The Industry that Wouldn’t Learn: Social Media and Cybersecurity

The media is rightly targeting the matter of how we will prevent the 2016 debacle from repeating itself in the 2020 election. The problem was a mix of cybersecurity disasters, corporate missteps (which we don’t expect) and greed (which we presume to be baked in), and as you’re all aware, 21st-century propagandizing by a 400-pound guy in bed.

As for the specific problem of our actual voting machinery — to the extent the machines themselves are not wired to the internet — that problem is somewhere between unsolvable and “Boeing 737Max-unimaginably-difficult.” So I won’t propose to solve the problem of having a paper audit trail on voting machines. But for all other matters, the electronic techy ones, I’m telling you that this is the industry that refuses to solve its problems… and how it could if it wanted to.

The answer to all ‘why’ questions is money. Hold that thought and we’ll circle back to it.

  1. Companies Must Stop Sending Links in Email. The vast majority of cybercrime seems to start with malicious links in email. To solve the problem of cybersecurity, first and foremost, no one should be sending links in emails until the underlying problem that malicious links cause is permanently solved by the software systems we use: email and browsers. And who do I mean by “no one”? I mean companies. Every company should declare to its customers, “We will never send you a link, or any phrase that can be interpreted as a link, in an email. Instead we will only tell you to visit our website and enter a hashtag or similar search term… or click the link on our home page… or call us at the phone number you can find on the website.” Of course individuals will still send links, but at least you should know who’s sending it to you. And they’re probably sending you a malicious link that you shouldn’t click anyway. This remedy can be accomplished in 24 hours… if the right point person popularized it, and it doesn’t have to be a politician.
  2. Make Apple and Microsoft improve Windows Task Manager and Mac Activity Monitor. To put it bluntly, our computers need to at the very minimum tell us what the fuck is running on our own god-damned computers. I am a ‘usability professional,’ meaning I’ve tried to make software friendlier since 1985, so here’s where we’re going to get into the details of software design. It’s not easy; you make recommendations that are often slam-dunks in favor of users and 9 out of 9 times (you thought I’d say “9 out of 10”?) you get shot down, indefinitely deferred, or ignored. Both Windows and Mac have utility programs to tell you what “processes” are running on your computer. And in recent years, both systems seem to do a better job of forewarning you of new processes being installed and asking permission first. But it seems like a very incomplete system. The main problem I observe is that the process managers don’t show you full information. Neither shows the exact description of what the software does. Windows shows you the manufacturer but not for all processes; Mac doesn’t show manufacturers. If they were serious about eliminating viruses and malware, they’d improve the tools we have. Show every process, its maker, and in well-written descriptions, its purpose. And allow every process to be permanently eradicated by the user in a single action.
  3. Institute GDPR-like laws on malware and all software. Europe has shown that our computers can be treated like utilities similar to pipes that supply drinking water… by making socially responsible rules for how the suppliers of the water must act. Europe’s Global Data Protection Regulations might not be perfect, and might not be fully enforceable, but at least they’re a starting point to get the bad guys to either play by rules or pay a price eventually. GDPR mandates, for instance, that privacy policies must be legible. Of course this is hard to control, but if you don’t start with the goal what chance do you have? The operative expression here is that we “not make the perfect the enemy of the good.” In other words, if the only way to achieve a good result is to aim for perfect, so be it. We have no choice but to aim for perfect.
  4. Make malware a serious crime. With rules in place, make the penalties substantial, not slap-on-the-wrist penalties. Companies must be fined in proportion to their revenue and profits, not meaningless absolute dollar amounts. And repeat offenses and outright financial crimes must mean jail time.
  5. Social media must default to private content, then email-validated, then unique email validated, then snail mail validated. I’ll explain. We are told that in the 2016 US election a flood of fake news on social media fomented discord and division, and amplified messages that further entrenched voters’ biases. It sounds like a sad, nearly unbelievable commentary on the education level of our electorate but I’ll take it as the working hypothesis upon which a remedy must be applied. Facebook, Twitter, and their ilk have very low barriers to entry for uniquely identifying oneself. Most systems merely request an email address per account. Anyone with trivial technical skill can make an unlimited number of email addresses, and therefore unlimited social accounts from which to spout gibberish, or outright propagandistic lies. And the web companies make money in proportion to the number of these accounts because, one way or another, all volume translates to advertising revenue. Like the newspaper business, in which publishers engage in a constant game of showing ‘circulation numbers’ to influence advertising dollars, the web plays the same game. Fake accounts might not directly inflate ad dollars from “eyeballs” but accounts are the first love of any website, even if 100,000 accounts are from one workstation in a Baltic state that never buys a thing on Amazon. As I said, the answer to all ‘why’ questions is money. But there are varying levels of account verification, to determine if people have only one account on a platform. Beyond mere email verification, accounts could probably be limited based on IP addresses to prevent mass accounts. Even more personal validation could be achieved with snail-mail validation, sending paper mail to a street address before considering an account to represent an individual. Somewhere in between is validating accounts by credit card, but that might be a bridge too far for mere social media companies; better to have a free democratic society compromised than hand over another credit card number for hacking. Once all accounts are ranked on a continuous scale from Snail-Mail Verified to Scammer With 10,000 Accounts, the Facebooks and Twitters of the world can set the default level of what you see in their public feeds to the most verified, and then let you explicitly and voluntarily opt in to see the scammer level. It’s not a perfect solution, but the perfect should not be made the enemy of the good. Of course this is all separate from your private feed, which is comprised of the people you’ve friended.
  6. Microscope. There’s one more method, a more difficult one that won’t be commonplace, at the rate we’re going, until about the year 2040. I call it microscope. It’s like Task Manager/Activity Monitor but another level of visibility into the software running on our own computers. For instance, consider some annoying problem you’re having on your device, whether it’s malware that won’t go away no matter what you delete, or a hundred accounts that you involuntarily started following on TwitterInstaBookOGram or whatever. Microscope would let you open a list of everything that happens on your computer, down to the smallest detail. Software folks, after they’re done telling us how impossible this will be, will tell us that most of that stuff is already somewhere in some log or whatever. Right, but it’s illegible. When microscope arrives it will be legible by all of us and show almost as much detail as Amazon, Facebook, and Google already have about our every movement.
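
A company that adopts the rule in item 1 needs a way to hold its own outgoing mail to it. The pre-send check below is an added example, not part of the original post: it scans a message for hrefs, explicit URLs and bare domain names that a mail client would turn into links. The function names, the TLD list and the example.test sample mail are assumptions made for this sketch.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Explicit URLs, plus bare host names that mail clients tend to auto-link.
# The TLD list is an assumption for this sketch, not an exhaustive set.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
BARE_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|test)\b", re.I)

class _HtmlScan(HTMLParser):
    """Collects link targets and the visible text of an HTML part."""
    def __init__(self):
        super().__init__()
        self.targets, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.targets += [v for k, v in attrs if k in ("href", "action") and v]
    def handle_data(self, data):
        self.text.append(data)

def find_link_violations(msg):
    """Return (kind, value) pairs for everything a reader could follow as a link."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and attachments
        body = part.get_content()
        if part.get_content_subtype() == "html":
            scan = _HtmlScan()
            scan.feed(body)
            found += [("href", t) for t in scan.targets]
            body = " ".join(scan.text)
        found += [("url", u) for u in URL_RE.findall(body)]
        # Strip explicit URLs first so their host names are not counted twice.
        found += [("bare-domain", d) for d in BARE_RE.findall(URL_RE.sub(" ", body))]
    return found

def build_sample(text, html=None):
    """Constructed sample mail; example.test is a placeholder domain."""
    m = EmailMessage()
    m["Subject"] = "Account notice"
    m.set_content(text)
    if html:
        m.add_alternative(html, subtype="html")
    return m

BAD = build_sample("Reset at www.example.test/reset or example.test today",
                   '<p><a href="https://example.test/reset">Reset password</a></p>')
GOOD = build_sample("Visit our website and enter the search term RESET-HELP, "
                    "or call the number shown on our home page")
```

Run as a gate in the sending pipeline, a non-empty result from `find_link_violations` blocks the message; `GOOD` is worded the way the pledge in item 1 asks and passes clean.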
