Benlog

A few months ago, Sony’s Playstation Network got hacked. Millions of accounts were breached, leaking physical addresses and passwords. Sony admitted that their data was “not encrypted.”

Around the same time, researchers discovered that Dropbox stores user files “unencrypted.” Dozens (hundreds?) closed their accounts in protest. They’re my confidential files, they cried, why couldn’t you at least encrypt them?

Many, including some quite tech-savvy folks, were quick to indicate that it would have been so easy to encrypt the data. Not encrypting the data proved Sony and Dropbox’s incompetence, they said.

In my opinion, it’s not quite that simple.

Encryption is easy, it’s true. You can download code that implements military-grade encryption in any programming language in a matter of seconds. So why can’t companies just encrypt the data they host and protect us from hackers?

The core problem is that, to be consumable by human users, data has to be decrypted. So the decryption key has to live somewhere between the data-store and the user’s eyeballs. For security purposes, you’d like the decryption key to be very far from the data-store and very close to the user’s eyeballs. Heck you’d like the decryption key to be *inside* the user’s brain. That’s not (yet) possible. And, in fact, in most cases, it isn’t even practical to have the key all that far from the data-store.

encryption relocates the problem

Sony needs to be able to charge your credit card, which requires your billing address. They probably need to do that whether or not you’re online, since you’re not likely to appreciate being involved in your monthly renewal, each and every month. So, even if they encrypt your credit card number and address, they also need to store the decryption key somewhere on their servers. And since they probably want to serve you an “update your account” page with address pre-filled, that decryption key has to be available to decrypt the data as soon as you click “update my account.” So, if Sony’s web servers need to be able to decrypt your data, and hackers break into Sony’s servers, there’s only so much protection encryption provides.

Meanwhile, Dropbox wants to give you access to your files everywhere. Maybe they could keep your files encrypted on their servers, with encryption keys stored only on your desktop machine? Yes… until you want to access your files over the Web using a friend’s computer. And what if you want to share a file with a friend while they’re not online? Somehow you have to send them the decryption key. Dropbox must now ask its users to manage the sharing of these decryption keys (good luck explaining that to them), or must hold on to the decryption key and manage who gets the key…. which means storing the decryption keys on their servers. If you walk down the usability path far enough – in fact not all that far – it becomes clear that Dropbox probably needs to store the decryption key not too far from the encrypted files themselves. Encryption can’t protect you once you actually mean to decrypt the data.

The features users need often dictate where the decryption key is stored. The more useful the product, the closer the decryption key has to be to the encrypted data. Don’t think of encryption as a magic shield that miraculously distinguishes between good and bad guys. Instead, think of encryption as a mechanism for shrinking the size of the secret (one small encryption key can secure gigabytes of data), thus allowing the easy relocation of the secret to another location. That’s still quite useful, but it’s not nearly as magical as many imply it to be.

what about Firefox Sync, Apple TimeMachine, SpiderOak, Helios, etc.

But but but, you might be thinking, there are systems that store encrypted data and don’t store the decryption key. Firefox Sync. Apple’s TimeMachine backup system. The SpiderOak online backup system. Heck, even my own Helios Voting System encrypts user votes in the browser with no decryption keys stored anywhere except the trustees’ own machines.

It’s true, in some very specific cases, you can build systems where the decryption key is stored only on a user’s desktop machine. Sometimes, you can even build a system where the key is stored nowhere durably; instead it is derived on the fly from the user’s password, used to encrypt/decrypt, then forgotten.

But all of these systems have significant usability downsides (yes, even my voting system). If you only have one machine connected to Firefox Sync, and you lose it, you cannot get your bookmarks and web history back. If you forget your Time Machine or SpiderOak password, and your main hard drive crashes, you cannot recover your data from backup. If you lose your Helios Voting decryption key, you cannot tally your election.

And when I say “you cannot get your data back,” I mean you would need a mathematical breakthrough of significant proportions to get your data back. It’s not happening. Your data is lost. Keep in mind: that’s the whole point of not storing the decryption key. It’s not a bug, it’s a feature.

and then there’s sharing

I alluded to this issue in the Dropbox description above: what happens when users want to share data with others? If the servers don’t have the decryption key, that means users have to pass the decryption key to one another. Maybe you’re thinking you can use public-key encryption, where each user has a keypair, publishes the public encryption key, and keeps secret the private decryption key? Now we’re back to “you can’t get your data back” if the user loses their private key.

And what about features like Facebook’s newsfeed, where servers process, massage, aggregate, and filter data for users before they even see it? If the server can’t decrypt the data, then how can it help you process the data before you see it?

To be clear: if your web site has social features, it’s very unlikely you can successfully push the decryption keys down to the user. You’re going to need to read the data on your servers. And if your servers need to read the data, then a hacker who breaks into the servers can read the data, too.

so the cryptographer is telling me that encryption is useless?

No, far from it. I’m only saying that encryption with end-user-controlled keys has far fewer applications than most people think. Those applications need to be well-scoped, and they have to accompanied by big bad disclaimers about what happens when you lose your key.

That said, encryption as a means of partitioning power and access on the server-side remains a very powerful tool. If you have to store credit card numbers, it’s best if you build a subsystem whose entire role is to store credit-card numbers encrypted, and process transactions from other parts of your system. If your entire system is compromised, then you’re no better off than if you hadn’t taken those precautions. But, if only part of your system is compromised, encryption may well stop an attacker from gaining access to the most sensitive parts of the system.

You can take this encryption-as-access-control idea very far. An MIT team just published CryptDB, a modified relational database that uses interesting encryption techniques to strongly enforce access control. Note that, if you have the password to log into the database, this encryption isn’t going to hide the data from you: the decryption key is on the server. Still, it’s a very good defense-in-depth approach.

what about this fully homomorphic encryption thing?

OK, so I lied a little bit when I talked about pre-processing data. There is a kind of encryption, called homomorphic encryption, that lets you perform operations on data while it remains encrypted. The last few years have seen epic progress in this field, and it’s quite exciting…. for a cryptographer. These techniques remain extremely impractical for most use cases today, with an overhead factor in the trillions, both for storage and computation time. And, even when they do become more practical, the central decryption key problem remains: forcing users to manage decryption keys is, for the most part, a usability nightmare.

That said, I must admit: homomorphic encryption is actually almost like magic.

the special case of passwords

Passwords are special because, once stored, you never need to read them back out, you only need to check if a password typed by a user matches the one stored on the server. That’s very different than a credit-card number, which does need to be read after it’s stored so the card can be charged every month. So for passwords, we have special techniques. It’s not encryption, because encryption is reversible, and the whole point is that we’d like the system to strongly disallow extraction of user passwords from the data-store. The special tool is a one-way function, such as bcrypt. Take the password, process it using the one-way function, and store only the output. The one-way function is built to be difficult to reverse: you have to try a password to see if it matches. That’s pretty cool stuff, but really it only applies to passwords.

So, if you’re storing passwords, you should absolutely be passing them through a one-way function. You could say you’re “hashing” them, that’s close enough. In fact you probably want to say you’re salting and hashing them. But whatever you do, you’re not “encrypting” your passwords. That’s just silly.

encryption is not a magic bullet

For the most part, encryption isn’t magic. Encryption lets you manage secrets more securely, but if users are involved in the key management, that almost certainly comes at the expense of usability and features. Web services should strongly consider encryption where possible to more strictly manage their internal access controls. But think carefully before embarking on a design that forces users to manage their keys. In many cases, users simply don’t understand that losing the key means losing the data. As my colleague Umesh Shankar says, if you design a car lock so secure that locking yourself out means crushing the car and buying a new one, you’re probably doing it wrong.

Last night, I went to see Lessig pitch his latest book, Republic, Lost. His latest spiel is fantastic, fine-tuned, gripping, thrilling, inspiring. I’ve been an avid fan of Lessigian story-telling for 13 years now. The way he sets up his argument, the way he goes far beyond the obvious, far beyond the quick fix, and the way he absolutely destroys any shred of doubt that may remain about his thesis. I saw him giving one of his first “Code” lectures at Harvard in 1998. In 2002, I waited in line at the Supreme Court and got to see the last five minutes of his argument. I saw him in the TV studio debating Jack Valenti. I was at the Creative Commons launch in 2003. I saw his first Corruption lecture at Stanford in 2008. It just doesn’t get old.

The central thing I deeply admire about Lessig is that he takes on gigantic battles with care and determination. He’s not deluded about his chances, but he fights anyways. He looks for, and finds, incredibly aggressive wins. Copyright reform against the Disneys of the world didn’t work, but Creative Commons is genuinely affecting how we share. The corruption of the political process is an impossible challenge, yet Lessig sees a path, and I believe his is the the most likely path to success. I don’t yet know how Lessig will find the equivalent of the Creative-Commons-win in this much larger battle. But I know he’s thinking about it, and I believe that, in time, he will move the needle, significantly.

That kind of “crazy” optimism is deeply inspiring, because it is, indeed, the only way to change the world. Time is too precious not to focus on the big, gigantic, mind-blowing battles. Lessig reminds me of that every time I attend one of his talks.

So, a quibble. Lessig brought up one argument I’ve seen him make before: because vaccine policy is influenced by experts who may have received compensation from the pharmaceutical industry, people may lose trust in vaccine policy. Now let’s be clear: Lessig is not saying that vaccines are unsafe. He’s saying that, because some vaccine experts do not appear to be fully unbiased, it is understandable that people lose trust in vaccine policy.

I disagree, and I think it weakens Lessig’s argument to make this connection. I’d like to see Paul Offit and his peers deciding our vaccine policy (in a public forum of course), even though he’s getting rich from his amazing Rotavirus vaccine. Checks and balances in areas that require deep expertise cannot be achieved by banning from advisory boards all experts with a potential conflict of interest. In fact, that’s a recipe for disaster by way of mediocrity. We have other checks and balances for this. We can require peer-reviewed publications. We can fund counter-studies. We can let the truth rise to the top via competition. This country’s national vaccine policy is something to be proud of.

There is, however, a subtle but serious corruption in the medical world that should make it into Lessig’s slideshow: pharmaceutical reps routinely treat physicians to dinners, trips, etc. They leave free drug samples, they leave pens and paper pads with drug logos prominently featured, they suggest that new drugs are better than old tried-and-true drugs, and sometimes they very subtly suggest off-label uses. Drug companies receive prescription records for individual physicians: they know where they’re having an impact and can calculate very clear Return On Investment. The result: Vioxx. Physicians aren’t evil, but they are human. The grey areas in medicine are large and common, providing fertile ground for skilled influencing.

That needs to stop: where vaccine policy is a mostly public forum with competing ideas, there isn’t any oversight or counter-balance to drug-rep influence. We can change this. Doctors could be required to provide to all patients, alongside the insane HIPAA disclosure form, a funding disclosure form of all compensation received from drug reps. That disclosure form alone might make doctors think twice before prescribing a drug, and drug reps before paying for dinner. And institutions should follow the path blazed by Mass General, banning their physicians from accepting gifts and banning pharmaceutical reps from physician offices.

A few weeks ago, I became Tech Lead on Identity and User Data at Mozilla. This is an awesome and challenging responsibility, and I’ve been busy. When I took on this new responsibility, BrowserID was already well under way, so we were able to launch it in my second week on the project (early July). It’s been a very fun ride.

Here’s the BrowserID demo at the Mozilla All-Hands last week:

Given my prior work on email-based authentication (EmID, Lightweight Email Signatures, BeamAuth), you might think BrowserID was my brainchild. In fact, it really wasn’t. And, in a testament to the shrinking impact of academic publication venues, none of the BrowserID team had ever heard of my work on email-based authentication before I arrived at Mozila, even though Mozilla folks are quite well versed in the state of the art. But who cares: when I found out about the ongoing work and how we agreed on just about every design principle, I was incredibly excited. And when I realized the fantastic work the team had already done on defining a scaffolding and adoption path for the technology, I was super impressed.

BrowserID started with the Verified Email Protocol, designed by Mike Hanson and Dan Mills, who came up with the approach after extensive exploration of web-based identity approaches over the last two years. It’s a simple idea: users can prove to web sites that they own a particular email address. That’s how they register, and that’s how they log back in the next time they visit the site. BrowserID, the code and site, was initially bootstrapped by Lloyd Hilaiel and Mike Hanson. Shane Tomlinson and I joined the team in June. We now also have an awesome UX design team (Bryan and Andy) and the team continues to grow (yay Austin!)

So, that’s what I’m working on these days: BrowserID and other Identity+UserData efforts at Mozilla. I’m excited to be leading this technical effort. The team is amazing, and we’ve got big aggressive plans to help you control your identity and data on the Web.

Maybe it’s silly to add yet another story to the list of “where I was on 9/11.” I suffered no direct loss, while some people I know did. Many other world events were far, far more awful. But as I did experience 9/11 in person, I feel the need to write down some thoughts, some memories.

On the night of September 10th, 2001, I was having drinks with an old friend (I’m having trouble remembering which friend!) in Chelsea, about 3 miles north of the World Trade Center. We stayed up late. We talked about world politics, terrorism, the Middle East. So when the alarm clock radio came on a bit before 9am (hey, I’m a software guy), with talk of a plane hitting a building, I thought I was having some messed-up dream based on the night’s conversation. By the time I turned on the TV, the second plane had hit. My mom called. “Mom, that’s a second plane, it’s not an accident.” I got a call from my sister who lived a few miles uptown, she was fine, too. I noticed a voicemail from my friend and coworker Josh. His wife, who worked in the WTC, was fine, as she was away on a trip. Then the cell phones went dead.

I threw on clothes and comfortable clothes. I watched the first tower collapse on TV. I grabbed a backpack, put on jogging shoes, and ran out of my apartment on 21st street, between 7th and 8th avenues. From my street I couldn’t see the towers, so I headed to 7th avenue. By the time I got there, all I could see was smoke. I had to ask someone on the street: “where’s the second tower?”

I started walking downtown, towards my office in TriBeCa, about a mile north of the WTC. I panicked for a moment: what if this was just the beginning and more was underway? I stepped into a convenience store, bought 3 candybars and 2 bottles of water. As I walked downtown, I passed cars stopped in the street, doors open, people standing with their radios turned on, straight out of some apocalypse movie. Then I started seeing people covered in dust. I made it to my office just south of Canal St, walked in, and logged on. I think I spent an hour clicking “respond”, writing “yes, I’m fine, more later.”

I found an unused IP address on one of our servers and set up a page to list “I’m ok” messages. Looks like the Internet Archive has a copy. I remember thinking I might be aggregating thousands of messages from around the city, though in the end it was obviously limited to my circle of friends. I guess I wanted to help, in any way I could.

Somewhere in there I chatted with co-workers, emailed our clients and partners, told them we were alright, asked how they were doing. One of our clients was on Wall Street and lost a number of friends.

In the mid afternoon, my friend Greg and I went up on the roof of our office building and talked, looking down Greenwich St towards WTC 7 surrounded by smoke of the collapsed towers. We went downstairs, heard on the radio that WTC 7 had collapsed, ran back up, and sure enough, it was gone. That night, Amanda, Greg, my sister and I crowded into my little apartment, ate frozen pizza and watched the news until we couldn’t anymore.

One of my best friends was stuck in Pennsylvania on a business trip. He wanted to be home in NYC, but couldn’t.

I gave my team the week off.

The next few days were odd.

I wasn’t able to fly out to the West Coast that Friday to see my friend Rodrigo’s new baby.

I stayed up nights listening to fighter jets flying overhead. I participated in far too many email arguments about “how to respond.” I was crazy and emotional. I made stupid, childish arguments. Within a few weeks, I would be calmer and, I think, more reasonable. I wish our leaders had also taken a moment to breathe.

People started going about their business again. There was the smell of burn in the air, but people tried not to talk about it. People were nice. Very nice. I went out a lot. I followed my friend Arjun to see indie bands on the lower east side. I didn’t want to stay in, ever, I needed to go out and be with people. I remember a faux-french band we saw, the guitarist wore an “I [heart] NYC” t-shirt he’d modified to say “J’[aime] NYC”. They didn’t mention the burning buildings. No one talked about it. Instead people went out of their way to be friendly, to reach out, to help.

That was, in some way, the saddest part of that experience. Everyone wanted to help. Doctors waited for the wounded, but none came. People lined up to give blood, but none was needed. People lined up to help downtown but there wasn’t room for everyone. So we tried to help each other, in small ways, every day.

As of a few months ago, I’m no longer on a publish-or-perish academic track. Mozilla gives me the freedom to publish, but no pressure. Coincidentally, the publishing world is at a bit of a crossroads. Some organizations, like USENIX, are increasingly open: all papers are published for the world to see, many talks are videotaped and available openly. Others, like IEEE, are increasingly closed, with tighter and tighter constraints on authors, more paywalls and obstacles to the dissemination of knowledge.

I’ve got increased freedom, so I intend to use it. Starting today, I will not publish nor review papers destined for closed venues. Academic publications should be available for the world to read, to learn from, to build upon. If you’d like me on your program committee, if you’d like me to review a journal publication, if you’d like me to help with a paper, please understand that I will refuse if the conference/journal isn’t truly open. In the short term, this probably means I’ll only work with USENIX, and maybe IACR which appears to be moving towards true open-access.

My move isn’t exactly courageous. I have the luxury to make this decision, while many of my colleagues do not. I hope a few tenured professors make this move, though, as they have both the luxury and a good bit more influence than I do. Matt Blaze is starting down this path. Dan Wallach is helping tweak the IEEE approach. All of these efforts are incredibly important.

This is about free dissemination of knowledge. This is the point of the Internet. Academics who stand for discovery and learning should be outraged by the direction most publishers are taking today, and should at the very least encourage those publishers who are doing it well. Hesitating between ACM and USENIX? Go with USENIX. IACR holding a vote on open-access publishing? Make your voice heard.

Google just introduced Google Plus, their take on social networking. Unsurprisingly, Arvind has one of the first great reviews of its most important feature, Circles. Google Circles effectively let you map all the complexities of real-world privacy into your online identity, and that’s simply awesome.

You can think of Circles as the actual circles of friends you have. The things that are easy to do in real life, like sharing a fun anecdote with the friends you generally go out with on Saturday nights, are easy to do in Circles. The things that are hard to do in real life, like planning your best friend’s surprise birthday party with all of his close friends but without him, are no easier in Circles: you have to make a new list of “everyone except Bob.” That’s great, because I don’t think our brains have evolved yet to really feel comfortable with a social model that supports all set operations, e.g. this circle minus this other circle. That’s usually how we get caught lying. (I mean the lies everyone tells as part of their normal social interactions.)

The most important point is that this feature shatters the previously universally accepted idea that privacy must change dramatically given social networking. For a few years, Facebook has defined the Laws of Physics of social networking. On Facebook, it’s not possible to show different people a different face. On Facebook, relationships are, for the most part, symmetrical. And so we all believed that this was the inevitable path forward with social networking. We conflated the fact that users wanted to connect online with the constraints that Facebook created, and we assumed users wanted those constraints. We forgot that software engineers define the Laws of Physics of the worlds they create. We weren’t living in the inherent world of social networking. We were living in Facebook’s definition of social networking.

We now know it doesn’t have to be this way. The Laws of Physics in the online world are mutable. Google just busted open a world of possibility. Users will question, now more than ever, why sharing must work the way it does on Facebook, given that Google has shown it can work differently.

It will make Facebook better. Which will make Google better. And so on. We may be witnessing the beginning of a new era of online privacy, a maturation of sorts. This is an incredibly exciting time.

When Arvind writes something, I tend to wait until I have a quiet moment to read it, because it usually packs a particularly high signal to noise ratio. His latest post In Silicon Valley, Great Power but No Responsibility, is awesome:

We’re at a unique time in history in terms of technologists having so much direct power. There’s just something about the picture of an engineer in Silicon Valley pushing a feature live at the end of a week, and then heading out for some beer, while people halfway around the world wake up and start using the feature and trusting their lives to it. It gives you pause.

So true. I’ve been thinking about this issue a lot recently, especially as good technologists in the Valley are in exceptionally good financial / career health, while the rest of the country, and sometimes even the other half of our cities, are suffering through a long and deep recession.

Here’s one story that blew my mind a few months ago. Facebook (and I don’t mean to pick on Facebook, they just happen to have a lot of data) introduced a feature that shows you photos from your past you haven’t seen in a while. Except, that turned out to include a lot of photos of ex-boyfriends and ex-girlfriends, and people complained. But here’s the thing: Facebook photos often contain tags of people present in the photo. And you’ve told Facebook about your relationships over time (though it’s likely that, even if you didn’t, they can probably guess from your joint social network activity.) So what did Facebook do? They computed the graph of ex-relationships, and they ensured that you are no longer proactively shown photos of your exes. They did this in a matter of days. Think about that one again: in a matter of days, they figured out all the romantic relationships that ever occurred between their 600M+ users. The power of that knowledge is staggering, and if what I hear about Facebook is correct, that power is in just about every Facebook engineer’s hands.

Here’s another story. I used to lecture MIT Undergraduates about web security. My approach was basically: (a) hack a few of the student project web sites, then (b) hack a few public web sites to make the students understand how widespread the problems are. In late 2003, I showed students how to buy movie tickets for free (the price of the ticket was held in a hidden variable in a web form… duh). I ended my lecture with “but just because you can do this, doesn’t mean you should. Please don’t do this.” Over the years, I’ve received a few emails from former students to the tune of “hey Ben, you gave an awesome lecture, I still remember how a bunch of us went out to see Matrix 3 for free that weekend!”

I shudder to think about what happens when you put those two stories together. While the earliest hackers may have had a particularly well developed ethical sense, I get the sense that our profession’s average ethical sense doesn’t nearly measure up to the incredible power we have gained precipitously over the last 15 years.

And then there’s the additional point Arvind makes, which I’ve observed directly too:

I often hear a willful disdain for moral issues. Anything that’s technically feasible is seen as fair game and those who raise objections are seen as incompetent outsiders trying to rain on the parade of techno-utopia.

Yes! There’s this continued and surprisingly widespread delusion that technology is somehow neutral, that moral decisions are for other people to make. But that’s just not true. Lessig taught me (and a generation of other technologists) that Code is Law, or as I prefer to think about it, that Code defines the Laws of Physics on the Internet. Laws of Physics are only free of moral value if they are truly natural. When they are artificial, they become deeply intertwined with morals, because the technologists choose which artificial worlds to create, which defaults to set, which way gravity pulls you. Too often, artificial gravity tends to pull users in the direction that makes the providing company the most money.

A parting thought. In 2008, the world turned against bankers, because many profited by exploiting their expertise in a rapidly accelerating field (financial instruments) over others’ ignorance of even basic concepts (adjustable-rate mortgages). How long before we software engineers find our profession in a similar position? How long will we shield ourselves from the responsibility we have, as experts in the field much like experts in any other field, to guide others to make the best decision for them?

My friend Alon Rosen is leading an effort with colleagues Amon Ta-Shma, Ben Riva, and Yoni Ben-Nun in Israel to implement and deploy in-person open-audit voting. The project is called Wombat Voting. It combines a number of existing cryptographic techniques in a very nice package. Oh, and they’ve implemented it and used it to run a 2000+ voter election, with apparently a few more elections in the pipeline. There’s a ton of press about them.

Here’s how it works:

Voters use an intuitive, touch-screen interface, receive a paper ballot they can physically cast in a transparent ballot box, and they get a physical encrypted receipt they can take home to make sure their vote actually counted. It’s awesome.

I’m extremely excited to see more truly verifiable voting systems implemented and deployed. Slowly but surely, we will get to a point where voting is truly auditable and democracy is actually verified. Israel, a high-tech democracy with engaged citizens, is a perfect place to get this kind of system going.

It’s been 2 months since I started at Mozilla. I’m working with fantastically talented and friendly people. I’m enjoying myself tremendously and I’m starting to get a sense of what makes Mozilla different from my previous experiences. Put simply, it’s teamwork.

In his speech to Harvard Med School graduates last week (stick with me here, this is relevant), Atul Gawande (author of the Checklist Manifesto), laid out, in his clearest and most convincing argument yet, how the practice of medicine needs to change:

The core structure of medicine emerged in an era when doctors could hold all the key information patients needed in their heads and manage everything required themselves. One needed only an ethic of hard work, a prescription pad, a secretary, and a hospital willing to serve as one’s workshop, loaning a bed and nurses for a patient’s convalescence, maybe an operating room with a few basic tools. We were craftsmen. We could set the fracture, spin the blood, plate the cultures, administer the antiserum. The nature of the knowledge lent itself to prizing autonomy, independence, and self-sufficiency among our highest values, and to designing medicine accordingly. But you can’t hold all the information in your head any longer, and you can’t master all the skills. No one person can work up a patient’s back pain, run the immunoassay, do the physical therapy, protocol the MRI, and direct the treatment of the unexpected cancer found growing in the spine. I don’t even know what it means to “protocol” the MRI.

Gawande tells colleagues they need to work as well-oiled teams. No heros, no cowboys. I believe, and surely I’m not the first, that the same path lies ahead for software engineers.

The open-source and free software movements caught on to this a long time ago. Sure, there are leaders (Richard Stallman, Linus Torvalds, Mitchell Baker.) But more importantly there are teams, incredibly agile teams of developers who rise to the occasion of the software itch that needs scratching. The coordination requirement on most software is usually not that of a medical team treating an emergency patient… except when it comes to releasing Firefox 4 to 100,000,000 users in 84 languages in a matter of days. You need a well-oiled open-source software machine run by a top-notch team, and that’s what Mozilla is.

There are no rock stars, or rather, everyone’s super impressive in their own way but no one is treated like a rock star. Because what matters is the team. This is incredibly refreshing for me, especially coming from academia where, though individual academics are highly collaborative by nature, there is a strong incentive to specialize, find a niche, and be the single rockstar in that niche, because that’s how you get promoted.

So I’m really enjoying Mozilla. And, we’re hiring, so if you want to work on one of the world’s most important pieces of digital infrastructure, drop me a line.

Voting online for public office is a terrifying proposition to most security experts. The paths to subversion or failure are many:

1. the server could get overwhelmed by attackers, preventing voting altogether
2. the server could get hacked and the votes changed surreptitiously
3. the users’ machines could get compromised by a virus, which would then flip votes as it chooses with little or no trace
4. even if somehow we secure the entire digital channel, there’s still the issue of your spouse looking over your shoulder, strongly suggesting you vote a certain way

So, terrifying. And yet, I’m now pretty sure it is inevitable.

What human activity isn’t on the Internet?

Today, we bank online, deposit checks and even pay vendors with our smart phones. We can change our mailing address with the postal service and pay parking tickets with our local governments online. We can shop online, socialize online, and debate with our Presidential candidates online. Newt Gingrich announced his Presidential campaign on Twitter.

Just about everyone now carries an Internet-connected personal device. The Internet is everywhere you want it, and just about everywhere you don’t. People are starting to experience the world through augmented reality, using online maps and satellite overlays matched with your current location. The Internet is only going to become more omnipresent, faster. Within a few years, it’s hard to imagine any human activity that doesn’t involve the Internet.

And yet, somehow, we expect people to still be voting in person, on paper? We can’t even get users to take SSL certificate warnings seriously, but we’re going to convince them that voting is so special it has to be done in person? I don’t think so.

Don’t grab your pitchfork yet

I’m not arguing that this is how it should be. I’m definitely not saying that we can secure online voting just like we can secure online banking. In fact I’ve made many of the original arguments, in my dissertation and on this blog, shooting down the bogus arguments that go something like “hey, we can secure online banking, surely we can secure online voting!” No, we don’t know how to do that.

What I’m saying is that, regardless of the state of online voting security, I think it’s a losing battle to expect voting to remain the only activity we still do in person and on paper. With the Oscars moving to online voting, the Federal Voting Assistance Program making $15M available in grants for activities related to online voting (even if it supposedly doesn’t involve online vote casting), parts of Canada moving to online voting, France considering online voting for its 2M+ expats (more than the margin of victory in the last Presidential election), what you’re hearing is the sound of inevitability.

Enforced Privacy is Dead

There’s another interesting issue, when you think about problem (4): even if we keep voting on paper in person, voting requires enforced privacy: we have to make sure it’s just you in the voting booth, not you plus a coercer. That’s great. Now, how many ballots do you think we’re going to see next year published on Instagram?

We have a deeper problem here due to the now omnipresent Internet. Voluntary privacy is not dead, since users can choose to isolate themselves. But enforced privacy, privacy imposed on the voter, the kind needed to prevent coercion, that’s quite dead. I’m very concerned about what that means for democracy. But again, this is inevitable.

Doing the Best We Can

So, if it’s inevitable, maybe the best we can do is make online voting as secure as possible. We’ll probably have a few disasters, maybe even a few thrown elections. So we’d better start now on the problems we have.

I think we can solve Problem (2) with open-audit, end-to-end voting systems like Helios (but not only Helios, there are others.) I think we can minimize the risk of Problem (1) by moving to a longer voting period (1 week instead of 1 day). I suspect we have to eventually give up on some aspects of (4), whether or not we do online voting, though some technical tricks might make voter coercion a good bit more difficult (it’s never completely impossible). The hardest problem is (3): we have no way of ensuring that people are using trustworthy software that captures their intent properly.

Again, I’m not endorsing online voting for public office. I’m saying it’s inevitable, and it’s time to face that inevitability.

Importance of the User Agent and why I joined Mozilla

This issue of trustworthy user software is a much larger problem than voting. As human activity increasingly moves online, the central question is: what software is truly on the side of the user? How does the user know for sure that the software they’re using is their true agent? There’s only one piece of Internet architecture today that can be the user’s true agent, and that’s the Web browser (which technologists call the User Agent, unsurprisingly.) And, among the web browsers, there’s one that particularly stands out as the ultimate user agent, backed by a company whose mission is focused on the user and only the user.

That’s why I joined Mozilla. Because for voting and beyond, everything people do is online or soon to be online, and users better have an agent on their side. The best agent users can get today is Firefox, and I hope to contribute to making it an even better user agent in the next few years.

[It's worth noting that Mozilla has no intention of getting into the voting business, that's just my personal interest.]

OK, you may now get out your pitchfork.