
Laws Derived From Moral Panics Are Dangerous

Monday, January 29th, 2018

Politicians love morality laws.
They really love sex laws.
They really love child protection laws.
And they really really love child sex laws.

Manufactured moral panics are awesome if you are a career politician. By leveraging a moral panic you can whip people into a frenzy, warping their perception of reality to the point that the only thing that matters is whatever you made seem important. This is true even if the issue actually affects a statistically insignificant number of people. Consider the number of annual non-suicide homicide deaths involving firearms compared to the number of annual drunk driving deaths — the first number isn’t even paid attention to, as the anti-gun lobby will cite every death involving firearms regardless of circumstance, while the second number isn’t mentioned in public safety debates unless the subject is specifically drunk driving (but that’s not a hot topic now, so nobody cares). Repeated often enough, any message that induces a strong emotional response will stick and make people think the (actually rare) issue is happening to everyone all the time.

In this article I’m going to show you why moral panics, of any nature, are good for politicians and bad for you. If you think carefully about an example of a moral panic taken to its conclusion you will understand that the side effect of the moral panic (an inevitable national vulnerability) is far more destructive to society than the subject of the panic (one side of basic human behavior that has been generally kept in check by another side of basic human nature since the beginning of time).

Let me revisit my first paragraph for a correction. A moral panic is not useful to politicians “even if” the issue affects an insignificant number of people in reality, it is “especially if”. The fewer people actually affected by the issue the more confident you can be that the issue will not backfire: Almost nobody will come forward to present a concrete counter argument, particularly if the issue is significantly emotional for a large enough portion of the population that people begin hiding their true thoughts on the matter in the interest of avoiding social ostracism. After all, anyone presenting a counter argument must be evil because they hold such views.

Imagine trying to bring a counter argument about the effects of cocaine use in the 1980s at the height of the Cocaine Wars. If you came out and said “I’ve used pure cocaine as a mild stimulant in limited doses for years and it has not affected my health, made me an addict, or driven me to kill anyone. It is my own body, anyway,” you would immediately be socially ostracized and find yourself under federal investigation for what you had just said. The number of people who actually used pure cocaine at the time and were willing to admit it to support you would have been far too low to change the tide of public opinion — and good luck getting any of those people who secretly agree with you but haven’t used cocaine before to break their silence. Of course, this is exactly how cocaine was used before the drug wars started and that period of American history coincides with the greatest economic expansion and greatest increase in quality of life standards in human history. But those details wouldn’t save you because the moral panicky flavor of the issue itself would already make you seem like the Devil Hisself for having even cast doubt on the illicit status of the substance.

Remember the bizarre world of square cops Duke stepped into when he accidentally attended the narcotics enforcement convention in Fear and Loathing in Las Vegas? Granted, he was only trading one equally bizarre world for another, but the experience was illustrative enough for Thompson to include it in his book.

Here is a clip from the movie to jog your memory, since nobody reads actual books anymore.

Age of consent laws and the problems that surround them are mostly non-issues. But they are really, really useful non-issues if you are a politician. Age of consent laws are pretty freaking new and yet the world has gotten along just fine without them so far. But how?!? Before age of consent laws it wasn’t just non-stop adolescent hedonism in the streets. People have families and enough people are non-evil enough of the time that things have generally worked out OK. The world got along just fine without drug laws until just recently also.

Consider the following:

  • There was no alcohol prohibition in the U.S. until 1920, at which point America embarked on a decade-long journey of gangland violence, abuses of alcohol went from being the occasional crying shame to being a literal pathway to either extreme abuse or a life in the prison system, and the government went to war against its own citizens. Great. This doesn’t seem like it was a very big win.
  • There was no drug prohibition in the U.S. until the first nuisance tax on the distribution of marijuana in 1937. Fast forward and the U.S. is once again mired in gangland violence and the government is openly at war with its own citizens based on random chemical combinations they make at home from ordinary materials. All that plus the effect artificial scarcity of the relatively benign naturally occurring drugs has had on the market: instead of cessation of narcotic consumption, people consume profoundly more dangerous and addictive alternatives and destroy their bodies much quicker at a higher public medical cost than previously. All of this while drug use has expanded instead of declined. There is also the small detail of the civil war in Mexico that is driving people north in record numbers — a war that the lowest members of American society are funding through drug purchases and the middle-class is subsidizing through massive government outlay in the form of anti-drug operations funds. Entire agencies exist solely for the purpose of pursuing the drug war! Once again, not a big win here.
  • There were no age of consent laws until quite recently, but that didn’t matter so much in the face of strong family traditions, social taboos regarding sexual interactions, relatively strong sexual morals across all segments of society, and a strong social preference for publicly adhering to near-puritanical views on sexuality in general. Age was not the core issue, but the society had strong views on sexual propriety. Fast forward to today and in some states you can get sent to jail for having a girlfriend a few months younger than you, women are assumed to have zero capacity for thought until they turn some arbitrary number, men can have their careers destroyed by a rumor, and yet at the same time little girls are all over YouTube twerking, incidence of early teen pregnancy is skyrocketing, and even very young girls are making a game of engaging in highly promiscuous teasing games with older boys and men. Kids are obviously having sex at a rapidly increasing rate in spite of the law, but when both partners are extremely naive about life in general the outcome is far worse than whatever was going on before.

See a trend? I’m not saying that substance abuse or sex are light-weight issues — quite the opposite — but that government intervention really seems to consistently backfire on every social issue that is normally handled by families. Education is another shining example of the Cobra Effect in action, but that deserves an article of its own some day.

The Thesis

In the current era, where almost everything valuable you own is a networked computing device, moral panics are a source of strategic technical vulnerability. In the prefacing discussion above I discussed drugs because that is a major freak-out issue for some people and child sex because it is a major freak-out for other people. I avoided diving into a discussion about terrorism not because it isn’t a similarly dangerous issue, but because we all know what happens if you are perceived to be talking about Islam (I wouldn’t want anyone to take that the wrong way, of course). I assume there is a lot of crossover between the drug-panic and child-panic demographics, and I’m pretty sure the terrorism-panic and holy-crap-invasion-by-hijra-panic demographic covered pretty much everyone (even though that second one is WrongThink), but hopefully I’ve got you upset over one issue or another by this point.

An Example

Consider Android boards. Actually consider them for a moment.

Let’s say our goal is to stop terrorists or save the children or catch the drug dealers. Based on the premise that people do nearly everything through their smartphones these days we create a regulation that mandates all phone makers provide a hardware backdoor for law-enforcement and intelligence services in every new Android board produced. This is hardly a far-fetched proposal, and in fact there are proposals to do exactly this already on the table today.

So now, in this hypothetical-but-likely world, every new Android board is network enabled across a huge spectrum of wireless bands, can be equipped with wired ethernet, USB, etc., contains a GPS unit, accelerometer, thermometer, microphone, camera, etc… and is backdoored at the hardware level.

“Well hurrah!” you might say. Surely with the fantastical power of these backdoors into everyone’s phones the kids are safe, drug use has totally stopped, the terrorists are automagically banished from the Mortal Plane, and flowers have sprung forth in full bloom!

Absurd hyperbole? Yes. Of course it is. Backdoors into phones will just drive criminals to do business in other ways as always. Universal backdoors in computing devices are far less useful to law enforcement and intelligence officials in practice than regulators imagine when they formulate such rules. We have many examples to draw from already, and overall it certainly appears that while backdoors are of limited utility to law enforcement, they are super useful to criminals, enemy governments, and despots.

Part of the problem of being a good guy is that having data on everybody means that you don’t have time to check the data on anybody. You’re still in target identification mode while the bad guys already have a laser-focus on a target ahead of time. As law enforcement you wind up becoming the Precrimes Division — and that’s downright spooky. Trying to profile for criminality in aggregate winds up creating magical (and highly unpredictable) categories of “unusual” behavior patterns that, while not actually criminal, can mistakenly flag a normal citizen for scrutiny. This is terrifying for a number of reasons, not least of which is that it tends to force people into conformance with artificial social norms that are invented by aggregate software analysis (the way we do with adsearch results, for example) rather than actual knowledge of criminal activity.

Even if we stopped here and didn’t pursue the Android example that follows, the situation already poses a strategic economic challenge. Without room for safely breaking with prior social behaviors there is little hope of social, economic or technical innovation moving forward. The last thing Americans seem to do well is conform with a static, centrally controlled society. (A spontaneously self-ordered, semi-static society, sure — but the moment you tell an American who is sitting down that he’d better remain sitting is the moment that guy will stand up just to spite you.)

Back to our warehouse full of freshly minted government-compliant Android boards…

A year goes by after the passage of the new mandate for phone backdoors without incident. Things seem static, quiet, calm, wonderful. But one thing is never static: the market. Nobody is making phones with last year’s (or even last quarter’s) boards. Time and technology have moved on and new boards are being produced, leaving the old models which have been produced-but-unsold sitting in a warehouse waiting to be sold in bulk for a few dollars apiece, rotting in their surplus obsolescence — obsolescence for the phone market, anyway.

In this world you work as a product manager at a company that needs to develop a new, “smart” building utility control unit that should first and foremost be capable of controlling the lights and thermostat, but also must be extensible — perhaps becoming a more universal facility control device: door lock awareness/control, outlet consumption tracking, etc. (and I’m actually simplifying the example as this tech is already here on the fringe now and the example is itself a bit out of date).

As a project manager you have a choice:

  1. You can get a bunch of old-school hardware engineers together to develop a new device, then get systems people on developing the software to run it, and eventually go through the product testing phase and get protocol people to make it comply with other devices it might need to talk to in the future, etc.
  2. You can acquire a box full of obsolete Android boards that already have a universally understood operating system on them (Linux/Android), complete drivers, and comply with whatever communication standards you might encounter right out of the box — and can outsource or offshore hasty development of some crapware to make the thing almost sorta-kinda work. For pennies on the dollar compared to #1.

As we say in engineering, the three favorable attributes to a project are: Cheap, Fast, Accurate; pick two.

Nobody will ever opt for Option 1 these days. Option 1 is expensive and/or time consuming despite the end result being a really proper “MIT design”. Investors and executives might be willing to throw a few million dollars away on toy mobile social app development these days (seriously) but they will never authorize development of a serious engineering project that isn’t instantly gratifying unless you can somehow link a buzzword like “blockchain” or “IoT” or “cloud” or “big data” to it.

So you’re left, of course, with Option 2 — and that only because you spun the product as an IoT device. Despite the tendency to marry disaster early and outsource the software bits in an Option 2 project (behold! the fateful project grenade!), some rare managers might do a really solid job of Option 2 by, for example, hiring experienced local programmers for the software instead of offshoring the development of crapware.

So what is the end result? Any customer that buys your new thermostat/control device just placed a universal computing system onto its network with the following attributes:

  • Has an out of date OS your company is never going to pay to patch
  • Is equipped with a vast array of powerful wired and wireless networking interfaces
  • Has a GPS device
  • Defaults to trying to send data back to your servers (because IoT…ugh)
  • Has a microphone
  • Has a camera
  • Has a variety of old backdoors that your government mandated be put in place just in case someone had Japanese loli cartoons on their phone however many years ago

Those backdoors are still alive and operational, and by design are impossible for you to do anything about or even detect during a normal inspection. Of course, these backdoors will eventually be figured out by or leaked to other governments and The Bad Guys (and of course, those two factions may be the same depending on context).

Elements of the hypothetical situation above are already true. The control device development process — that choice between a custom device and shortcutting by using obsolete, discount Android boards — is something I’ve seen happen several times in real projects already. The missing piece is (hopefully) the universal backdooring part. Of course, backdooring is already happening a lot (you did check some of the linked resource material in the article, right?) but the universal mandate for backdooring is not yet in place — imposing something like that would require something like a moral panic to put in place.

Final Impact

The eventual impact of these backdoors is far-reaching and unpredictable, but it is certainly dangerous and strategically risky to have backdoors of any nature in widely deployed devices. We already are seeing IoT devices (security cameras, printers, door locks, routers, fence monitoring systems, teddy bears, thermostats, coffee makers, etc.) getting cracked on the network and enlisted in DDoS botnets on a scale that dwarfs anything that one could have ever hoped to accomplish by cracking notebook and desktop computers.

The risk inherent in placing wirelessly enabled, GPS enhanced control devices into service on physical plant and industrial control and monitoring systems is absolutely impossible to overstate. It is also impossible to overstate the strength of certainty that I feel when I say that this is, generally speaking, the future of control systems. The economics are just too good once the fundamentals get worked out. Dirt cheap commodity hardware pre-equipped with an OS everyone already knows how to write code for speaking universal protocols — all out of the box.

This is happening. It will be an awesome market upset and advancement of the state of the art if it is done well. If it is inadvertently subverted by the side effects of a moral panic, however, it could easily wind up making the backbone of our infrastructure control systems strategically vulnerable to everyone from governments to criminals looking for a technical ransom payoff.

Moral panics are designed to be uncomfortable to bear, but the subjects of today’s moral panics are all issues that boil down to simple moral degeneracy. These are the kinds of issues your parents set you straight on as a kid, not the kind of issues the government has any hope of influencing in a positive way. These are issues that can only ever be handled by families and neighborhoods performing their traditional role of instilling moral values in their members and enforcing those values with a combination of instruction, room-to-grow plus mistakes forgiven, wielding the natural tools of social discomfort to encourage morally conformant behavior, and acting on genuine personal concern and love that a government can never hope to replace.

Trading real families and parents for government regulators and a penal system is a bad tradeoff. Coupling that with the economic chaos that would follow The Great Infrastructure Crack might just do us in for good.