Security is love

Let's start with a story of real piracy. Formed in 1988 the Avast company is probably known to you for it's anti-virus products. It began as a non-profit foundation for community development. Today it's a global cyber-security empire worth $8 billion, employing almost 2000 staff in 25 offices around the world. Many people place a lots of trust in their security products which include anti-virus, firewalls, and password management. It has 435 million monthly subscribers.

However, Avast anti-virus and browser extensions were found to collect user data and store it indefinitely without the proper knowledge of customers. Not just a little bit. Not just visited sites. But very detailed information from hundreds of millions of users over ten years - "more than eight petabytes of browsing information dating back to 2014". This sensitive data, which can be deanonymised and therefore identifiable against each individual user includes videos watched, search queries, religious beliefs, health concerns, political views, locations, and financial status. It was then resold to over 100 companies for targeted advertising through a subsidiary company. On January 30, 2020 Avast announced that it would cease reselling personal data when the FTC found it guilty and issued a $16.5 million fine.

That's obviously a massive betrayal. But why single out Avast? No reason in particular, they were just the company on the front page the day I wrote this article. And it seemed like a good place to start the story.

Anyone whose been paying attention to technology news this past decade knows such criminality is rife. Despite governments issuing companies millions, even billions in fines, they shrug it off as the cost of doing business. Big tech companies spy on you, violate your privacy, steal and sell your data with impunity.

In fact it's become the standard business model in tech and follows a pattern of building trust, and then burning it to "pivot" or cash-out. Enshitification is this elevation and then degeneration of digital platforms. According to the Financial Times it is a problem endemic to every commercial online service.

Personally, I somewhat prefer cryptogram commenter Clive Robinson's take on what is a timeless craft of;

Bedazzle, Beguile, Bewitch, Befriend, and Betray

More concretely in cybersecurity the ruse is;

• Get people to trust in a product by scaremongering, false promises or threats.
• Get people to depend on the product, through network effects, lock-in, social pressure, or even buying regulatory mandates.
• And finally, use that dependency to betray customers, such as selling the company to an unethical acquirer, breaching your privacy or compromising your assets.

It might help to look at some concepts in play. Let's start with trust. In Ross Anderson's Security Engineering book, we can find a good distinction of trust from trustworthiness.

If something is trusted that may be a good or a bad thing. A rock climber trusts a rope, or in other words depends upon it. If you drive to work each day you trust your car. If it breaks down you can't work. You might lose money or even your job. A whole series of things can depend on something trusted. It is the proverbial link in a chain.

However, if your car has never broken down in 20 years you might claim it is trustworthy. You have some evidence to believe it may continue to be worthy of your dependence on it.

As with science, the evidence necessary for trustworthiness must be gathered, not given by "assurances". The required conditions are choice, access, legibility, understanding and verification. Let's examine these.

Let's say we put our trust in something. Is that trust deserved if every week the product becomes outdated and needs replacing or (as the trick goes in tech… "updating")? Of course we are used to consumable products like milk, or light-bulbs. However, we understand why these products need replenishing. Does that work for cybersecurity?

What are we now trusting? The product, or the supplier's honesty? Can we trust online updates of computer products if companies can use them to sabotage our property for their own profit?

This is somewhat related to solutionism, the dangerous ideology of Silicon Valley criticised by Evgeny Morozov as the spirit of digital capitalism, whereby we solve technologically created problems by adding ever more technology, that in turn creates other new problems in the process…

So far we've only considered that the solutions fail to solve our needs. There is a next stage of rotten technology. Something is iatrogenic when it sets out fix something but in the process makes it worse.

An example of a technology that makes things worse is digital key fobs for cars. Auto-theft has gone up enormously since it became quite easy to steal cars due to poor electronic security. Despite people generally disliking this technology and preferring old-style metal keys, manufacturers continue to push it onto drivers who now revive the use of old-fashioned steering locks to stop cars with the latest technology from being stolen.

Another technology that simply begs us to suffer more problems than it can solve is infrastructure-level system management tools, centrally managed supply chains and indeed things like password managers. Any tools that, "for convenience" put all our eggs into one basket, are going to fail catastrophically at some point because they work against the principles of risk distribution and hybrid/diversity vigour. They make class break scale attacks more likely. In 2020 compromise of the Solarwinds Orion system left 30,000 public and private organisations wide open to backdoors and malware, and allowed hundreds of thousands more systems connected to them to be infiltrated.

But there is something still worse. The Shirky principle is the adage that "institutions will try to preserve the problem to which they are the solution". This maxim is almost a gold-standard in systems theory, with variations in Pournelle's Iron Law of Bureaucracy, Gall's Systemantics, Meadow's leverage points and Jane Jacobs work on urban complexity. It also relates to that Upton Sinclair quip that "It is difficult to get a man to understand something, when his salary depends on his not understanding it".

In a nutshell, this is the "Security Industry". Or perhaps more appropriately the Insecurity Industry which is starting to look more and more like a protection racket as a handful of monopoly mobs duke it out for rights to capture the rest of us as chattel in their walled gardens. The problem is that it's a business and set of products with no real incentive to actually protect customers.

The psychological allegory we give this is factitious disorder, also known as Munchausen Syndrome by Proxy. It's where an ostensible caregiver keeps a patient sick in order to continue the caring relation for their own benefit.

Never before have there been industries so perfectly placed to create the problems for which they sell the solutions. And never before have we strayed so far from anything resembling "free markets" but still under the illusion that we live in demand-driven free-market capitalist economy.

Are we being cynical here? Surely nobody would create security problems simply to make money by selling the solutions? Doesn't this violate the broken window fallacy? To understand more let's move on to our next factor; psychopathy…

None of this might happen if computer technology was run by nice people. It is maybe a somewhat overplayed trope that business leaders are disproportionately psychopathic. But one area of enormous concern remains around psychological attitudes in tech. Here, controlling behaviours, arrogant down-talking, manpsplaining, cult-like assumptions of normativity and ugly domineering behaviours are rife.

Maelle Gavet's Trampled by Unicorns is a catalogue of technology companies staffed by people lacking human empathy and worldly understanding, who lack self-regulation and massively overvalue immediate rewards while avoiding complex, humane or long-term thinking.

The characters of Peter Isherwell (played by Mark Rylance) in Adam McKay's "Don't Look Up" and "Dr. Strangelove" (Played by Peter Sellers) in Stanley Kubrick's eponymous film, epitomise the grandiose exceptionalism of the "tech-bro" narcissistic psychopath - who just wants to make the world a "better place" (for profit).

These seem like exactly the wrong people to be within a clear country mile of securing other people's digital lives. Indeed, we all know exactly what Mark Zuckerberg thinks of his Facebook users.

The thing is, to offer anything that even looks like security one needs to care, to plan, to think ahead and hold what one cares for in mind as a mother offers security to her child. Psychologically this model of security is clustered somewhere close to the common conception of love. It may be contrasted with protection as a provision, which feels like a more masculine flavour of security. Whether or not security can be thought of as "gendered", this still reveals a deep and fundamentally different concepts of security.

But this is nothing new. In the 1960s Joseph Weizenbaum, creator of the original AI chatbot, wrote much about the ethics and indeed the human purpose of coding, and the misuse of digital power. His Computer Power and Human Reason remains a classic paper. His work is still analysed today, and is highly recommended for anyone worrying about AI.

Unfortunately, modern corporate software is a train-wreck of hastily thrown together cruft, built with the purpose of extracting money. It's pushed by smartly dressed, confident sounding apologists who speak nonsense and lies about reliability, security and ethics. Google famously fired two consecutive chief ethics officers, and the role, while grand in name, is generally considered untenable in any large technology company.

Computers seem to do something to certain people who get power and profit from them. Like firearms or cars, perfectly normal people like your mother or neighbour can become monsters in the presence of technology. Action at a distance, diffusion of responsibility, and quasi-religious idolatry are, according to Andrew Kimbrall, a gateway to Cold Evil, where latent malevolent, authoritarian and aggressive traits are unleashed. To some kinds of people, all technology regardless its ostensible use as a "tool" becomes a weapon

Fifty years after Gerald Weinberg gave us egoless programming, tech execs are unable to separate their puff, bluster, pride, and brand image from common-sense practical engineering. Whether it's selling personal information, installing spyware, or deliberately breaking people's devices they seem to have almost no ability to shield their customers security from their own greed.

So, thinking rationally for a moment; for our security, would we naturally choose psychopaths wielding defective weapons?

The answer, bizarrely, is yes, but it has little to do with rationality.

So how much of the dreadful security landscape is our own fault? "Strong leaders" invariably turn out to be bad choices. Sadly our brains seem wired to confuse strength with competence. Big Tech companies project themselves as powerful in order to command our fealty. When we are in doubt about cybersecurity we tend to turn to established brands as havens of safety. Let's use Diane Dreher's checklist from this Psychology Today piece to see why;

Let's start to bring some of these threads together.

We seem drawn to strong, powerful, psychopathic forces, especially if they indulge our vices, allow us to be lazy and hide the truth from ourselves. Strangely IT and computers embody this "technofascist" element for many ordinary people who are cowed by technology. Big Tech companies epitomise this attractive but abusive creed.

We are happy to pay them for the right to stay ignorant. They are happy to sell us junk that merely creates more problems for which they sell more junk solutions. Somehow, not only are we held by this feeding cycle, we feel contented within it. We're always just one fix away from the perfect system and from existential security. Readers of Orwell's Nineteen Eighty Four will recognise this ever shifting landscape immediately.

Readers of a different flavour of psychology may instead recognise a common attachment pattern. John Bowlby worked on the stages of human development from childhood into adulthood, including attachment, separation and individuation.

To become an adult we have to take on board responsibilities. We learn to make conversation, to win arguments, find and keep a job, manage money, start friendships, cook, clean, exercise and look after our body and mind.

In the digital age that includes basic digital skills and literacy. But society has not yet caught up with recognising what those qualities of the "digital adult" are.

In developmental psychology we recognise the horrible effects of violent, abusive and treacherous caregivers. We see how overbearing, suffocating mothers, demanding fathers and helicopter parents block maturation and cultivate dependency. Instead of growing up, we get adults in stages of arrested development with avoidant or disorganised ways of seeing the world.

People in this state make easy victims for predators who, like drug dealers, develop factitious (Munchausen by proxy) relations with them. They are kept in a perpetual state of insecurity, forever beholden to the suppliers of "security". Unlike a social contract or parental relationship, there is nothing to gain from this arrangement for the party that is held down, and no hope of exit from it.

We are going to very quickly revisit "trustworthiness" and highlight one condition.

Trustworthiness includes the freedom to join or leave.

This should feel natural, as all of the other conditions we saw earlier have corresponding ideas in contract law, understanding, legibility, consideration. Very importantly in contract law we have entry and exit conditions, like capacity and termination.

Put more simply, nobody can be compelled to trust.

Unfortunately, as it is configured today cybersecurity is blighted by a number of serious principle agent problems. For the average person computer security revolves around a handful of near-mandatory monopoly providers who create the problems, the solutions and increasingly the rules of the game.

These "principle agent" problems seem so out of control that despite the valiant efforts of the European Union many security thinkers now feel that nation state legislatures have given up.

Wherever we live, as computer users, whether on desktops or smartphones, we feel ever more as if in the presence of an occupying empire. This is why we believe in and promote Civic Cybersecurity.

Amidst such a depressing and galling problem it became necessary to set up a different kind of cybersecurity company, and a different kind of cybersecurity education.

At Boudica we don't train you in how to secure your Google phone, Microsoft desktop or Amazon cloud against attackers. For us, Big Tech companies are the cybersecurity problem.

Many of the courses we run start with a detailed systems analysis and review of your attack surface, with one clear goal in mind - getting you free from Big Tech risks and into a state of manageable independence. It is "cybersecurity for grown-ups".

One of the exercises involves finding places where you "feel you have no choice", get stuck in patterns of mistakes and use something risky simply because it feels good, or is needed to inter-operate with a particular client or process.

Unsurprisingly, Boudica programmes are rooted as much in psychology as they are in mathematics, code and protocols.

We're not embarrassed to say that real security is like genuine love. It seeks not to control, make dependent or hold the other in debt. Instead the idea is to impart understanding, agency and empowerment. It is the proverbial "teaching a man to fish" or, as was once the aspiration of higher education, for students to "learn how to learn".

It would be easy to sell you something that makes you keep coming back. We're most happy when we never see our customers again, because you went off and got on with life building your business or just feeling safe in the digital world.

At Boudica our model of security is founded on understanding, autonomy, radical scepticism, focus, minimalism, and elegance. It is more about what you do not do than what you do.

In any secure relationship the other is always an equal partner. We try to teach that principle not as a glib touchy-feely aside, but as a foundational principle of system design and technology. Obviously love that is forced is never for the benefit of its object. At best it is clumsy and pitiful, at worst it is harassment and rape.

Security that is forced on people is no security at all. At best it is a simple commercial extraction, at worse it is a criminal protection racket. As reasons go, "for your own good" is never an acceptable reason. Security is always aligned with freedom. That includes "Ensler-type" security - freedom from other people's imposition of security.

Today, millions of companies suffer extreme inefficiency because security is a burden on them. Ideas like "boss-ware" to spy on homeworkers, and surprise internal phishing raids, hurt everyone and cost a fortune in anxiety, suspicion, loss of goodwill and time spent circumventing and gaming systems. Bad security, which gets off on the wrong foot, is worse than no security at all, because the illusion of safety makes us all more vulnerable.

Perhaps the lesson to learn from Avast is not that they're a bad company who betrayed their users, but that relying on "security products" of any kind is a mistake.

Indeed, turning to big technology companies for security is a terrible mistake. They are blind profit machines essentially incapable of love and care. If all they have to offer is security without love, all they have to offer is a kind of tyranny.

Real security is a design stance, a mindset, a way of thinking and being that stops you from getting mixed up with substandard technology in the first place.

Much cybersecurity education and training is funded by sellers of security products and connected with big business. All are ultimately conflicted in their loyalty to their customers.

If you're interested in pioneering psychological approaches to cybersecurity come and visit us at Boudica. We teach principles not products, empowering knowledge and ideas that will last a lifetime and go with you wherever your career turns.