Inkwell: Authors and Artists

    
You say that our representative democracy, when it came to be, "...was
based on the facts that travel and communications were hard, and that
geographical groups needed to choose someone amongst themselves to make
laws in their name." Are you thinking that we no longer need mediation
of the popular will by a set of representatives? I would question
whether representative democracy exists because it was hard for more
people to gather or communicate. I think it solves a different problem,
the fact that important decisions require time, focus, and
consideration that people in general can't manage. And we can't very
well take the time to vote on all the particulars of governance, even
at a relatively high level. I don't think the solution is to move past
representative democracy, but to leverage the tools that create more
opportunity for input into governance. In the past, I've talked about
swarming the legislative process - which we can do very effectively
with new communications media, for instance. Unfortunately a few can
swarm more effectively with money than many can swarm with
representations of their will.
  

    
We could try non-geographic representative democracy.
  

    
In response to <jef>'s <22>:

These are good points, and precisely why the answers aren't easy.  We
could try to monitor every phone call, e-mail, Tweet, physical meeting,
and so on of every politician, and it still wouldn't make a
difference.  Those in power would still find ways to get around the
surveillance.  This isn't to say that open government laws aren't good
-- they certainly are -- only that more surveillance isn't always
better.

And cameras in every public space has similar revenge effects.  Giving
the more powerful increased tools to monitor the less powerful seems
like a societal mistake, not a utopian vision.  You might get fewer
people rolling through stop signs, but you'd get fewer new ideas and
original thoughts. 
  

    
In response to <jonl>'s <26>:

I'm not saying that we no longer need representation or mediation, but
representation based on geographical proximity seems arbitrary.  I am
not the one to reinvent democracy for the 21st century, although as a
security expert I'd like to be involved in the conversation -- but I
think that such a reinvention is both possible and desirable.  
  

    
Ubiquitous surveillance certainly has potential for abuse, to
put it mildly.  I don't see it as a utopian vision.  I see it
as inevitable, and now is the time to start thinking about how
we'll deal with it.  One vague concept I'm mulling is a requirement
that any government-run surveillance must be available to the
public.
  

    
Bruce, I'm wondering about data. We used to save and back up
everything on our own drives and servers. Now, with the move to mobile,
we are relying more and more on the Cloud and third parties. I'm not
even sure "who" I'm trusting in some of these scenarios or what
recourses I have in the event of system failure. I realize this is part
of the transition as the move to a digital world matures. What are
your concerns and recommendations about data protection for
individuals, businesses, and governments?

Similarly for identity. I'm not sure I can protect my identity much
any more; I'm more concerned about protecting my personal data. It
seems like I find myself more into branding and reputation scores;
trying to establish a record of my 'digital self' that can be enhanced
and defended. Comments, suggestions?
  

    
In response to <jef>'s <30>:

It's an interesting notion, but it's not obvious to me that making
government surveillance more broadly available is a solution.  Already
we're seeing corporate uses of government data on individuals. Do we
really want more of it?

An example might be my local airport in Minneapolis.  I know that
security there uses vehicle-mounted cameras to take a complete
inventory of license plates in the parking lots every night.  Is that
the sort of data I really want sold to data brokers and telemarketers?

On the other hand, public scrutiny of government actions is generally
a good idea.  So maybe there's some middle ground that works.
  

    
I was puzzled by the statement on P. 179 that "A corporation is
legally required to follow its charter, which for a non-profit
corporation means maximizing shareholder value."  I'm guessing that the
"non-" is a misprint?
  

    
Since corporations are persons, shouldn't that now read "A corporation
is legally required to follow his or her charter..." :) 
  

    
Seems to me that sexless and souless persons should be "it."
  

    
Hoping this isn't too far off-topic: 

Many believe that a for-profit is required by law to maximize
shareholder value, but my understanding is that no law includes this
requirement. Noting that I'm not an attorney, I suspect there's an
enforceable requirement to follow the charter or whatever agreement the
corporation has made with its shareholders, and an assumption that the
charter would include an agreement to maximize shareholder value seems
reasonable. But it could include other agreements, and there could be
other ways to define value than profit (e.g. where a company might put
social responsibility first, and include that in the charter).
  

    
The book says "A corporation is legally required to follow its
charter"; that's true, or what's a charter for? (Of course the board
gets to draft the charter as widely as they like.)  But "maximizing
shareholder value" as the Prime Directive, no, even at a for-profit
corporation (whether male, female or none of the above). There are
case-law limits on how far corporate shareholder value may be
disregarded - in one famous instance a court determined that Henry Ford
was using his company as a personal piggybank - but in general a
corporation is allowed pretty wide latitude in deciding what is to the
ultimate long-term benefit of its owners.
  

    
Very few modern corporations have a specific charter. Where permitted,
the typical charter or purpose stated in a corporation's articles is
something like, "to engage in any lawful act or activity for which
a corporation may be organized under the General Corporation Law of
California other than the banking business, the trust company business
or the practice of a profession permitted to be incorporated by the
California Corporations Code."
  

    
> Very few modern corporations have a specific charter

They learned from their predecessors' mistakes.
  

    
Bruce, in my years as an Internet rabble-rouser, I've run across many
mostly-honest tech savants who felt few qualms about "defecting" in a
particular context - e.g. downloading and sharing copyright content, or
breaking into secure systems just because they can. It's arguable
whether they're harming anyone, but they're clearly flaunting "the
rules." And there's the phenomenon of trolls and griefers in various
online contexts - people who can be just fine in physical social
settings, but do the Mr. Hyde thing when they're online. Why do people
who probably wouldn't "defect" in their day to day physical world
choose to do so when they're online? 
  

    
Because the Founding Nerds of the Net failed to implement
a nose-punching protocol?
  

    
In response to <tcn>'s <31>:

No argument that this is a problem.  My concerns are obvious, but I
really don't have any good recommendations.  We're being forced to
trust companies more (and more companies) with our personal data
without much in the way of contracts, agreements, and so on.  And while
I might still run Eudora for my e-mail, that's not a viable option for
most people.  Everyone's e-mail is in the cloud.  And Facebook just
doesn't make sense if it isn't in the cloud.

My only suggestion is to agitate for a legislative environment
conducive to privacy and security, even in this sort of environment. 
I'm not optimistic in the near term -- the police like the easy
accessibility of this data just as much as the corporations do -- but
it's our only hope in the long term. 
  

    
In response to <ronks>'s <33>:

Yes.  As far as I know it's the only meaningful typo that made it
through the editing process. 
  

    
In response to <jonl>'s <40>:

We don't know.  There are a lot of theories: anonymity, the lack of
social cues, a group mentality that rewards extreme behavior, specific
things about the environment.  It's probably a combination of things. 
  

    
And I suppose it could be different drivers for individual actors,
hard to generalize.

You're a security specialist, and in the book you talk a lot about
security systems. Can you discuss briefly where security systems fit
in, and where they're most effective?
  

    
Resonant with the aspect of reputational pressures covered in the
book, I'm reposting a link here that Ted Newcomb had posted in another
part of the WELL (thanks, Ted!):

Welcome to the new reputation economy: http://tinyurl.com/92ub3dl

"An aggregated online reputation having a real-world value holds
enormous potential for sectors where trust is fractured: banking;
e-commerce, where value is exponentially increased by knowing who
someone really is; peer-to-peer marketplaces, where a high degree of
trust is required between strangers; and where a traditional approach
based on disjointed information sources is currently inefficient, such
as recruiting."
  

    
re: <45> and <46> above, it seems like were on new ground, staying
with the cyberspace as territory metaphor. What's on the horizon for
security in the near future? And what are the implications of cyber
terrorism?
  

    
In response to <jonl>'s <45>:

Security systems fill the gap where other societal pressures fail.

Let me step back.  In my book, I identify four broad classes of
inducements that push people to behave cooperatively: honestly, fairly,
compliantly, etc.  I call these "societal pressures."  They are
morals, reputation, institutions (laws), and security systems.  I'm
skipping over a lot of detail here, but you can think of them as all
working in tandem.

Take stealing.  Most of us don't steal, most of the time, because we
know it's wrong.  Or we'll feel guilt or shame if we do.  That's our
morality talking.  Some of us don't steal because of how other people
will react to it.  (If I invite a friend over to my house and he steals
my sweater, I won't call the police -- I just won't invite him over
anymore.)  A few of us don't steal because it's illegal, and we fear
the punishment.  And the rest of us don't steal because of the door
locks and the burglar alarms.

That's the role of security systems. 
  

    
That seems to imply two levels of "defector" - those that would vary
from the societal norm and steal but for the security systems that
prevent them from doing so, and those that will look for ways to defeat
or work around the locks and alarms so that they can steal anyway -
i.e. thieves and  burglars. Am I oversimplifying?
  

    
In response to <jonl>'s <49>:

Yes, but it's a useful oversimplification.  More specifically, there
are four levels of defectors.  Most of us don't steal because we know
it's wrong.  Some of us don't steal because of how others would react
if we did.  Still others don't steal because it's illegal.  And the
rest of us don't steal because of the door locks and burglar alarms. 
All four types of societal pressures work together to keep the theft
rate down to some acceptable societal minimum.

This is where I think my model is valuable to a security practitioner.
 In general, security concerns itself with systems like those locks
and alarms.  I argue that security is best conceptualized more broadly,
and including morals, reputation, and institutions gives us a more
comprehensive -- and more effective -- security toolbox.

Here's a great example.  Think of an office coffee machine and an
honesty box.  The protocol is simple: when you take a cup of coffee,
you're supposed to put a quarter in the box.  No one is watching, and
there are no security measure in place to ensure compliance.  The moral
inclinations of the coffee drinkers are the only thing that induces
them to put quarters in that box.

This is also a good setup to collect data on honesty.  You can measure
the amount of coffee drunk, count the number of quarters in the box,
and have a good idea of what percentage of people paid.

What some researchers did was put a photograph of a pair of eyes
behind the box.  (The control was a photograph of flowers.)  And what
they found that the photograph significantly increased payment.  It's a
fascinating security mechanism: simply a reminder that someone might
be watching induced cooperation.

In our information-age hyper-networked world, I think we need more of
this sort of security thinking.

I think our discussion is about done.  Thanks for having me.