum wages, a safe workplace, and fair scheduling.
Apply normal consumer protection standards to ecommerce platforms and search engines, banning deceptive advertising, fake reviews, and misleading search results that put fake businesses and products ahead of the best matches.
Then we need to open the walled gardens. Laws like the EU’s Digital Markets Act will force tech platforms to stand up APIs that allow new platforms to connect to them.
This interop will make switching costs low. So you can leave Facebook or Twitter and go to Mastodon, Diaspora — or Bluesky or some new platform — and still exchange messages with the people you left behind, and participate in the communities that matter to you, and connect with the customers you rely on.
These new platforms must be fiddle-constrained the way the big ones should be, subject to the same privacy, fair trading, and labor rules.
But mandatory APIs have a fatal flaw: they are easy to cheat on.
Because just because we order Facebook to operate an API, it doesn’t mean that we don’t want them to yank the emergency brake if they think someone is exploiting it to steal millions or billions of users’ data.
That means that Facebook can cheat. They can claim they pulled the plug because they thought there was a breach, when really they just wanted to destabilize those new platforms and teach their founders, users and investors that you can’t bet against Facebook and win.
And even if you drag Facebook in front of a regulator to get them punished for this, it can take years to get justice. Because to a first approximation, everyone who understands FB’s infra well enough to tell a bona fide shutdown from a pretextual one works for Facebook. So every one of these disputed shut-downs can turn into a yearslong, fact-intensive inquest.
To make mandatory APIs work, we need to make robust interoperability preferable to behind-the-scenes fuckery, we need to align tech giants’ incentives so they encourage competition, rather than sabotaging it.
That’s where you all come in, this is what we need the hackers for.
Because in addition to the mandatory interop that’s already coming down the pike, we need to restore the right to mod, tinker, reverse and hack these services.
I’m gonna tell you why, and how, and how we’ll make it safe for users.
First, why: Companies hate competition, but they hate surprises even more. If we have the right to mod existing services to restore busted API functionality, then any company that’s tempted to nerf its API has to consider the possibility that you are going to come along and scrape its site or reverse its apps to make the API work again.
That means that the choice for tech giants isn’t “Keep the API and lose my discontented users or nerf the API and screw my competitors.” It’s: “Keep the API and lose my discontented users, or nerf the API and get embroiled in unquantifiable guerilla warfare against engineers who have the attackers’ advantage, meaning I have to be perfect, and they only have to find and exploit a single error I make.”
Tech giants hate surprises because investors hate surprises. When you get on a quarterly earnings call and announce worse news than predicted, your company’s share price tanks.
Remember 2022, when Facebook gained slightly fewer users in the US than they’d promised and Wall Street staged a mass sell-off, knocking a quarter-trillion dollars off the market cap, the largest one-day drop in a company’s value in human history?
The decision to cheat on a mandate and break an API has to come from an exec, and tech execs own a ton of their own company’s stocks. Meaning that the person who makes the call to break interop is the person who stands to have their personal net worth wiped out if the competition leaps in with adversarial interop backstops.
And if the exec is so pig-headed that they go ahead with sabotaging the API? Well, the scrappy little guys can use adversarial interop.
So how do we get adversarial interop?
We should roll back or modify every law that constitutes “felony contempt of business model”: anti-circumvention, criminalizing terms of service violations, overbroad patents and copyright, and so on.
But that’s a project of years and we need to restore adversarial interop now.
Here’s how we can do that: first, we can simply wait for the tech companies to cheat on one of those interoperability mandates, like the EU’s Digital Markets Act.
Because of course they’ll cheat. They can’t not cheat. And when they do, we can penalize them. We can stick them with a “special master,” a kind of court-appointed overseer, who will have to approve legal threats against interoperators, to verify that they are threats aimed at protecting the company’s users, not the company’s shareholders.
While we’re waiting for them to cheat, we can put the government to work for us, specifically government procurement.
Governments should require that every tech company that sells them a product or service has to promise not to interfere with interop.
That’s just prudent public administration. Lincoln insisted that every rifle-supplier for the Union army used interoperable tooling and ammo. Of course he did! “Sorry boys, war’s cancelled, our sole supplier decided not to make any more bullets.”
Every digital system procured by every level of government should come with a binding covenant not to impede interop — from the cars in government motor-pools to Google Classroom in public schools to iPhones in public agencies.
Sure, companies will squawk. But no one forces a tech giant to sell to the American government. If you’re too emotionally fragile to sell to the American public on reasonable terms, you can find another line of work better suited to your delicate sensibilities.
Your shareholders’ priorities are your problem. Public agencies are charged with doing the people’s business.
OK, so we’ll use adversarial interop to keep big companies from sabotaging mandatory interop, and we’ll use procurements, conduct remedies and new law to get that adversarial interop.
How will we keep interoperators honest?
After all, if you squint just right, Cambridge Analytica is just an interoperator. Remember when I talked about putting limits on twiddling, privacy law, labor law, fair trading law?
That’s how we do it.
It’s frankly surreal that the way we keep Facebook’s partners from abusing your info is by asking Facebook to decide what is and isn’t acceptable.
Remember: Cambridge Analytica was a Facebook partner. So whether you’re using an API or you’re fielding an interoperable app that relies on scraping and reversing, you will be bound by those same laws, passed by democratically accountable lawmakers in public proceedings, not by shareholder accountable corporate executives in closed-door meetings.
Enshittification didn’t happen because today’s companies are run by evil geniuses. They’re no more wicked than the mediocrities who founded DEC or Sun or AOL. All of those companies would have abolished their competitors, captured their regulators, and abused their users and business customers if they could have gotten away with it.
We didn’t let them get away with it, but we let the current crop get away with murder. They’re just able to buy their way to dominance, merging with competitors, until they have the money and the unity of purpose to capture our laws, to give them the freedom to abuse us without limit, and to criminalize anything we do to defend ourselves.
To stop them we need to block new mergers, and unwind existing ones, limit their ability to twiddle the back end to keep their users and business customers in a constant state of confusion, and restore our ability to twiddle back, to give ourselves an internet operated by and for the people who use it: the new, good internet that is the worthy successor to the old, good internet.
For millennia, the indigenous people of California used controlled burns to wipe out old and sick trees, opening the canopy for new growth.
When settlers banned good fire, California started accumulating fire debt, so every year, California burns.
Because the alternative to good fire isn’t “no fire,” it’s wildfire.
When tech companies had to contend with the implosive contraction of low switching costs, they were dynamic, springing up and disappearing all the time.
When we stopped enforcing antitrust law, we ended that good fire, and now we have wildfire. Our tech companies have terminal gigantism, and they’re on fire all the time.
It’s time to stop trying to make the tech giants better, and to start evacuating them and letting them burn.
In your heart, you know we could have a better internet than this one, and a better tech sector too.
Remember when tech workers dreamed of working for a big company for a few years, before striking out on their own to start their own company that would knock that tech giant over?
Then that dream shrank to: work for a giant for a few years, quit, do a fake startup, get acqui-hired by your old employer, as a complicated way of getting a bonus and a promotion.
Then the dream shrank further: work for a tech giant for your whole life, get free kombucha and massages on Wednesdays.
And now, the dream is over. All that’s left is: work for a tech giant until they fire your ass, like those 12,000 Googlers who got fired six months after a stock buyback that would have paid their salaries for the next 27 years.
We deserve better than this. We can get it.
Let’s take a lesson from my arch-enemy, the loathsome Milton Friedman — court sorcerer to Ronald Reagan and architect of the neoliberal revolution.
He was a monster, but he knew a thing or two.
When people would ask him, “Milton, how will you ever put your kooky fringe ideas into operation?”
He would say: “Some day, there will be a crisis, and when crisis comes, ideas that are lying around can move from the fringe to the center in an instant.”
I love quoting Friedman. I imagine that when he hears his words in my mouth he looks up from the spit he’s roasting on and gargles a curse up at me around the red-hot iron bar protruding from his jaws, while the demons around him laugh and laugh.
We are lurching from crisis to crisis, and thus far, we do the same thing at every crisis — the thing we did last time, only we do it harder, and expect a different outcome.
We need to start spreading good ideas lying around, so that the next crisis doesn’t go to waste.