Hi,
If you’re in the broad professional orbit of folks who turn ideas-into-other-ideas for money, you probably are getting Too Many Newsletters. Since I’m doing this for free — and you’re kind enough to give me your time to read it — I intend to keep on publishing this on the willfully irregular timeframe of “whenever I have something I think you’d find interesting, mostly Sundays.” And even if I fail on the substantive content part, well, I put the animal memes at the bottom for a reason.
So here are some things I’ve been thinking about over the past two weeks:
Selling like a State SaaS
In this newsletter, we talk a lot about the risks of government invasion of privacy. [0] In general, that tends to take the format of pointing out the problems with Bill Barr wanting to have a backdoor into your phone and promising that he won’t use it for shenanigans.
But I think there’s another angle that’s really worth exploring, and one that we’ve been seeing expand of late. It’s long been the case that governments make demands of information technology and communications providers to aid in their law enforcement investigations at the local, state, and federal levels. The implications of the Title III wiretapping, pen register, email subpoena, and similar authorities, and the complex ways they’ve been implemented, were basically unforeseeable to the society that they were created in; too much has happened. But those authorities, though far-reaching, and often interpreted by Justices and judges with a shockingly poor understanding of technology, have long relied on a sort of set of implicit assumptions:
1) Technical surveillance is hard, and way more expensive than good-old-fashioned stakeouts, and;
2) It requires a big, corporate, 3rd-party organization to be compelled to help.
But what if that wasn’t true?
———————
Talk to folks expert on starting a business with computer-y stuff, and they’ll tell you that the best business model is selling enterprise Software-as-a-Service (SaaS). It allows you to get recurring, not one-time revenue. It allows you to monetize your users up to their willingness to pay over time as they use more features. It allows you to improve those features based on user feedback. And, if you price it right, the first taste is cheap enough that a middle manager can buy it for a month or two on their corporate card and expense it (or even free), so you don’t have to get a meeting with the CIO to sell the damn thing.
Famously, this means that lots of enterprise SaaS products essentially ransom companies with data their own employees put there — they go to the company and (of course oh-so-gently) say, “We already have hundreds of users from your company on our product, and they’re writing about all sorts of your proprietary stuff on it. Don’t you want to pay us so you can manage it centrally and reduce the risk?”
———————
In the year of our Dumpster Fire 2020, we’re starting to see companies that do that, but with surveillance tools.
For example, Clearview AI sells access to its wildly-unethically (and arguably -illegally, depending on your view of the CFAA) scraped dataset of public photos to cops across the country; it has been reported that over 2,000 police departments nationwide have tried the tool. The LAPD had to ban its own employees from using the product after it was publicly disclosed that LAPD employees did 475 searches of people’s faces; you see, it turns out that cops aren’t supposed to do facial recognition searches without oversight and training. Clearview wants to be so easy to use that the average detective uses its tool rather than going through the right channels. Clearview — which is currently being sued by lots and lots of people — maintains it’s doing nothing wrong, it’s just selling a mathematical interpretation of publicly-available data.
But what of the aspiring private citizen, who feels that CCTV cameras just aren’t enough? Well, Flock Safety will sell your Homeowner’s Association an automated license plate reader (ALPR) to track the license plates of every car entering or exiting the neighborhood. According to Ella Fassler of OneZero, Flock’s pitch goes as follows:
“Live in an HOA or neighborhood? Work in law enforcement?” reads the intro text on Flock’s website. In either case, the call to action is the same: “Use license plate readers to capture evidence and stop crime.”
This is good, because as we all know, Americans famously trust HOAs not to be creepy, petty authoritarian, or stalker-y. Nothing bad could come of them having access to this data, I’m sure. And I’m sure there’s no risk of the features being—
Companies like Vigilant Solutions have some neighborhood license-plate readers that automatically funnel data into a nationwide license-plate database accessible to Immigration and Customs Enforcement (ICE), fusion centers, the Drug Enforcement Administration, and other federal agencies.
—Oh, right.
Look, there’s nothing wrong with innovation in public safety, or with people wanting to have more ability to protect their neighborhoods. But there is a real problem with random people having the ability to track you, nationwide, based on your face, or your license plate, or your neighbor’s Ring camera footage, or data from your prayer app, or whatever comes next out of a startup with more data to monetize than it has common sense.
How can we reckon with that kind of creepy spying on us, without the oversight of Internal Affairs, or lawyers, or judges? What happens when we wake up one day and realize that these companies have gotten a thousand little hooks embedded in our society, so much so that we cave and make a big, overarching deal with them to manage them, rather than simply telling them to buzz off?
Or, as my teacher Riana Pfefferkorn points out:

Reminder of FREE BOOKS
This is also an excellent time to remind you that, as I will continue to reference Seeing Like A State in many posts, and we are about to head into the winter vacation period, it is a great time to read this book. How else will you learn why Certain Schemes to Improve the Human Condition Have Failed?
I am also 100% willing to purchase a copy of this book for anyone who reads this newsletter (as of the time of this sending, offer not valid if one day I have 100K followers or something), because I believe it is that worth reading. Think about it: you’ll now be able to trade references about Brasilia! Mozambique! and German Tree Farming! with internet personages as diverse as Byrne Hobart, He Who Must Not Be Named By the New York Times d/b/a SlateStarCodex, patio11, and of course, my branding nemesis Dave Guarino. In other words:
(In a truly ironic move, this winter I purchased a copy of Seeing Like A State — as well as several of my other favorite books — to keep on my bookshelf to give away to folks who visited, if the topic came up in conversation. Hilariously, my all-seeing-Amazon-order-history [1] tells me that I did this less than 24 hours before I realized “oh, the balloon’s going up on COVID” and bought my first wave of supplies for lockdown.)
When a phishing ring has the bad luck of targeting a Google security team member, a story in 3 acts:




There’s a lesson, here, by the way. Think about the boring-but-important processes Google needs to enable its employees to update Chrome’s Safe Browsing blacklist in 32 minutes. We are still horribly, horribly failing when it comes to making the Internet safe, but occasionally the good guys win a round.
And if you’re in a position to influence an institution’s processes and technology, ask yourself how you can move that institution closer to a response that looks like this one.
Defeating bots is hard, purported human says:
May this birb bless your timeline:

May this cat resemble a cloth design:


May this wolverine join your ski patrol:
Other news:
The niche Paperwork Reduction Act policy proposal DC needs, even if it doesn’t deserve it
Even more niche material, confirming that we are letting a museum gap open up with Beijing
We’ve now hit the point where The Youths don’t understand why we all craved Gmail
Next time on Dave Kasten:
Is Stargate Physics 101 or Instruments of Destruction a better story of science-fictional project management?
Footnotes:
An earnest attempt to reduce my digressions
[0] Sometime soon, I need to invest an issue of this in specifically talking about the downsides of a privacy-centric mindset. I don’t think they outweigh the benefits, but I do think we need to confront the challenges that privacy tooling can cause to other anti-abuse efforts head-on.
[1] Even more ironically, I could not easily search for this order in my Gmail inbox, as Amazon has stopped listing what you order in its email receipts, only the price, to reduce Google and other 3P data providers’ ability to scrape sales data. Yes, the book about making-things-legible was sold to me in a receipt that was made illegible to Amazon’s competitors to defend Amazon against competing institutions. You can’t make this stuff up.
Disclosures:
Views are my own and do not represent those of current or former clients, employers, friends, or my cat.
I may on occasion use Amazon Affiliate or similar links when referencing things I’d tell you about anyways. As an Amazon Associate I earn from qualifying purchases; I donate the proceeds to charity. While Substack has a paid subscription option, I don’t have any plans to use it at this time and anyone who gets this newsletter now surely won’t ever be paying for their subscription.