The Insanity of Simplicity

My claim is that we would be better off having regulations that do exactly two things:

  1. Require some specific disclosures related to whatever we currently prescribe, rather than prescribing the behaviors themselves.
  2. Have teeth to revoke charters or otherwise blow away any company that fails to meet the disclosures in a timely and truthful manner.

I’ll be writing more about this in the future, but for now I’ll just say that I’d be very happy/curious to hear arguments against my claim or examples that show it’s wrong.  Note that I mean that instead of a law saying, “you cannot sell baby cribs made out of gremlins,” it would say, “you have to tell people exactly what your cribs are made out of.”

Obviously, I’m going with the idea, “if people know the cribs are made out of gremlins, they won’t buy them, and the crib maker will start using marshmallows instead.”  Does this bear out?  More later.


Privacy is Security

Without privacy, there is no such thing as security.  You can call systems and laws that do not account for privacy secure, but they are not.

One of the most vital aspects of securing any system is protecting it from internal attacks; that is, attacks due to the corruption of its actors.  Most systems ignore these threats, and they are all the more vulnerable for it.  If a system can be taken down by a lone actor that has privileged access, it is not secure.  Likewise, if your data can be leaked to Wikileaks by a lone actor, it’s not secure.

Simultaneously, the act of properly securing against such things removes the ability for a system to behave in an anti-human fashion.  This is because the abuse of authority that allows for harming people (eg, a private prison system that needs more prisoners and has the ability to get them through legislation) becomes impossible.  The same protections on privacy that thwart leaking also preclude deal-making that creates malformed laws or rules.

The level of conspiracy required to actually attack a secure system always requires that those that would be harmed give voluntary, informed consent.  They will almost never do so.

The systems that exist today are not secure, and most of the time that is by design: the parties that have ultimate responsibility for overseeing security are too enamored with their abilities to manipulate the systems for their own naive interests (which are actually against their true interests) to order proper security measures.

We will begin to see truly secure systems emerge in the next waves of web applications; distributed applications require a separation of concerns to function properly, and, when coupled with next-generation authentication, they move toward privacy (is security).