• Weekly Byte, 01/2019

    Here are the eight bits of news I found most interesting this week, along with some brief commentary.

    1. NBC finally jumps in the streaming wars — announces a new service to compete with Netflix, Disney and Amazon.

    NBC has announced it will launch a streaming service in Q1 2020, free for pay-tv subscribers but ~$12/month for everyone else. Amazon, Disney, Hulu, AT&T/WarnerMedia, now NBCUniversal are all jumping, or have jumped, into the streaming space… Watch out Netflix! So much for that monopoly. On the topic of Netflix, it recently decided that now is the appropriate time to raise the price of its most popular plan (for US customers only) from $10.99 to $12.99 per month; good luck with that! Consumers 1, antitrust lawyers and wannabe monopolists 0.

    2. RCS Chat is launching on Google Fi.

    Google is rolling out Rich Communication Services (RCS) messaging support on the Google Fi network available on its Pixel phones, the Moto G6, LG V35, LG G7, and Android One Moto X. There is one crucial element missing from Chat, however. While the original RCS protocol allowed the implementation of client-to-server encryption, Chat will not offer end-to-end encryption like iMessage or Signal. In short, it allows for the same legal intercept standards as its predecessor. Lame. In an increasingly privacy-conscious world, I don’t think Google has a winner here.

    3. “Underappreciated” consequences of Encryption Bill could damage Australian security industry for years.

    According to a survey (so take it with a grain of salt), two-thirds of Australian technology companies believe the federal government’s new encryption laws will compromise trust in their products and damage their export prospects in the long term. I wrote in detail about the foolishness of the bill here.

    4. Facebook’s ‘10 year challenge’ is just a harmless meme - right?

    Why do people trust anything Facebook says or does? In response to the question of why so many people willingly handed over their information to Facebook, CEO Mark Zuckerberg replied “I don’t know why. They “trust me”. Dumb f**ks.” No doubt he’s saying the same again (but probably not in an email this time), as “thanks to this meme, there’s now a very large dataset of carefully curated photos of people from roughly 10 years ago and now… that could be used to train a facial recognition algorithm on aging”. The sooner this company goes belly up, the better.

    5. HSBC banks on blockchain to finesse forex trades.

    Probably the best real world use-case for cryptocurrencies (so far)? An exciting space and I plan to write about it in more detail at some stage. “The London-headquartered bank, a heavy-hitter in forex dealing, has processed more than 3m FX transactions worth $250bn using blockchain technology in the past year, it said on Monday. That represents a tiny sliver of its overall currencies business, but still offers a rare example of a blockchain-based product that has proven its worth in wholesale finance.”

    Elon Musk wants to “save the human race”. As he explains, his main goal is to wire a chip into your skull to give you the digital intelligence needed to progress beyond the limits of our biological intelligence. Note to self: don’t go out for drinks with Elon Musk.

    7. DuckDuckGo will use Apple Maps for local searches on the web.

    DuckDuckGo, the privacy-focused search engine that promises not to track you, has announced that Apple Maps will now power its local search results on both desktop and mobile web browsers. DuckDuckGo says that it will now have “improved address searches, additional visual features, enhanced satellite imagery, and continually updated maps”. A good move, I suppose; while Apple is no angel, it’s less evil than Google.

    8. Random: An Egg, Just a Regular Egg, Is Instagram’s Most-Liked Post Ever.

    A simple picture of an egg posted by an anonymous Instagram user has set the world record for most likes, surpassing Kylie Jenner’s 18m record. “There’s nothing special about the egg. Seems like a fine enough egg. But more than 22 million people have liked it, dethroning Kylie Jenner’s birth-announcement post.”

    Yep. Welcome to the internet. Your move, Kylie Jenner.

    Image of the week

    No business model lasts forever (music edition). It seems peak music spending was 1998 - 2000.

    The music industry over time

    That’s all for this week, have a great weekend.

  • The age of centralisation

    The bits

    • Many of the services we use on a daily basis are very centralised.
    • It’s not just social networks. Banks, utilities, soft drinks - the list goes on.
    • Industry concentration is the new normal, but it’s not necessarily a bad thing.
    • But it does mean we are living in an age of centralisation, especially in tech.
    • Instead of charging you directly, they sell targeted access to you.
    • A random individual’s data aren’t worth much, but a centralised database is.
    • The best thing you can do is just not give it up so easily.
    • Most importantly, use a password manager secured with a strong passphrase.

    I’ve been thinking for some time about how centralised many of the services we use on a daily basis really are. For example, for a true social network - that is, primarily text-based with a user’s content preserved but limited to “friends” only - you really only have Facebook. There are certainly alternatives but in terms of keeping in touch with a wide group of diverse associates, it’s Facebook or bust (curse those network effects!).

    Social networks by number of active users

    But as I discussed last week, Facebook is not a monopoly in the true sense of the word. While Facebook itself might be entirely centralised, it operates in a decentralised environment where its position at the top of the food chain is fickle at best. As the late Harold Demsetz (1988) put it in The Organization of Economic Activity: Ownership, Control and the Firm:

    “The analytical usefulness of the concept of decentralization derives precisely from the fact that it allows the analyst to ignore the behavior of a single individual or a small group of individuals. It implicitly asserts that the tactical measures taken by incumbent firms to bar entrants from an industry cannot long hold at bay the continuous onslaught of more efficient organizations and techniques of production.”

    The only way Facebook can prevent entrants from eventually usurping it is by constantly improving, or through artificial barriers, which is precisely why regulators should keep clear (I really, really don’t want to be stuck with Facebook any longer than necessary).

    Industry concentration is the new normal

    But what I realised is that it’s not just social networks where a person’s choice is limited: banks; utilities; transport, both public and private (e.g. Uber/taxi); universities; soft drinks (60% of the global non-alcoholic beverages industry is controlled by Coca-Cola and Pepsi); insurance; and even supermarkets are all relatively concentrated. As this chart by the Economist shows, most sectors in the United States have become more concentrated since 1997.

    Industry concentration by sector

    That’s not necessarily a bad thing; it might be optimal to have one or a few providers of a good or service instead of a number of smaller ones, and the relationship between industry concentration and higher profits all but disappears when firm size is taken into account (see for example Yale Brozen’s 1982 book Concentration, Mergers, and Public Policy).

    Living in an age of centralisation

    But it does mean we are living in an age of centralisation, especially in the tech sector. I find it somewhat ironic that one of the most innovative, adaptive and decentralised (using Demsetz’s description above) sectors is also the one in which a few companies tend to dominate at a given task.

    In the past, industry concentration wasn’t an issue because the firms were essentially direct service providers. Your bank charged you account fees, and/or lent out your deposits, to make a profit. Your internet provider, water and power utilities charge you a monthly fee based on some combination of fixed and usage charges. But that all changed with Google and its “free” services, a model later copied by Facebook and countless other start-ups around the world.

    Defining the divide in tech

    Instead of charging you directly, they sell targeted access to you (or the means, via the data they store about you, for some other entity to target you). Individually your data aren’t worth much, as Gregor Barber noted in a recent Wired article when trying to sell his Facebook data, but when you have more than a billion users you can start to do some funky things with their information (data scientist roles have grown over 650% since 2012).

    “My tipping point was the Facebook hack, exposed in September, in which I—along with some 90 million other potential victims—was temporarily locked out of my account. I imagined my identity rippling across the internet, thanks to the single sign-in convenience of Facebook Connect. After a long season of leaks, hacks, and shady data pillaging, I’d had enough. I considered simply deleting my account. But then I landed on a different strategy: making a profit.

    …I was ready to call it quits—unless, that is, my proceeds reeled me back in. I tallied up my fiat (that’s money, to the rest of us): 162 WIB, 1 DAT, 0 NRN. My earnings, while eclectic, were worth approximately 0.3 cents.”

    What you can do about it

    As Barber found out, a random individual’s Facebook data aren’t worth much, but Facebook’s centralised database clearly is (otherwise no one would pay for access). For now, free services paid for with targeted advertising tailored via “big data” stores of user information are the business model. It won’t be that way forever, but while it is there are some things you can do to protect yourself. Barber had a good suggestion:

    “My efforts had simply heightened my sense of just how much I was sharing, and made me inclined to expose a little less: to leave my phone at home when I went on a run, or to conceal my phone number and real email address from Facebook.”

    It’s safe to say that the likes of Facebook and Google already know a LOT about you. The list of data gathering techniques they employ is virtually endless, whether it’s direct collection through a combination of your web searches, online purchases, music and video preferences, etc., or indirect collection via your family, friends and co-workers’ data (so-called “shadow profiles”).

    Even if you’re being careful, they’re also able to “fingerprint” your web browser and device, allowing them to track you when you don’t want to be tracked. Those Facebook “like” buttons at the end of a blog post? They’re specifically designed to track you and your web browsing activities, linking what you do while not on Facebook to your shadow profile. The list of tracking tools and techniques employed by these companies is ever-growing and evolving as their advertising business model depends upon knowing more about you than their competitors.

    But for the vast majority of people - myself included! - your data are probably about as valuable to these firms as Gregor Barber’s above, i.e. not very. The best thing you can do is just not give it up so easily: change your privacy settings, block third-party cookies, use browser extensions that block trackers and switch to open source and/or encrypted alternatives where you can (for example, use Signal instead of Facebook Messenger and ProtonMail instead of GMail). If you sync your data into the cloud (e.g. with Dropbox), consider using something like Cryptomator to encrypt it before it ever leaves your device.

    Most importantly, use a password manager such as KeePass or BitWarden, secured with a strong passphrase and ideally a physical token (e.g. a YubiKey). While the likes of Facebook and Google are as creepy as they come, for the average person your primary threat will come from using a weak password on multiple websites or apps, exposing you to malicious actors seeking to hurt you financially (or worse).

  • Why Facebook shouldn't be regulated

    The bits

    • There’s a strong and growing impetus around the world to subject Facebook to sterner regulation.
    • Facebook’s morally opaque business model has resulted in all sorts emerging from the woodwork.
    • Fair enough, too; Facebook is as creepy as they come.
    • You can make any company into a monopoly if you narrow your definition of “market” enough.
    • While Facebook may fail an economist’s definition of monopoly, good politics is not necessarily good economics.
    • Given the money and politics involved, designing the perfect regulation is virtually impossible and not without cost.
    • Facebook has only been able to grow by giving consumers what they want.
    • Please don’t regulate Facebook and entrench an advertising company as the social media gold standard.

    If you follow EconByte then you’re probably aware of my dislike of Facebook and so I apologise in advance for yet another Facebook-related post. But in light of even more revelations of Facebook’s abuse of its users’ data, it may come as some surprise to see me, of all people, advocating against the regulation of Facebook. Hear me out.

    Regulating Facebook will only make it more dominant

    There’s a strong and growing impetus around the world to subject Facebook, and by proxy all other social media companies, to sterner regulation. For example, British politician Damian Collins issued a statement calling for authorities to investigate Facebook and for it to once again appear before his committee to “explain how their policies work on access to user data, and whether policies are a breach of data privacy law, as it would appear that user data was made available to firms without the informed consent of the user having been given”.

    Investigations are already underway both in Washington and Germany, with both countries trying to determine whether or not Facebook is a monopoly and should be regulated as such. As Collins stated:

    “Given the dominant market position they enjoy in social media, this gives real concerns about whether they are behaving as a monopoly, exercising their considerable power to further dominate the commercial environment in which they trade; making some businesses, and breaking others in the process.”

    Fair enough, too; Facebook is as creepy as they come. Even with location tracking turned off, Facebook uses IP addresses, check-ins, and cities on profiles to approximate user locations for ads and other services. Then there are the bugs, such as the one where app developers were mistakenly granted permission to access the photos of up to 5.6 million users. Oh and who could forget its dodgy VPN application, supposedly developed to provide users with “greater privacy and control around their data”, but which in reality was literally designed to spy on people.

    Facebook and privacy

    That said, I would be surprised if regulators managed to define Facebook as a monopoly without somehow bending the rules. A popular economics textbook by Greg Mankiw defines monopoly as “a firm that is the sole seller of a product without close substitutes… is a price maker… earns extraordinary profits for an extended period… price is greater than marginal cost… [and] market power is based on substantial barriers to entry”.

    While there is no exact replica of Facebook, and certainly none with the network effects that it has developed over time, there are plenty of close substitutes. As for being a price maker, Facebook doesn’t even sell a product to consumers - it’s an advertising company and its users pay with data instead of dollars. The barriers to entry are also tiny; at the end of the day, Facebook is just another website and plenty of alternatives have come and gone throughout its existence.

    But when you’re an antitrust lawyer, everything’s a monopoly.

    The enormous amount of media attention directed at Facebook and its morally opaque business model has resulted in all sorts of critters emerging from the woodwork, including antitrust lawyers. Former antitrust assistant attorney general Sally Hubbard, writing for CNN Business, had this to say:

    “Facebook, for example, doesn’t need to have a monopoly over a market as broad as “all social media.” All social media platforms are not substitutes for Facebook. You can’t see baby pictures on LinkedIn, and you can’t keep in touch with Grandma on Twitter. The closest substitute to Facebook is Instagram, which isn’t much of a choice since Facebook owns it.”

    There’s plenty more in the article but it’s painful stuff. I mean, you can make any company into a monopoly if you narrow your definition of “market” enough. All electric vehicles are not substitutes for a Tesla. Monopoly! I control the market for EconByte posts. Monopoly!

    But baby pictures, really? You want to see some distant associate’s baby pictures that badly, but not enough to accept Facebook’s conditions or I don’t know, ask them for a picture, that you would prefer to cry monopoly and drag Facebook through the courts?

    As for grandma, if you truly wanted to keep in touch, why not call once in a while? Email? SMS? The possibilities are virtually endless. I would go on but the article is so dimwitted and ignorant of the subject with which it deals that I just can’t.

    Politics is not economics

    While Facebook may fail an economist’s definition of monopoly, good politics is not necessarily good economics (in fact, it often runs contrary). To a politician, Facebook is ripe for regulation and its constant exploitation of its users’ data has shaped up as the perfect justification.

    But alas, without forcing it to change its business model entirely, regulating Facebook will do little to help its users and will in all likelihood further entrench its status as a monopoly.

    A key problem with regulating Facebook as a monopoly is that it will require a myriad of generalised, industry-wide regulations. No doubt the end package will have a noble aim and name, with the Eurozone’s “General Data Protection Regulation” (GDPR) the most prominent example. But Facebook already operates in Europe and so has been subject to the GDPR even as the list of accusations against it continues to grow.

    The sad fact is people just don’t care about their data and will consent to almost anything put in front of them so as to continue using the free service, meaning while regulations such as GDPR might sound all warm and fuzzy, in practice they have few privacy-boosting effects.

    Facebook and GDPR

    A study by Jared Spool of User Interface Engineering found that less than 5% of users change their settings at all. Indeed, the only thing the average user will have noticed as a result of the GDPR is the return of the annoying pop-up in the form of a “we use cookies” consent box. Worse, it has already worked to further centralise power in the hands of Google and Facebook:

    “GDPR, the European Union’s new privacy law, is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation.

    The reason: the Alphabet Inc. ad giant is gathering individuals’ consent for targeted advertising at far higher rates than many competing online-ad services, early data show. That means the new law, the General Data Protection Regulation, is reinforcing—at least initially—the strength of the biggest online-ad players, led by Google and Facebook Inc.”

    I have no doubt that on some margins, regulating Facebook will help. But given the money and politics involved, designing the perfect regulation is virtually impossible and not without cost. Every piece of additional red tape will not only increase Facebook’s costs, but also the cost to a potential competitor of competing with Facebook as a place for you to share and store your cat photos. It risks turning Facebook into a utility; it will create artificial barriers to entry not just for a Facebook clone, but for some yet to be conceived idea that may fail at the first hurdle given the additional costs of getting started.

    What happens to the small start-up that hopes to one day replace Facebook by competing on a slightly different margin if it needs to raise tens (or hundreds) of thousands of dollars to comply with the new regulations? It could be an end-to-end encrypted social network, where by “friending” someone you essentially exchange a cryptographic key that decrypts particular content. It could be a completely decentralised, federated system. Whatever. Broad-based “social media” regulation will nip such start-ups in the bud before they can ever see the light of day.

    Those pesky unintended consequences

    There’s also a very real risk of rent seeking and regulatory capture. You can bet your bottom dollar that Facebook will throw billions of dollars at “guiding” industry regulation through lobbying, political donations and “industry consultations”. Facebook will be willing to pay the cost of being regulated if it means its competitors, both present and not yet conceived, will have to pay it as well. How is a startup supposed to compete with the 20,000 security and content reviewers and small army of lawyers already on Facebook’s payroll?

    Just as Uber decimated the taxi industry, unless a future competitor’s product is leaps and bounds above Facebook’s, the heavily regulated legacy provider will linger on. Facebook will divert some of its profits to political campaign contributions and regulatory compliance costs but will become even more entrenched - ‘utilified’ - in the process.

    Regulating Facebook would be a win for Facebook, regulators, politicians, lawyers, accountants, content screeners, the NSA, etc., but would represent a large unseen loss for consumers who will be stuck with Facebook and its data abuse for far longer than they should. Contrary to what the media, politicians and antitrust lawyers claim, there are lots of alternatives to Facebook, including social media abstinence.

    People don’t care about data privacy

    People like Facebook

    A study recently found that the average Facebook user would require more than $1,000 to deactivate their account for just a single year. At the end of the day, Facebook has been able to grow not through monopoly status (e.g. as might a water utility) but by giving consumers what they want in a highly competitive market. In this case, that happens to be a free platform to share their lives to the world in exchange for their data, which it sells to advertisers to fund itself.

    The fact that Facebook maintains so many active users in probably the most competitive sector in the world is proof enough that they are happy with the exchange, so for heaven’s sake please don’t regulate it and unintentionally entrench an advertising company as the social media gold standard for years to come.

  • Australia's foolish encryption experiment

    The bits

    • Australia just rushed through anti-encryption legislation that is at best useless and at worst downright dangerous.
    • It seeks to do the impossible, providing secure access for police while keeping malicious actors out.
    • The people supposedly targeted by the legislation will be able to circumvent it relatively easily.
    • It will fall back on targeting points where information is not encrypted, something it already had the power to do.
    • However, it will still have very real, if difficult to calculate, economic and social costs.
    • If properly implemented, the Australian technology sector will suffer the most, but it will be largely unseen.
    • Every Australian is now exposed to unintended consequences, such as data theft.
    • What could possibly go wrong? I offer some predictions.

    I try not to dabble in day-to-day events, especially when politics are involved. But Australia’s parliament just passed legislation, with the full support of both major parties I might add, that is at best useless and at worst downright dangerous. It’s called the Assistance and Access Bill (AAB), and here’s why it’s so bad.

    It seeks to do the impossible

    According to TechCrunch:

    The bill, in short, grants Australian police greater powers to issue “technical notices” — a nice way of forcing companies — even websites — operating in Australia to help the government hack, implant malware, undermine encryption or insert backdoors at the behest of the government.

    The problem is that it’s impossible to provide a secure way to allow law enforcement in while simultaneously keeping malicious actors out. If the government goes ahead with mandating backdoors in encrypted software - one of the problems with the AAB is it’s ill-defined, so its reach could be tiny or enormous - it undermines the security of everything from your loyalty cards to your banking details.

    Pandora’s iPhone

    While no one can be sure, I suspect the technical difficulties and security risks of mandating backdoors will be a bridge too far for Australia. More likely it’ll go with what I call the “wrench” strategy, whereby it’ll metaphorically beat people/corporates into backdooring specific people, or blocking access to popular encrypted applications entirely.

    The wrench strategy

    The people supposedly targeted by the AAB - the “criminals, the terrorists, the paedophiles”, as Home Affairs Minister Peter Dutton described them - will be able to circumvent it relatively easily. If you have something to hide, it’s not difficult to independently acquire or develop your own encryption without relying on a third-party. Sharing files could be done with something as simple as an AES-256 encrypted 7-Zip archive. For chats, a relatively easy option would be the XMPP protocol with off-the-record (OTR). Email communication could be secured with PGP via GnuPG.

    Even if it tried, the Australian government wouldn’t be able to compel foreign individuals or companies which derive little (if any) revenue from Australia, have their full source code available online (open source) and are generally privacy advocates, to backdoor their products. No number of local laws will change that fact. I already use several of these services (e.g. Signal, ProtonMail, Standard Notes) and I’m sure plenty of other “innocent” people, concerned about the privacy violations committed by the likes of Facebook, do as well.

    I admit it’s a different story for major corporations. End-to-end encrypted services may refuse to comply with the AAB (although I suspect Facebook will melt faster than a snowball in hell), forcing the government to lean on Apple or Google - through their App/Play Stores - to deny Australian users access based on their geolocation (or inject malware themselves). It wouldn’t be the first government to do so: a messaging app called Telegram was banned in Russia for refusing to turn over its private keys.

    XKCD on security

    But if all else fails - as it will for the vast majority of encrypted applications - the government will need to take its wrench to the end points where information is not encrypted (e.g. the user, or his/her device), something it already had the power to do.

    It was rushed

    Despite having nearly two years to debate and consider numerous issues relating to the AAB, it was rushed into law before Christmas to avoid an “egg on face” political moment. You see, if an attack occurred over the holiday season - regardless of whether the AAB would have done anything to prevent it - the governing Liberal party would be able to call the opposition Labor party “weak on national security”. 2019 is an election year, meaning as usual political incentives triumph over logic, reasoning and the people of Australia.

    The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.

    The above quote is from former Prime Minister Malcolm Turnbull, who was defending the AAB way back in the middle of 2017. It was a silly thing to say but it has also been taken out of context by privacy advocates, which did them no favours.

    What Malcolm Turnbull meant was people living in Australia have to obey the laws of Australia. The laws of mathematics always apply but if you’re heavily fined or even incarcerated for using them, then there’s a good chance Australians won’t be building or using products based on the laws of mathematics. Not only that, but foreign companies may not want to develop or launch their products in Australia if their and their clients’ data are at risk.

    Now that it’s law, the AAB will have very real, if difficult to calculate, economic and social costs.

    It leaves people exposed

    The target of the AAB (I think; it’s deliberately opaque) is end-to-end encryption, which works as follows (image courtesy of ProtonMail):

    End-to-end encryption

    The AAB was designed to circumvent the above without “breaking” encryption, which was its original intent. For example, the government may try to compel providers of encrypted services to inject a second, hidden public key right at the beginning of an encrypted conversation. In the above case, Bob would believe he’s encrypting his message only for Alice, but in reality he’d also be encrypting it for the government as well. It’s a strategy the British have publicly discussed, and the Americans have already tried (ibid).

    In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call… The service provider usually controls the identity system and so really decides who’s who and which devices are involved - they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.

    Businesses operating in Australia will have to comply with requests such as the one above and it will have unintended consequences. But practically none of the providers of encrypted communication have servers in Australia, meaning the AAB will be difficult if not impossible to enforce in the vast majority of cases.

    Fortunately, there is virtually no way to enforce this law outside of Australia because it has no foreign equivalent. ProtonMail, a Swiss company with datacenters only in Switzerland, is not under Australian jurisdiction. Any request for assistance from Australian agencies under the A&A [AAB] law would need to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. Tech companies with a corporate presence in Australia however, are more likely to be impacted.
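
    The hidden second public key described above, and the check that exposes it, as an added example (not from the original post or from any real messaging service): a toy hybrid envelope in which the provider's key directory decides who a message is encrypted to. The group parameters, `Directory`, `send` and the other names are illustrative assumptions, and the cipher is a teaching toy, not secure cryptography.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only: NOT secure parameters.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short identifier users can compare out of band (in person, by phone)."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]

def _kdf(shared):
    return hashlib.sha256(b"wrap" + shared.to_bytes(32, "big")).digest()

def _stream(key, n):
    # SHA-256 in counter mode as a toy keystream.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_for(recipient_pubs, plaintext):
    """One random content key, wrapped separately for every recipient key."""
    content_key = secrets.token_bytes(32)
    body = _xor(plaintext, _stream(content_key, len(plaintext)))
    tag = hmac.new(content_key, body, hashlib.sha256).digest()
    wraps = {}
    for pub in recipient_pubs:
        eph_priv, eph_pub = keypair()
        kek = _kdf(pow(pub, eph_priv, P))
        wraps[fingerprint(pub)] = (eph_pub, _xor(content_key, kek))
    return {"wraps": wraps, "body": body, "tag": tag}

def decrypt(envelope, priv):
    """Return the plaintext if `priv` matches one of the wrapped keys, else None."""
    entry = envelope["wraps"].get(fingerprint(pow(G, priv, P)))
    if entry is None:
        return None
    eph_pub, wrapped = entry
    content_key = _xor(wrapped, _kdf(pow(eph_pub, priv, P)))
    expected = hmac.new(content_key, envelope["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return _xor(envelope["body"], _stream(content_key, len(envelope["body"])))

class Directory:
    """Provider-run identity service: tells a sender which keys belong to a user."""
    def __init__(self):
        self._keys = {}

    def register(self, user, pub):
        self._keys.setdefault(user, []).append(pub)

    def lookup(self, user):
        return list(self._keys.get(user, []))

def unverified_keys(directory_keys, verified):
    """Fingerprints supplied by the directory that the sender never verified."""
    return sorted(fp for fp in map(fingerprint, directory_keys) if fp not in verified)

def send(directory, user, verified, message, strict=True):
    keys = directory.lookup(user)
    unknown = unverified_keys(keys, verified)
    if strict and unknown:
        raise PermissionError(f"unverified recipient keys for {user}: {unknown}")
    return encrypt_for(keys, message)

def demo():
    alice_priv, alice_pub = keypair()
    extra_priv, extra_pub = keypair()  # constructed stand-in for the hidden key
    directory = Directory()
    directory.register("alice", alice_pub)
    directory.register("alice", extra_pub)  # added by the provider, not by Alice
    verified = {fingerprint(alice_pub)}  # Bob checked this with Alice directly
    message = b"meet at noon"
    # A client that trusts the directory encrypts to both keys without complaint.
    env = send(directory, "alice", verified, message, strict=False)
    # A client that insists on verified keys refuses to send.
    try:
        send(directory, "alice", verified, message, strict=True)
        blocked = False
    except PermissionError:
        blocked = True
    flagged = unverified_keys(directory.lookup("alice"), verified)
    return {
        "alice_reads": decrypt(env, alice_priv) == message,
        "extra_key_reads": decrypt(env, extra_priv) == message,
        "flagged": flagged == [fingerprint(extra_pub)],
        "strict_client_blocks": blocked,
    }

if __name__ == "__main__":
    print(demo())
```

    The extra key decrypts the message exactly as Alice's does, and nothing in the ciphertext looks broken; only comparing fingerprints against ones verified out of band reveals the additional recipient.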

    My predictions

    I’m not a betting man but if I were, I think the following outcomes are most likely to occur:

    • The Australian technology sector will suffer, but it will be largely unseen. Just the existence of the AAB means clients outside of Australia cannot be sure their data are secure. Australian coders and tech entrepreneurs will increasingly have to move overseas.
    • Large foreign companies such as Facebook will fold and give the government secret access to their users’ conversations. Apple will refuse.
    • At some point in the future, a request made through the AAB and the subsequent security hole (e.g. poorly implemented malware) will result in the theft of hundreds of thousands of users’ private data.
    • Very few criminals, if any, will be apprehended as a direct result of the AAB, nor will any terrorist attacks be thwarted because of it.

    Benjamin Franklin wrote that “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety”. The worst thing about the AAB is there is no demonstrable gain to safety, with Australia’s politicians almost unanimously trading their constituents’ liberty for a few magic safety beans.

    As a “nothing to hide” passive consumer of encryption, whether through WhatsApp or even TLS (the padlock next to a website’s name), you are the target of the AAB. Not from the Australian government but from criminals or foreign governments that will be able to, at some point in the future, exploit poorly implemented or undermaintained vulnerabilities injected into the numerous applications you use on a daily basis.

    The whole AAB debacle, from inception to implementation, reads like a bad joke. But I suppose it was to be expected from the same politicians under whose watch hundreds of top secret cabinet documents were found in two locked filing cabinets at a second-hand furniture store.

    What could possibly go wrong?

    Note: The festive season draws near and I will be travelling over the next two weekends. I hope to get at least one article out over that period but if not, now you know why.

  • The internet and the cost of free

    The bits

    • Much of the internet seems free, but there’s no such thing as a free lunch.
    • Some services have altruistic intentions, others sell their users’ attention and data.
    • People are generally happy with the trade-off, but I’m not.
    • There are other ways, such as the pay-to-surf model.
    • I’m not sure whether it’ll survive, but it’s a move in the right direction.
    • Amazon is on the blockchain, releasing its centralised Amazon Quantum Ledger Database.
    • I would love to see more decentralisation to reduce large data breaches.
    • Unfortunately, I think we’re still a while away from that model.

    The internet as we know it today is largely one where most things we encounter are provided for free. You can browse this website for free. When you search for something on Google, it doesn’t charge you. Facebook? Free. But as we economists are fond of saying, there’s no such thing as a free lunch. Someone is paying. In terms of this website, I provide the content for free because I enjoy writing about technology and want to share my thoughts on a platform where I have full creative control. GitHub bears the cost of hosting this site in the hope that I’ll upgrade to a paid plan sometime in the future. But that’s not true for Google and Facebook, two very profitable public internet companies that directly charge their users very little.

    Google and Facebook net income

    I would have added EconByte to the chart but there’s not much point when it would only show as a flat line across the $0 intercept. Also, note that I’m singling out Google and Facebook only because they’re the largest companies with “free” products of which I’m aware. So how do Facebook and Google generate those profits? One word: advertising.

    Facebook revenue by segment

    Follow the money

    Google and Facebook charge companies for access to their users. The more people that use their services, the more companies are willing to pay for access to those users. But that model essentially removes prices from one side of the equation, meaning users of the “free” service - unable to weigh up the costs and benefits in dollar terms - have to decide whether or not to consume more through some other means. One way is through simple enjoyment. If Google and Facebook show too many adverts, or adverts that are too intrusive, people will leave the platforms for a competitor. That’s one reason why Google’s adverts are so discreet - if it plastered obnoxious advertising all over its homepage, people - and then advertisers - would quickly abandon it.

    Facebook’s adverts are a bit more intrusive and show up either directly as adverts (e.g. in the right column) or as “sponsored” posts, images and videos. Here’s an example Facebook advert from Neil Patel:

    Facebook advert example

    The sheer number of people who use Google and Facebook means that they’re generally happy with the trade-off. I’m personally not a fan of the exchange; the price of using Facebook is too high for me and I eschewed the social network several years ago. Admittedly Google can be hard to avoid and I still rely on it for a couple of services, but I haven’t missed Facebook.

    There are other ways

    I recently started using Brave browser instead of Firefox (I’ll post a referral link at the bottom of this post). It calls itself “a free and open-source web browser developed based on the Chromium web browser and its Blink engine”. It’s a privacy-focused browser which blocks adverts and trackers, but with one big difference: a pay-to-surf business model. Users help to support content creators through microtransactions by either tipping or through the “Brave Rewards” mechanism, whereby you set aside a pool of funds that is distributed every month to websites that grab your attention.

    The whole thing is built on top of the Ethereum blockchain, using the “Basic Attention Token” or BAT. That means transaction fees are far lower than with traditional banking, allowing microtransactions to actually take place (PayPal and Stripe, for example, charge around 2.9% and 30c per transaction).

    The BAT triangle

    I’m not sure whether it’ll survive in the long run but I think it’s a move in the right direction. Advertising is obnoxious and always involves a breach of trust and privacy to some degree. At least with the Brave browser, you’ll be able to opt-in to advertising and be compensated for the inconvenience.

    Amazon is on board

    Well, kind of. Amazon just announced the Amazon Quantum Ledger Database, or QLDB, based on blockchain technology (the “AWS Managed Blockchain”).

    Amazon QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. Amazon QLDB tracks each and every application data change and maintains a complete and verifiable history of changes over time.

    Amazon's QLDB

    For crypto enthusiasts such as myself it’s good news: finally one of the big tech companies has entered the blockchain space. I wasn’t sure which of the FAANGS would get there first but was pretty sure it would be Apple or Amazon, given neither of those companies relies on advertising for its revenue. It also makes sense for it to be Amazon over Apple; the company’s most profitable division is AWS (its on-demand cloud computing platform), whereas Apple is still in the device business.

    Amazon’s blockchain implementation looks to be centralised, with the AWS Managed Blockchain run only on Amazon’s servers. Amazon will charge a fee for the service based on usage, a step in the right direction - and the centralised solution is essential for corporates that need to tick all of their regulatory boxes - but it’s certainly nothing revolutionary.
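
    What "cryptographically verifiable" can and cannot promise when one authority owns the log is easier to see in code. The following is an added example using a simplified hash chain; it is not QLDB's API or storage format, and the record fields are constructed. It shows that an in-place edit is caught by anyone, while a full rewrite by the log's owner is caught only by a client that kept an earlier digest.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of an entry commits to its record and to the whole chain before it."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build_journal(records):
    """Append records in order, chaining each entry to its predecessor."""
    journal, prev = [], GENESIS
    for record in records:
        prev = entry_hash(prev, record)
        journal.append({"record": record, "hash": prev})
    return journal

def verify(journal, trusted_digest=None) -> bool:
    """Recompute the chain. If the caller kept a digest from an earlier read,
    also require that digest to still appear in the chain."""
    prev, seen = GENESIS, set()
    for entry in journal:
        prev = entry_hash(prev, entry["record"])
        if entry["hash"] != prev:
            return False  # entry edited without fixing the chain
        seen.add(prev)
    return trusted_digest is None or trusted_digest in seen

# Constructed sample records.
RECORDS = [{"guest": "A", "room": 101}, {"guest": "B", "room": 102},
           {"guest": "C", "room": 103}]

def demo():
    journal = build_journal(RECORDS)
    digest = journal[-1]["hash"]  # what a client stores off the ledger
    edited = [dict(e) for e in journal]
    edited[1] = {**edited[1], "record": {"guest": "B", "room": 999}}
    # The ledger's owner can instead rebuild every hash after the change.
    rebuilt = build_journal([RECORDS[0], {"guest": "B", "room": 999}, RECORDS[2]])
    return {"original": verify(journal, digest),
            "edited_in_place": verify(edited),
            "rebuilt_no_digest": verify(rebuilt),
            "rebuilt_vs_digest": verify(rebuilt, digest)}

if __name__ == "__main__":
    print(demo())
```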

    What I want

    What I would love to see is more decentralisation with data controlled by individuals, not corporates. Centralised solutions are always going to be more vulnerable to failure (e.g. hacking) than their decentralised equivalents. As I was writing this post, news broke that the Marriott hotel chain had been breached, exposing 500 million customers’ data, including names, addresses, phone numbers, email addresses, date of birth, gender, trip and reservation information and passport numbers.

    If a more robust, decentralised system had been available for the Marriott to store its data - for example, a distributed blockchain where user data are encrypted with private keys - there would have been nothing to steal in the first place. Hotel guests would verify themselves when booking or checking in using their private key, ideally secured with multi-factor authentication (e.g. a password and physical token such as a YubiKey). No backdoors or master key for hackers to exploit.

    Unfortunately, I think we’re still a while away from that model. The Marriott hack was no doubt a public relations nightmare, but I’d bet that from a purely financial point of view a centralised option would still be preferred. For if it had a fully distributed, decentralised database as described above, it wouldn’t be able to harvest its users’ personal information to sell to a third party or improve its own direct marketing ability. There’s also the fact that privacy and security are less convenient for the average user than more vulnerable, centralised alternatives, meaning some clients might be put off by having to take responsibility for their own data.

    People vote with their feet (or in the internet’s case, their hands) and so the evidence suggests we’re not yet at a point where the cost of “free” is greater than the inconvenience of having to pay a few dollars for an alternative. Facebook was hacked and has an awful history of abusing its users’ privacy, yet not only do people keep using it but its user base keeps growing. It’s not as if there aren’t alternatives.

    I think whatever model eventually triumphs, it won’t just have to equal the likes of Google and Facebook, but far exceed them. People can be reluctant to pay for something that they currently get for “free”, even if it’s not actually free.

    P.S. the referral code I mentioned earlier is here - https://brave.com/eco530 - if you install and decide to use Brave browser, EconByte will get 5 USD in BAT tokens.