Benlog

security, privacy, transparency.

“It’s a tradeoff” and other uni-dimensional thinking

Filed under: autonomy,policy — April 3, 2010 @ 10:32 am

Many folks, like John Gruber, are responding to criticisms of the iPad’s closed ecosystem with the “it’s a tradeoff” idea: to have such a great computer, you need to lock it down. Some use the argument that Linux has never conquered the desktop, so there, open is incompatible with good usability (I’m looking at you, Engadget).

That is some twisted backwards logic.

Apple needs to remove apps it finds “not useful enough” for the iPad to work well? Apple needs to be the sole app distributor for the iPad to be so desirable? It would make the iPad worse if, say, Firefox were allowed to compete with Safari on it? No, absolutely not. There is no inherent tradeoff. Apple chose to close the ecosystem. They could have had just as good a product with an open ecosystem… or, gasp, maybe an even better product where fixing a bug doesn’t require approval from the App Store overlords.

So enough with the uni-dimensional thinking. Those of us criticizing the iPad aren’t saying it’s all bad. If it were all bad, we wouldn’t be spending any time worrying about its impact on computing, because, if it were all bad, it wouldn’t have an impact. John Lilly and Ben Fry, who also expressed issues with the iPad, are probably getting one. I may well be getting one.

Apple is very good at bundling a little bit of badness with a lot of goodness and making you think there’s an inevitable tradeoff: iPod DRM, iPhone approved apps to prevent the phone network from being “taken down by a rogue app,” etc. But the only tradeoff here is that, if Apple opened the ecosystem, they would make a little bit less money. (Apple does not benefit as much as others do from an open ecosystem because their closed hardware is already so freaking popular.) For the user, the closed ecosystem is not a trade-off, it’s an unnecessary constraint.

The Accidental Tinkerer, Unexpected Lock-in, and Fatherhood

Filed under: autonomy,personal,policy — April 2, 2010 @ 2:04 pm

Ben Fry recently explained his concerns about the iPad:

I want to build software for this thing. I’m really excited about the idea of a touch-screen computing platform that’s available for general use from a known brand who has successfully marketed unfamiliar devices to a wide audience.
[..]
It represents an incredible opportunity, but I can’t get excited about it because of Apple’s attempt to control who creates for it, and what they can create for it. Their policy of being the sole distributor of applications, and even worse, requiring approval on all applications, is insulting to developers.
[..]
I find it offensive on a very basic level, because I know that if such restrictions were in place when I was first learning to write software — mostly on Apple machines, no less — I would not have a career in the field.

John Lilly followed up brilliantly:

In a nutshell, what worries me about the trajectory of computing is not so much the emergence of tightly-controlled, non-tinkerable boxes, but the presumption that “normal people” don’t ever want to tinker, don’t want to be bothered with understanding how things work. I think it’s not true, really — certainly not for everyone — but I even think that this distinction between “normal people” and “tinkerers” or “techies” or “makers” is bogus at best, and really dangerously corrosive at worst.
[..]
It’s not like I was born an engineer — the instinct to fiddle with things isn’t something we’re born with. I became a tinkerer because I was exposed to surfaces that allowed — that invited — it. I figured out that I liked tweaking and building and creating because I got a bunch of chances to do that stuff, from hardware to software and everything in between. I knew I could do it because Dad modeled that behavior, but also because the stuff we had around the house was inspectable and malleable.
[..]
We all have the potential inside us to make things. But we’re not born into the world as makers — the world around us — the people in it and the artifacts in it — help us to discover what we can be.

I don’t know that I agree 100% with John: not everyone is a tinkerer. But, for sure, we need “surfaces that invite tinkering,” otherwise those who would be tinkerers might never discover it.

I was a tinkerer from an early age, but most of my tinkering in the physical world sucked, because, well, I don’t have good instincts about physics or analog things: I’m a digital kind of guy. So my egg-drop competition entries were overly complicated, my solar ovens were a perfect fit for a raw diet, my matchstick suspension bridges were unsafe at any speed, and my analog-circuit-based room-alarm systems would go off at random times in the middle of the night, or not at all, but at least would consistently end up blowing out the LED indicator (what do you mean you can’t connect the power source straight to the LED?)

I might have given up on tinkering, were it not for software… that was something else.

When my father brought home our first computer, a Thomson MO5, I was hooked. I spent hours transcribing BASIC programs from the 3 magazines I could find on the topic (this was Paris, France, not exactly Silicon Valley.) My dad took me to the office so I could talk to some Thomson engineers and debug my floppy disk drive. Later came the TO7, and eventually the Apple IIGS, my first “major” Pascal program to help my mother schedule carpooling (and my first taste of how hard it is to write a scheduling algorithm), my second “major” Pascal program to manage the Prom guest list. I wrote my final Geography report using a page-layout program on the Apple IIGS that probably cost me hours of extra time because of its bugs and the work-arounds I had to find, and got a worse grade for it because “not everyone can afford such fancy software, so we took off a couple of points” (for those of you still confused, THAT is socialism.) Not long after that I was applying to MIT and tinkering with one of the first e-commerce web sites. I love what I do, but would I have discovered this love without those first few lines of BASIC on that MO5 computer, written without anyone’s permission or knowledge?

Over time, though, I have become a little bit complacent about openness. I own an iPhone, and I’ve bought a few apps. I bought music on iTunes, and figured the DRM was not so problematic. I got a Kindle and bought some books. And then one day Apple’s DRM server went down and I couldn’t play music for a few hours. And Amazon decided to recall the book “1984”. And Apple decided to retroactively remove a bunch of apps they considered “not useful enough.” So I started thinking, maybe it’s time to get a different phone.

But I can’t. See, in the interim, I got unexpectedly locked in. I sync my calendar via MobileMe. I sync my music/TV shows via iTunes. Moving to something like a Palm Pre is going to take a significant effort. So how much worse will it be if I get an iPad, get some apps, and Apple decides to change the rules in a way that I don’t like? How locked in will I be then?

This change is happening gradually. At no point are you going to be shocked by an unfortunate Apple decision. You’ll enjoy your iPad, you’ll buy more apps, you’ll enjoy it even more. Apple will make a few decisions that inconvenience you, but you’ll deal. Until one day you’re inconvenienced enough that you might begin to look elsewhere. But you won’t be able to, because your data will be locked in. 3 years ago, we didn’t even have 3rd-party apps on the iPhone. Today, we have more than 100,000, and they’re all rushing to the iPad at warp speed. Change is happening.

One last point. A few months ago, I became a father. My wonderful little boy has an incredible appetite for life. Will he be a tinkerer? I don’t know, but if I had to bet I’d say yes. Will I be able to do for him what my father did for me? What will he tinker with, if everything in the house is a polished, professional, touch-but-don’t-tinker device? If he is to be a maker, a tinkerer, will he be able to fully explore his ideas if the rules of his digital universe are decided by the whims of Apple, Facebook, and Google?

I’m not sure. Maybe he will find a way, the way that kids do. Or maybe we, the generation that is witnessing this change, need to make sure that the rules of computing do not become a permanent, universal, inescapable sandbox.

The Great Content Lockdown of 2010

Filed under: autonomy,policy,web — March 31, 2010 @ 6:43 pm

I had an invigorating and thought-provoking chat with my good friend Oliver Roup today. We agreed that the Apple iPad is going to be an unbelievable success. I’ve thought from day one that it would be huge, but I think it will be bigger than huge. Before the end of the summer, millions of people will own one. Content producers, looking for a way to make money, will flock to it. A virtuous circle will be created. More users. More content. More users. More content.

And so, while killing Flash with one hand, Apple may put a dent in the Open Web with the other. Because if the content producers suddenly have, at their disposal (as Oliver put it) the ultimate platform with identity, micro-payments, a gorgeous interface, and automatic DRM, used by millions of people, why would they continue to funnel millions into their open-web efforts?

Put it all together, and we may begin to see the Great Content Lockdown of 2010. The best, most usable way to read online content will be via iPad apps. Copy-and-paste? Probably disabled. Share via Google Buzz? Only if Google pays to be featured in the “Wall Street Journal app.” In other words, the Web as a platform goes away: there is one client for a given type of content, and it behaves only in the way the producer of this content expects it to. Mashups? Unexpected, serendipitous combinations of features and data? Not likely.

Steve Jobs said the iPad is the most important thing he’s ever done. I think that’s true. I’m just not sure it’s the best thing he’s ever done.

Protecting against web history sniffing attacks: an alternative

Filed under: security,web — March 31, 2010 @ 11:18 am

When a web site links to another web site, the link appears in a different color, usually a lighter shade of blue, if you’ve already visited the site. Unfortunately, this means that a malicious web site can learn what sites you visit by putting up a few links and checking to see how your browser is rendering them. Arvind explained the shockingly bad outcome of this small flaw a few weeks ago.

Today, Mozilla is proposing an interesting way to “plug” this leak, by attacking the problem from both ends. First, the style changes for visited links are now limited: you can’t change the font-size of a visited link. Second, the web page can no longer fully introspect and discover those small style variations that are still allowed. It’s really fantastic to see Mozilla working on this particularly nefarious issue, which has been one of the elephants-in-the-room of web security for the last few years.

But I’m not sure this approach is the right one. It is, exactly as Mozilla put it, a “plug” for a leak. It doesn’t really address the essence of the issue, and I suspect clever attackers will find other, smaller leaks to exploit. Meanwhile, setting the precedent that the browser will now fake some of its rendering information to the page’s own JavaScript is a little bit odd.

The core issue is that a web page is allowed to use private information it should never have access to as a kind of black-box processor on its own rendering. That may have been fine when web pages were static content, but now that web pages are full-fledged programs that can attack these black boxes a thousand times a second without the user noticing, it’s a problem.

An Alternative: tweaking the meaning of ‘visited’

So here’s my proposal, which I thought I’d come up with, but which is really just a subconscious reappearance of work by Collin Jackson, Andrew Bortz, Dan Boneh, and John Mitchell: safehistory.

A browser should consider a link “visited” depending on where that link appears. If I’ve clicked on cnn.com/stories/123 from fooblog.com, then the next time that link is shown on fooblog.com, it should appear as visited. But if that same link appears on barblog.com, then it should simply be considered a new link.

That way, a web page only has access to information that it technically already could have collected itself, by tracking the outgoing clicks on its site. No more black-box access to private data that it can manipulate thousands of times a second. No more leaks to plug (in this context). Conceptually, this is cleaner and much more in line with the security model we need for the Web.

Also, I have a feeling that this might be a better mental model of how most people think of visited links. A visited link, in this new model, means “I have already followed this path from A to B,” rather than “I have already seen B via some other site C.” After all, how often do people find the same link from two different sources at different domains? It happens, of course, but how often is it useful to know that this link was visited via a different path when the anchor text at both sites will almost certainly be different, making the information that you’ve already visited this site fairly vague (which site was it?)

But what about link aggregators, like reddit, digg, etc…

Some sites just aggregate tons of links to stories around the web, and in those cases you might want to know that you’ve already seen the story via some other link-aggregator or even on your own. Now, that need may be a lot less important than you think initially: often links from aggregators are customized with outgoing link-tracking, referrer codes, etc., that actually prevent visited-link-highlighting from activating anyways. But this may be a legitimate case where advanced users want to know that they’ve seen these stories before. In those cases, I can imagine a “super-referrer” whitelist in the browser, where certain sites are trusted not to abuse their ability to use your history black-box rendering processor. Advanced users would have to add the link aggregators they trust to this whitelist.

Because it’s about trust

At the end of the day, it’s about trust. We should not trust random web sites with black-box access to programs that depend on our private data. If I’ve never clicked on a link from site A to site B, then site A should know nothing about site B, and should not be able to run some program that very tightly depends on information about my visit to site B.

A visited link should mean “you’ve already walked this path before,” not “you’ve already seen this destination.”
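The per-referrer rule proposed above, together with the “super-referrer” whitelist from the aggregator section, worked through as an added example. This is a small Python model of the browser-side decision, not code from this post, from Mozilla, or from the safehistory extension; the `PathHistory` class, the `origin` helper, the `classic_is_visited` comparison function and the `aggregator.example` whitelist entry are all constructed for illustration.

```python
"""Model of the per-referrer "visited" rule: a link is visited only if the
user already followed it from the same origin that is now displaying it.

Constructed example (not the post's, Mozilla's or safehistory's code): the
browser's history store is keyed on (origin showing the link, link URL),
plus a hypothetical "super-referrer" whitelist for trusted aggregators.
"""
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, the unit of trust here."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class PathHistory:
    """Visited-link store that remembers the path (A -> B), not just B.

    `trusted_referrers` is the hypothetical whitelist of aggregator origins
    whose pages may see global visited state, as the post's last section allows.
    """

    def __init__(self, trusted_referrers=()):
        self._paths = set()    # (referrer_origin, link_url) pairs actually clicked
        self._global = set()   # link_url only; consulted solely for trusted referrers
        self.trusted = {origin(t) for t in trusted_referrers}

    def record_click(self, from_page: str, to_url: str) -> None:
        """Called when the user follows a link shown on `from_page`."""
        self._paths.add((origin(from_page), to_url))
        self._global.add(to_url)

    def is_visited(self, shown_on: str, link_url: str) -> bool:
        """Decide how a link on page `shown_on` should be styled."""
        src = origin(shown_on)
        if src in self.trusted:
            # Whitelisted aggregator: classic behaviour, any prior visit counts.
            return link_url in self._global
        # Default: only a path this very origin could already have observed
        # by logging its own outgoing clicks.
        return (src, link_url) in self._paths


def classic_is_visited(history: PathHistory, link_url: str) -> bool:
    """The pre-proposal rule, for comparison: any visit to B lights the link."""
    return link_url in history._global


def demo():
    """Walk through the fooblog/barblog scenario from the post."""
    h = PathHistory(trusted_referrers=["https://aggregator.example"])  # constructed
    story = "http://cnn.com/stories/123"
    h.record_click("http://fooblog.com/post/1", story)

    return {
        # Same origin that served the click: visited, as before.
        "fooblog_sees_visited": h.is_visited("http://fooblog.com/post/2", story),
        # Different origin: a fresh link, so barblog learns nothing.
        "barblog_sees_visited": h.is_visited("http://barblog.com/", story),
        # What barblog would have learned under the classic rule.
        "classic_barblog": classic_is_visited(h, story),
        # Trusted aggregator: global state, by the user's explicit choice.
        "aggregator_sees_visited": h.is_visited("https://aggregator.example/top", story),
        "never_clicked": h.is_visited("http://fooblog.com/post/1", "http://cnn.com/other"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison with `classic_is_visited` shows the security argument: under the per-referrer rule, `barblog.com` gets exactly the answer it could have computed from its own click logs, which for a link it never served is always “no”.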

What the Oscars teach us about voting

Filed under: voting — February 27, 2010 @ 11:42 am

This year, the voting process for the Oscars has changed. Rather than indicating a single choice as they have done since 1946, members of the Academy will provide a first choice, a second choice, etc., potentially ranking all 10 nominees for Best Picture if so desired. Some are speculating that this will affect the results. Some are writing really confusing articles about this change, with very misleading lines like “Getting the most votes is no longer enough.” Here’s the short version of this post: (1) of course ranked-voting is going to affect the Oscar results! and (2) this year, the result will actually reflect the will of the Academy far better than previous years.

Debating voting methodology can usually get very heated. In fact, if I say anything negative about ranked-voting, more formally called instant-runoff voting (IRV), a legion of IRV fans will descend upon this blog with tremendous fury. Thankfully, in this case, there’s little room for disagreement: it’s pretty obvious that IRV will much more adequately represent the opinion of the Academy. In fact, it’s surprising that the Academy has been using plurality single voting, which can easily yield wildly inaccurate results. It makes one question the validity of past Oscar winners, and not only because the election is completely un-auditable by anyone other than the designated auditor firm.

Say, for example, that 30% like Avatar best, 25% Hurt Locker, 20% Inglourious Basterds, 15% Up in the Air, and 10% District 9. (Apologies to the other Oscar nominees, but I need a simple example.) Using last year’s voting method, Avatar wins. With 30% of the vote. But wait, what if the fans of District 9 hated Avatar, and really prefer Hurt Locker second best? Since their first choice was District 9, a less popular movie, it seems they effectively don’t have an impact on the result of the election… unless we take their second choice into account. OK, so we give those 10% to Hurt Locker, and now Hurt Locker wins. But wait, what if the fans of Up in the Air mostly prefer Avatar to Hurt Locker? So we eliminate “Up in the Air” for not having received enough votes, then give those votes to Avatar, then Avatar wins, but wait… you get the picture. It’s not that complicated. Basically, it means that if the movie you really want to see win has no chance of winning, then we’ll look at your second choice instead. The really crazy thing is that, with last year’s method, it’s conceivable that, even if all the fans of Inglourious Basterds, Up in the Air, and District 9 prefer Hurt Locker to Avatar, meaning that in a two-way election Hurt Locker would win 70-30, Avatar STILL wins under the system used for the last 64 years.

Because of this oddity, the fans of District 9 might realize that their favorite has no chance and be tempted to select only between the two favorites, Avatar and Hurt Locker. In other words, the dark horses are inherently handicapped. With IRV, there’s no reason to resort to such silliness: vote for the dark horse first if that’s really your preference, and if not enough others agree, your second choice will be “activated,” and you won’t have lost your chance to influence the result. So, this year, a dark horse movie has a better chance of winning. But not because the voting system gave the dark horse an unfair advantage! Rather, because IRV better represents the will of the Academy. Even if one of the favorites does win, it will be a much more legitimate win than every year prior.

And here’s the funny thing. That crazy plurality single vote system I just described… that’s how we vote for President in the United States.

Wait a minute…

Did I just imply that IRV is awesome? I should be more careful. Everything I just explained assumes that voters are well informed and rational. I’m willing to believe that voters are mostly rational, but I don’t think they’re well informed. Specifically, a voter might easily believe that voting first for District 9, then for Avatar yields a “weaker” vote for Avatar if District 9 is knocked out of the running. Or, they might think that voting only for District 9 will yield a stronger vote than if they add a second or third choice because, in some sense, District 9 is then the only acceptable winner for those single-movie voters. In other words, I suspect voters will still vote strategically with IRV, only this time with an incorrect, ill-informed strategy. This is speculation; I don’t have hard numbers to back it up, only (significant) anecdotal experience with voters who find IRV deeply confusing.

What we really want is a voting system that assumes realistic behavior from voters who are typically not fully informed experts. In a way, we need to reduce flexibility for voters so that the average voter will be less likely to choose an ill-informed strategy. That method is probably approval voting, where a voter marks every candidate they find acceptable. No ranking, just a checkmark next to each candidate. Instructions are then very straightforward: mark every candidate you would be happy to see win. Not perfect in terms of ill-informed-strategy-resistance, but a heck of a lot better than all the misconceptions that come with IRV.
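The five-movie scenario above, carried through in code as an added example (not the Academy’s procedure, nor anything the post itself provides). The 100 ballots in `BALLOT_GROUPS` use the post’s first-choice shares; their lower preferences are constructed so that every non-Avatar voter ranks Hurt Locker above Avatar, the “crazy” case described earlier. The approval simulation assumes each voter approves their top two choices, and the “bullet vote” run models the ill-informed strategy of ranking only District 9; both are illustrative assumptions.

```python
"""Constructed election for the five-movie scenario in this post.

Added example, not the Academy's or its auditors' procedure. 100 ranked
ballots are built from the post's first-choice shares (30/25/20/15/10),
with lower preferences chosen so that every non-Avatar voter prefers
Hurt Locker to Avatar: the "crazy" case described above.
"""
from collections import Counter

AVATAR, HURT, BASTERDS, UP_IN_AIR, D9 = (
    "Avatar", "Hurt Locker", "Inglourious Basterds", "Up in the Air", "District 9")

# (number of voters, ranking from first to last choice). Constructed data.
BALLOT_GROUPS = [
    (30, [AVATAR, UP_IN_AIR, BASTERDS, HURT, D9]),
    (25, [HURT, BASTERDS, D9, UP_IN_AIR, AVATAR]),
    (20, [BASTERDS, HURT, D9, UP_IN_AIR, AVATAR]),
    (15, [UP_IN_AIR, HURT, BASTERDS, AVATAR, D9]),
    (10, [D9, HURT, BASTERDS, UP_IN_AIR, AVATAR]),
]


def expand(groups):
    """Turn (count, ranking) groups into one list per individual ballot."""
    return [list(rank) for count, rank in groups for _ in range(count)]


def plurality(ballots):
    """Last year's method: count first choices only; most votes wins."""
    return Counter(b[0] for b in ballots).most_common(1)[0][0]


def irv(ballots):
    """Instant-runoff voting.

    Repeatedly drop the candidate with the fewest current first choices and
    move those ballots to their next surviving choice, until someone holds a
    majority of the ballots that still name a surviving candidate.
    Returns (winner, per-round tallies) so the transfers can be inspected.
    """
    remaining = {c for b in ballots for c in b}
    rounds = []
    while True:
        tally = Counter()
        for b in ballots:
            top = next((c for c in b if c in remaining), None)
            if top is not None:  # a truncated ballot with no survivor left is "exhausted"
                tally[top] += 1
        rounds.append(dict(tally))
        active = sum(tally.values())
        leader, votes = tally.most_common(1)[0]
        if votes * 2 > active or len(remaining) == 1:
            return leader, rounds
        loser = min(remaining, key=lambda c: tally.get(c, 0))
        remaining.discard(loser)


def pairwise(ballots, a, b):
    """Head-to-head: (ballots ranking a above b, ballots ranking b above a).
    A candidate missing from a truncated ballot is treated as ranked last."""
    def rank(bal, c):
        return bal.index(c) if c in bal else len(bal)
    a_wins = sum(1 for bal in ballots if rank(bal, a) < rank(bal, b))
    b_wins = sum(1 for bal in ballots if rank(bal, b) < rank(bal, a))
    return a_wins, b_wins


def approval(ballots, approve_top_n=2):
    """Approval voting simulated from rankings: each voter ticks their top n.
    (Constructed assumption; a real approval ballot is just a set of checkmarks.)"""
    return Counter(c for b in ballots for c in b[:approve_top_n])


def demo():
    ballots = expand(BALLOT_GROUPS)
    irv_winner, rounds = irv(ballots)

    # The ill-informed strategy from the post: District 9 fans "bullet vote"
    # (rank only their favourite), believing that makes their vote stronger.
    bullet = expand(BALLOT_GROUPS[:4] + [(10, [D9])])
    bullet_winner, bullet_rounds = irv(bullet)

    return {
        "plurality": plurality(ballots),
        "irv": irv_winner,
        "irv_rounds": len(rounds),
        "hurt_vs_avatar": pairwise(ballots, HURT, AVATAR),
        "approval_top2": approval(ballots).most_common(1)[0][0],
        "bullet_vote_winner": bullet_winner,
        # Ballots that had nothing left to say once District 9 was eliminated.
        "bullet_votes_exhausted": len(bullet) - sum(bullet_rounds[-1].values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these ballots plurality picks Avatar on 30%, while IRV transfers District 9, then Up in the Air, then Inglourious Basterds to Hurt Locker and elects it, matching the 70-30 head-to-head count. The bullet-vote run shows what the truncated strategy actually buys: once District 9 is eliminated those ten ballots are exhausted and simply stop counting, so they neither strengthen District 9 nor influence the outcome.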

Oscar voting is actually even weirder

Of course, as if the insanity of the Oscars’ voting system over the last few years weren’t enough, there’s more weirdness.

To select the nominees, the Oscars effectively run a multi-seat Single Transferable Vote, which is like IRV where you rank the options, but this time you’re filling multiple spots. This is the way that Cambridge, Massachusetts elects its City Council, and it’s the way Australia elects its Parliament, and it’s incredibly confusing because of how votes are redistributed when a candidate is knocked out of the running or, more importantly, how to redistribute extra votes for a candidate that already has passed the victory bar. How confusing? Well, in Cambridge, the result of the election may depend on the order in which you count the ballots. Yep, you read that right, in a close election, the order of the ballots matters.

I’m not sure how it works exactly for the Oscar nomination process, but apparently the Oscars add a second complication: a nominee must be selected as a first choice by at least one person. Even if the movie is everyone’s second choice, it cannot be a nominee.

So, what this now means is that the Oscars are using a weirdly modified version of multi-seat Single Transferable Vote to select the nominees, and then a plurality single-vote to choose among those nominees, except this year where they’re re-running an IRV vote for Best Picture.

And to top it all off, you have to fully trust PricewaterhouseCoopers, the auditors, who don’t even provide tallies, only the names of the winners.

Whoever said elections are simple?

For deniability, faking data even the owner can’t prove is fake

Filed under: crypto,privacy,voting — February 26, 2010 @ 5:29 pm

I was speaking with a colleague yesterday about Loopt, the location-based social network, the rise of location-based services and the incredible privacy challenges they present. I heard the Loopt folks give a talk a few months ago, and I was generally impressed with the measures they’re taking to protect their users’ data.

I particularly enjoyed the problem Loopt faced with respect to abusive spouses: if your spouse is spying on you, it’s not enough to turn off your location services, because then your abusive spouse will know that you’re hiding something. You have to actually be able to lie about your location; in other words, Loopt has to let you fake your location data. And they do. And that’s awesome.

It’s just like voting: to be free to vote the way you want to vote, you have to be able to claim that you voted a certain way, even if you voted another way, and that claim has to be believable. In fact, when you think about it, because Loopt offers this “fake my data” feature, there’s no way for you to prove to someone else that you really are where you claim to be, at least not via Loopt. Because, if there were a way to say “okay, really, I’m here, no faking this time,” then there would be no deniability since abusive spouses could simply ask for the extra-no-faking version of the location.

In other words, to truly achieve deniability, you have to take away the user’s ability to certify their own data. That’s not obvious, and it’s interesting that location-based services and voting have this point in common.

Taxing Human Transactions – Part 1

Filed under: data,health,policy — February 18, 2010 @ 2:53 pm

The worst part of my job is dealing with the mess of document formats and coding systems in healthcare. The acronym soup is insane: HL7, CCD, CCR, CDA, Green CDA (which I just heard about from John Halamka’s blog but… no link!), and that’s just the document formats. Then there are coding systems like LOINC, SNOMED, SNOMED-CT, UMLS, ICD9, ICD10, RxNorm, … Interestingly enough, the issue is not how many there are. The issue is how they’re licensed. Here’s a screenshot from the HL7 website that should tickle your funny bone:

So, HL7 is unlocking the power of health information, and to do that they’re going to sell you a standard.

Meanwhile, the National Library of Medicine has toiled for years on the Unified Medical Language System (UMLS), which attempts to codify *everything* in medicine, from anatomy to viruses. It’s a pretty impressive piece of work. Conveniently, they provide a “meta-thesaurus” that maps other coding systems, like SNOMED, to UMLS. Brilliant! Awesome! Except… to use UMLS, you have to register. And you have to fill out a yearly survey. And you’re not allowed to redistribute the UMLS codes. Oh, and you have to sign a 10-page licensing agreement that explains how you can use UMLS, but you can only use SNOMED under these conditions, and this other coding system you can only use in these other conditions, and if you don’t have three lawyers and a few weeks on your hands, good luck answering this simple question: “can I use this in my open-source library and release it freely to the world?”

Imagine, for a second, if we had a similar situation without computers. Doctors would have to pay a fee to speak official medical terms when discussing your health. You would have to pay a fee to have those terms translated into plain English. Canon would have to pay a licensing fee before making fax machines able to send medical documents from one doctor to another. In short, every time a health transaction occurs using standardized language, there would be a tax.

This is insane. Folks in the health IT world are focused on much harder problems while ignoring this blatant ball-and-chain on innovation.

I submit that the quickest path to health-IT reform is the complete and unconditional freeing of these medical vocabularies and data formats. And I mean complete. No access fees, no yearly surveys, no constraint on redistribution, country of origin, commercial or non-commercial. Free. Like HTTP and HTML. Like English. Like a patient-doctor conversation.

Take a precise example: my group at Children’s Hospital Boston just released Indivo X, the latest version of our Personally Controlled Health Record. It’s great, but there’s one key feature we had to strip out before shipping this free, open-source tool built using federal grant money: SNOMED codes. Sure, we’re a hospital with a license, we can use them internally. But we can’t redistribute them. So now, to install Indivo, instead of a 30-minute process, you need to go get a UMLS ID, wait 3 days for approval, then download the files, extract the codes we think are useful, and load them into the database. No exaggeration, you’ve now multiplied your time-to-working-install by 100.

This must change. Either the existing formats must be opened up, or new formats must emerge that do to the existing formats what HTTP and HTML did to Gopher: kill them with freedom. Taxing human interactions, simply because they’ve been digitized, is an unacceptable brake on innovation, and in a complex field like Health IT, it’s the last thing we need and the first thing we need to eliminate.

Buzz Kill

Filed under: policy,privacy — February 13, 2010 @ 9:20 pm

Everyone is talking about the privacy disaster that was the Google Buzz launch, and oh my goodness it was. I’ve never been so thankful that I don’t use gmail. I’m frankly surprised that they didn’t do a smaller beta first, or that there isn’t a group at Google charged with thinking about the privacy implications of every product release who would have clearly screamed “stop!”

If you want to think about the deep issues at play here, you really want to be reading Arvind Narayanan’s blog in general, and in particular his post on this issue:

When I enabled Buzz and realized what had happened, something changed for me in my head. I’d always regarded email and chat as a private medium. But that’s not true any more; Google forced me to discard my earlier expectations. Even if Google apologizes and retracts auto-follow (not that I think that’s likely), the way I view email has permanently changed, because I can’t be sure that it won’t happen again. I lost some of the privacy expectation that I had of not only Google’s services, but of email and chat in general, albeit to a lesser extent.

What I’ve tried to do in the preceding paragraphs is show in a step-by-step manner how Google’s move changed social norms. The larger players like Google and Microsoft have been very conservative when it comes to privacy, unlike upstarts like Facebook. So why did Google enable auto-follow? By all accounts, their hand was forced: they needed a social network to compete with Facebook and Twitter. Given the head-start that their competitors have, the only real way to compete was to drag their users into participating.

This is what deeply worries me about the current Cloud: for the convenience of universal access to our data, we are giving up control in the long run. We imagine these providers, Google, Facebook, etc., to be good custodians of our data, but their strategy, their needs, may significantly affect the way they do their jobs. Sometimes this is good: users will be protected by these custodians. But often, this will be bad in ways we can hardly imagine.

I mean, think about it: would you have believed it if two weeks ago, someone told you that Google was about to make public the list of the top 25 people you email? Heresy! That would be gmail suicide! And yet it happened. The backlash is strong, the feature will probably change, but in many ways the damage is done, and Google will probably suffer a lot less than one would have expected a priori.

As a computer scientist with a penchant for security, privacy, and autonomy, I hope I’m not the only one who feels I have a professional duty to help people avoid these kinds of situations. Computer scientists who handle other people’s data need a professional code of privacy ethics, and there need to be serious consequences, legal and financial, to this type of negligence.

I was wrong about the iPad

Filed under: policy,security — January 31, 2010 @ 4:00 pm

So I made a couple of predictions about the iPad, Apple’s tablet, and I realize in retrospect that, while I got some of the details right, I got the gist completely wrong. I thought it was going to be a special-purpose device. And most commentators are saying just that. But I was wrong and they are wrong. The iPad is very much meant to be a new approach to how we use computers in general. Still think it’s just a big iPhone? Watch these few minutes of video, a summary of how you interact with the iPad to create slides and edit documents in Apple’s productivity suite:

This is different. Much more natural to use, a different experience altogether. It’s going to sell like mad, and developers will be building apps for this in no time.

The real Apple fanboys (I’m only a poser Apple fanboy) are saying almost what I’m saying: this is a new model of computing, the critics are suffering from future shock. Yes, and yes.

That said, the Apple fanboys are taking one critical step too many by accepting the hand-waving argument that this revolutionary computing model justifies the Apple-controlled App Store. Apparently, it’s like driving an automatic vs. a stick-shift, or better yet it’s like the Prius where you need special skills to maintain it. Spare me the kool-aid, these analogies are incredibly bad. If you really want to use that analogy, at least realize that adding your own app to a computer is more like installing a GPS on the dashboard, not tuning the engine. Would you be okay with a Prius if somehow you didn’t have the right to install Honda-made seat covers, or tires made by Michelin? Well, if the Prius were good enough, you’d grind your teeth and deal, but in what world would you argue that it’s a feature that you can only install seat-covers approved by Toyota?

Yes, the iPad looks amazing, and yes, it will sell lots, and yes, it will redefine the way we interact with computers. But would we lose any of those things if Apple allowed you to add your own applications? No. The Apple death-grip is entirely orthogonal to all of those wonderful things. There could be a scary-red toggle deep down in the preferences, or a magical swipe pattern, or a software download from the Apple site with a big fat warning that says “be careful, if you enable the ‘risky install’ feature, you may be forced to reset your iPad to factory settings.” Most people would use the iPad untouched, but the ability to open it up to other stores would bring more competition and would prevent the App Store overlords from making clearly anti-competitive decisions like rejecting the Google voice app.

So I was right about one thing: the iPad is going to move us one step closer to Zittrain’s dystopic Future of the Internet. But because the iPad is much more of a general computing device than I expected, that step is going to be a much larger step, and Zittrain’s vision is coming true much faster than I thought. And that part is incredibly sad, no matter how badly I want to edit slides using finger-swipe gestures.

Sometimes it’s not counter-intuitive

Filed under: crypto,security — December 27, 2009 @ 5:36 pm

Bruce Schneier writes that it’s reasonable for unmanned drones to broadcast unencrypted video streams, because

  1. the video stream is not that useful to enemies, and
  2. given that many people need access to the video feed, the key distribution problem would be very difficult to manage, and some allies could be severely handicapped if they happened not to have the key.

So, Bruce is typically fantastic at finding those interesting areas of security where the answer is counter-intuitive. But huh? How can both of those points be true? If the video stream is valuable to allies, then I’m guessing it’s valuable to enemies.

But let’s say that, somehow, these contradictory points are, in fact, both true.

There isn’t a key management problem here. The command-and-control signal is already encrypted and authenticated, so the video feed could be encrypted via the same exact route back to the home base (which needs to happen anyways so the NSA pilots can, you know, pilot), at which point it is decrypted and can be syndicated to allies, troops on the ground, commanders, etc… I just don’t see the argument for the signal to be directly received by local troops, when the one person who needs the signal the most anyways is already sitting thousands of miles away.

Bruce is right that key management is often a very complicated problem. But I just don’t see how it’s relevant in this case.