Spam, Anti-Spam, Data, and Drugs

*I truly feel sorry for this guy, but I should probably feel even sorrier for the rest of us, who "lost the Internet's first culture war." That spam is like some morally debasing narcotics trade in a defeated country, that's a pretty good metaphor; it's like fake Viagra that we're all forced to eat every day.

——————————

Date: Mon, 10 Jun 2019 23:48:22 +0000
From: Paul Vixie
Subject: Spam, Anti-Spam, Data, and Drugs

Paul Vixie (CEO, Farsight Security), I Want a New Drug, 3 Jun 2019 Infosec
https://www.infosecurity-magazine.com/infosec/i-want-a-new-drug-1-1-1/

[Included in totality, with permission at my request.
Possible lessons regarding legal risks. PGN]

Slightly over 20 years ago, I co-founded the first anti-spam company, called
MAPS. It was 'spam' spelled backwards, and also the Mail Abuse Prevention
System. My co-founder was Dave Rand, and we were quite sure that the low
cost of sending e-mail would cause an explosion of network abuse, where
unethical advertisers would cheerfully externalize their costs onto the
overall economy, and equally sure that spam would be like a noxious weed
that overruns its ecosystem, because nothing eats it. We were, sadly,
correct. Even more sadly, lawsuits against us by unethical advertisers cost
millions of dollars, such that we ultimately had to sell the company just to
pay our own lawyers. Lessons learned? First, no good deed goes
unpunished. Second, check the water temperature before diving in.

Somewhere along the line we started to joke that spam was like a drug, and
spammers were addicts, and they would do anything, up to and including
selling their own children to sex traffickers, if it meant they could spam
for one more day. This may seem overly severe if you weren't in the
security business at the time and you didn't see the depths of depravity to
which unethical advertisers swam in order to bypass any and all controls
against their work. With two decades of perspective, I can certainly see it
as `gallows humor' and maybe not as darkly funny today as it seemed at the
time. I share this story with you to give you a glimpse into the minds of a
couple of perennial do-gooders as we lost the Internet's first culture war.

But also to familiarize you with the meme, `X is like a drug.'

Because, data is like a drug. It's not as some say, `the new
oil,' because while oil moves nations, it won't pivot an entire
economy from top to bottom. Only a handful of megacorporations and their
supply chains thrive or die on changes in the market for oil.

Data, by comparison, affects everybody. Like a drug, it can reform and pervert what
were stable systems or morality, literally making good people do bad things,
which they somehow justify. Also, there is no escape for the non-addicts; we
are at constant risk in every zone of our personal and professional lives
due to the insatiable need for more data by addicts and their enablers. They
will take our data no matter what depths of depravity they must swim to, and
their justification for it will sound like cheap equivocations to the
non-addicts who are their victims. (((Pretty good paragraph, eh?)))

In the new virtual economy, value chains are not anchored by physical
assets, and what a company can deliver is quite a bit more diverse than what
they can get paid for. When I first heard that if I wasn't paying for a
product, then I was the product, I knew it was so. I've tried to find some
friend at Google who can charge me money to remember everything they know
about me and use it to provide me services but never share that data with
anyone else. Unfortunately, there is no amount of money I could pay to
Google that would be worth as much to them as the many uses they can make of
my personal information. There won't be a Private Google for me or for any
of us, any more than the online news and other services I pay subscription
fees for can offer me an ad-free experience or keep my personal information
entirely private.

However, unopposed trends accelerate, and right now the General Data
Protection Regulation (GDPR) is the only thing slowing the world's sell-off
of whatever actual privacy any of us still have left, and I am not at all
sanguine about Ireland's slow-rolling protection of the American technical
industry's anti-privacy practices[1]. We must, every person, every family,
every company, every state and every nation, diligently notice and defend
against every data predator and every privacy abuse no matter how benign it
may seem.

If you're shredding your junk mail to defend your family against
identity theft but then playing Pokemon Go during idle times as you go about
your daily business, then you're hugging a tree without noticing the fire
engulfing the forest around you. Many of the companies who can observe your
activities will leverage your data to constrain your future choices in small
ways which add up to a form of `digital serfdom' for you in the aggregate.
(((Especially if you're Chinese! Yay!)))

Closer to home and immediately to hand, I am dumping my company's online
expense reporting platform, after warning them several times, and getting
only lame and misleading answers each time. They've turned on what they call
`Smart Scan' for all our employees, and have removed any control for turning
it off again, and this has been called a `policy change.' What this means
is that the personally identifiable information of our employees as they
travel the world was simply too valuable for them to leave in our hands –
they can't compete in the global data marketplace if they don't extract
every possible one or zero from any information that comes into their
orbit. Note that this is a paid commercial service, and I would pay more to
keep our employees' privacy safe, but that option has not been and will not
be offered to us. For the moment, this means we'll go back to e-mailed
spreadsheets, while we audit the privacy policies of potential new online
expense reporting services.

Sadly, last time we did a search with such audits, every single provider we
evaluated failed, usually for more than one cause. This may help explain
why I've lost my capability to be astonished by the findings in this year's
Verizon Data Breach Investigations Report[2] (DBIR). It's a stunning piece
of work and should be compelling in its own right. However, the data we're
losing piecemeal due to surveillance capitalism is of gargantually greater
magnitude than the data we're losing due to criminal breaches of our online
infrastructure, and should concern all of us far more. I fear that we are
all numb, and if we ponder the circumstances of our privacy it's to wonder
where it will end or how it can end. Perhaps a motorcycling holiday in
Scotland will restore my capacity for outrage. I'll try that and get back to
you.

[1] https://www.politico.com/story/2019/04/24/ireland-data-privacy-1270123
[2] https://enterprise.verizon.com/resources/reports/dbir/2019/introduction/

————————