• The cost of change

    The bits

    • There is no such thing as a free lunch, and it’s as true for the tech unicorns as it is elsewhere.
    • Facebook is an example of an imperfect institutional arrangement. But that doesn’t mean it’s inefficient.
    • People hate switching, because it costs them the most important resource of all: time.
    • Switching costs make it difficult for an individual to change, especially when they currently pay nothing.
    • The most recent example is that of cryptocurrencies and the blockchain technology that underpins them.
    • It’s important to bear the cost of change in mind whenever the next latest and greatest technology is discovered.
    • Today’s institutional arrangements exist for a reason.
    • Until the cost of change is sufficiently lowered the advertising model will remain at the top, warts and all.

    I often write about the flaws of Facebook, Google and other Silicon Valley “unicorns” (companies with one billion+ valuations), but I don’t talk enough about the economic realities of their persistence. Economists are fond of the phrase “there is no such thing as a free lunch”, and it’s as true for the tech unicorns as it is elsewhere. It’s easy to point out flaws and potential improvements from the outside, but the fact is those alternatives come with their own costs.

    The nirvana fallacy

    Coined by Harold Demsetz in 1969, the nirvana fallacy describes a situation where some ideal solution is pitted against the flawed status quo, often with the full costs of that ideal omitted. As Demsetz put it:

    “The view that now pervades much public policy economics implicitly presents the relevant choice as between an ideal norm and an existing ‘imperfect’ institutional arrangement. This nirvana approach differs considerably from a comparative institution approach in which the relevant choice is between alternative real institutional arrangements. In practice, those who adopt the nirvana viewpoint seek to discover discrepancies between the ideal and the real and if discrepancies are found, they deduce that the real is inefficient.”

    In my opinion, Facebook is an example of an imperfect institutional arrangement. But that doesn’t mean it’s inefficient, given how imperfect the alternatives are. Have you ever tried GNU social, Diaspora*, Friendica or Pump.io? I have, and let me tell you that for the average punter they are not even close to becoming Facebook equivalents. I love that they exist, but they fill a geeky niche that is entirely different to Facebook’s one-size-fits-all model.

    The same can be said for regulating Facebook. Proponents point out all of the flaws in the existing arrangement, but compare it to an ideal state where internet companies are perfectly regulated to a point where they safeguard their users’ data while simultaneously sell it. It’s just not possible, even if we ignore all of the flaws in the political process such as lobbying, rent-seeking and regulatory capture.

    The reason Facebook persists is because its users like it more than the alternative options available to them right now.

    Switching costs

    People hate switching, because it costs them the most important resource of all: time. Even if there were a Facebook alternative that ticks all of the boxes, people would be reluctant to expend time and effort researching it, convincing their friends to join, and so on. Switching costs apply to everything, from social networks to car insurance. For example, Energy Consumers Australia undertakes a monthly survey, with one of the questions being: “Which of the following have you ever done?”.

    People don't like to switch

    It turns out that Australians don’t switch energy providers very often, with 43.9% of the surveyed population having never switched their gas or electricity providers. As a result, CHOICE estimates that Australian energy consumers are paying about $400 too much every year, with Australian households as a whole paying about an additional $1.2 billion every year. Competition is great, but unless the alternative is significantly better or the switching costs are sufficiently low, people will stick with their existing service providers.

    That makes the case of the Silicon Valley unicorns all the more interesting. How much do you pay for Google searches? Your Facebook profile? Scrolling your Twitter feed? Reading a review on Yelp? Sending a Snap? For most people, the answer is $0.

    All of the companies I mentioned above derive their revenues from advertising, and by now it’s common knowledge that they take your data and monetise it. But even knowing that, less than 5% of Facebook users care enough to bother changing their privacy settings, and the average user would want more than $1,000 to deactivate their account for a year.

    Switching costs are very real and they make it difficult for an individual to change providers, especially when they currently pay nothing (in dollar terms).

    Google spent $560 million on its social network, Google Plus, yet ultimately failed because the switching costs were too great (its product wasn’t good enough to offset them). While a competitor with a different, non-advertising business model might have a better chance if it can offer users value greater than the switching costs, that ideal alternative doesn’t yet exist.

    Blockchain, meet reality

    Perhaps the most recent example of the cost of change is that of cryptocurrencies and the blockchain technology that underpins them, which was hailed as a revolution that would not only replace existing, fiat currencies, but would change banking as we know it. No longer would people need to rely on centralised bastions of trust; instead, a decentralised, trustless ledger would allow transactions to be processed for a fraction of the cost.

    But as the fog of euphoria parted, it became clear that the technology was not even close to achieving its lofty goals. A number of papers are starting to emerge that highlight the costs involved in using a blockchain ledger. As Arnold Kling wrote recently:

    “…you cannot just look at the costs imposed by centralized record-keepers and say ‘all those costs just go away with blockchain.’ Other costs are introduced.”

    It’s important to bear the nirvana fallacy and the cost of change in mind whenever the next latest and greatest technology is discovered. Today’s institutional arrangements exist for a reason and to successfully disrupt them a competitor will need to first overcome the hefty switching costs, a task easier said than done. As a recent Twitter thread highlighted:

    • Uber launched by going to black car companies and paying drivers to be available on Uber during certain hours, ensuring that riders would be able to find a ride.
    • Relationship Hero, a relationship coaching marketplace, scaled to dozens of customers with just one coach–its cofounder! But the website listed 10 fake coaches, to give users the sense that it was a more active platform with diverse coaches who fit their particular situation.
    • The founders of Home Depot used to stock empty boxes on the shelves to make the stores look like they were full of merchandise.
    • According to Reddit cofounder Steve Huffman, the first Redditors populated the site’s content with tons of fake accounts.

    I don’t know how the advertising model currently in favour with Silicon Valley will eventually be disrupted. Microtransactions via blockchain showed promise - and developments in the sector continue to show promise - but it has its own costs that many people are too willing to ignore. Until the cost of change is sufficiently lowered the advertising model will remain at the top, warts and all.

  • Assorted bits, 01/2019

    Here are the eight bits of news I found most interesting this week, along with some brief commentary.

    1. NBC finally jumps in the streaming wars — announces a new service to compete with Netflix, Disney and Amazon.

    NBC has announced it will launch a streaming service in Q1 2020, free for pay-tv subscribers but ~$12/month for everyone else. Amazon, Disney, Hulu, AT&T/WarnerMedia, now NBCUniversal are all jumping, or have jumped, into the streaming space… Watch out Netflix! So much for that monopoly. On the topic of Netflix, it recently decided that now is the appropriate time to raise the price of its most popular plan (for US customers only) from $10.99 to $12.99 per month; good luck with that! Consumers 1, antitrust lawyers and wannabe monopolists 0.

    2. RCS Chat is launching on Google Fi.

    Google is rolling out Rich Communication Services (RCS) messaging support on the Google Fi network available on its Pixel phones, the Moto G6, LG V35, LG G7, and Android One Moto X. There is one crucial element missing from Chat, however. While the original RCS protocol allowed the implementation of client-to-server encryption, Chat will not offer end-to-end encryption like iMessage or Signal. In short, it allows for the same legal intercept standards as its predecessor. Lame. In an increasingly privacy-conscious world, I don’t think Google has a winner here.

    3. “Underappreciated” consequences of Encryption Bill could damage Australian security industry for years.

    A survey (so take it with a grain of salt) but two-thirds of Australian technology companies believe the federal government’s new encryption laws will compromise trust in their products and damage their export prospects in the long term. I wrote in detail about the foolishness of the bill here.

    4. Facebook’s ‘10 year challenge’ is just a harmless meme - right?

    Why do people trust anything Facebook says or does? In response to the question of why so many people willingly handed over their information to Facebook, CEO Mark Zuckerberg replied “I don’t know why. They “trust me”. Dumb f**ks.” No doubt he’s saying the same again (but probably not in an email this time), as “thanks to this meme, there’s now a very large dataset of carefully curated photos of people from roughly 10 years ago and now… that could be used to train a facial recognition algorithm on aging”. The sooner this company goes belly up, the better.

    5. HSBC banks on blockchain to finesse forex trades.

    Probably the best real world use-case for cryptocurrencies (so far)? An exciting space and I plan to write about it in more detail at some stage. “The London-headquartered bank, a heavy-hitter in forex dealing, has processed more than 3m FX transactions worth $250bn using blockchain technology in the past year, it said on Monday. That represents a tiny sliver of its overall currencies business, but still offers a rare example of a blockchain-based product that has proven its worth in wholesale finance.”

    Elon Musk wants to “save the human race”. As he explains, his main goal is to wire a chip into your skull to give you the digital intelligence needed to progress beyond the limits of our biological intelligence. Note to self: don’t go out for drinks with Elon Musk.

    7. DuckDuckGo will use Apple Maps for local searches on the web.

    DuckDuckGo, the privacy-focused search engine that promises not to track you, has announced that Apple Maps will now power its local search results on both desktop and mobile web browsers. DuckDuckGo says that it will now have “improved address searches, additional visual features, enhanced satellite imagery, and continually updated maps”. A good move, I suppose; while Apple is no angel, it’s less evil than Google.

    8. Random: An Egg, Just a Regular Egg, Is Instagram’s Most-Liked Post Ever.

    A simple picture of an egg posted by an anonymous Instagram user has set the world record for most likes, surpassing Kylie Jenner’s 18m record. “There’s nothing special about the egg. Seems like a fine enough egg. But more than 22 million people have liked it, dethroning Kylie Jenner’s birth-announcement post.”

    Yep. Welcome to the internet. Your move, Kylie Jenner.

    Image of the week

    No business model lasts forever (music edition). It seems peak music spending was 1998 - 2000. The music industry over time

    That’s all for this week, have a great weekend.

  • The age of centralisation

    The bits

    • Many of the services we use on a daily basis are very centralised.
    • It’s not just social networks. Banks, utilities, soft drinks - the list goes on.
    • Industry concentration is the new normal, but it’s not necessarily a bad thing.
    • But it does mean we are living in an age of centralisation, especially in tech.
    • Instead of charging you directly, they sell targeted access to you.
    • A random individual’s data aren’t worth much, but a centralised database is.
    • The best thing you can do is just not give it up so easily.
    • Most importantly, use a password manager secured with a strong passphrase.

    I’ve been thinking for some time about how centralised many of the services we use on a daily basis really are. For example, for a true social network - that is, primarily text-based with a user’s content preserved but limited to “friends” only - you really only have Facebook. There are certainly alternatives but in terms of keeping in touch with a wide group of diverse associates, it’s Facebook or bust (curse those network effects!).

    Social networks by number of active users

    But as I discussed last week, Facebook is not a monopoly in the true sense of the word. While Facebook itself might be entirely centralised, it operates in a decentralised environment where its position at the top of the food chain is fickle at best. As the late Harold Demsetz (1988) put it in The Organization of Economic Activity: Ownership, Control and the Firm:

    “The analytical usefulness of the concept of decentralization derives precisely from the fact that it allows the analyst to ignore the behavior of a single individual or a small group of individuals. It implicitly asserts that the tactical measures taken by incumbent firms to bar entrants from an industry cannot long hold at bay the continuous onslaught of more efficient organizations and techniques of production.”

    The only way Facebook can prevent entrants from eventually usurping it is by constantly improving, or through artificial barriers, which is precisely why regulators should keep clear (I really, really don’t want to be stuck with Facebook any longer than necessary).

    Industry concentration is the new normal

    But what I realised is that it’s not just social networks where a person’s choice is limited: banks; utilities; transport - both public and private (e.g. Uber/taxi) - universities; soft drinks (60% of the global non-alcoholic beverages industry is controlled by Coca-Cola and Pepsi); insurance; and even super markets, are all relatively concentrated. As this chart by the Economist shows, most sectors in the United States have become more concentrated since 1997.

    Industry concentration by sector

    That’s not necessarily a bad thing; it might be optimal to have one or a few providers of a good or service instead of a number of smaller ones, and the relationship between industry concentration and higher profits all but disappears when firm size is taken into account (see for example Yale Brozen’s 1982 book Concentration, Mergers, and Public Policy).

    Living in an age of centralisation

    But it does mean we are living in an age of centralisation, especially in the tech sector. I find it somewhat ironic that one of the most innovative, adaptive and decentralised (using Demsetz’s description above) sectors is also the one in which a few companies tend to dominate at a given task.

    In the past, industry concentration wasn’t an issue because the firms were essentially direct service providers. Your bank charged you account fees, and/or lent out your deposits, to make a profit. Your internet provider, water and power utilities charge you a monthly fee based on some combination of fixed and usage charges. But that all changed with Google and its “free” services, a model later copied by Facebook and countless other start-ups around the world.

    Defining the divide in tech

    Instead of charging you directly, they sell targeted access to you (or the means, via the data it stores about you, for some other entity to target you). Individually your data aren’t worth much, as Gregor Barber noted in a recent Wired article when trying to sell his Facebook data, but when you have more than a billion users you can start to do some funky things with their information (data scientist roles have grown over 650% since 2012).

    “My tipping point was the Facebook hack, exposed in September, in which I—along with some 90 million other potential victims—was temporarily locked out of my account. I imagined my identity rippling across the internet, thanks to the single sign-in convenience of Facebook Connect. After a long season of leaks, hacks, and shady data pillaging, I’d had enough. I considered simply deleting my account. But then I landed on a different strategy: making a profit.

    …I was ready to call it quits—unless, that is, my proceeds reeled me back in. I tallied up my fiat (that’s money, to the rest of us): 162 WIB, 1 DAT, 0 NRN. My earnings, while eclectic, were worth approximately 0.3 cents.”

    What you can do about it

    As Barber found out, a random individual’s Facebook data aren’t worth much, but Facebook’s centralised database clearly is (otherwise no one would pay for access). For now, free services paid for with targeted advertising tailored via “big data” stores of user information are the business model. It won’t be that way forever, but while it is there are some things you can do to protect yourself. Barber had a good suggestion:

    “My efforts had simply heightened my sense of just how much I was sharing, and made me inclined to expose a little less: to leave my phone at home when I went on a run, or to conceal my phone number and real email address from Facebook.”

    It’s safe to say that the likes of Facebook and Google already know a LOT about you. The list of data gathering techniques they employ are virtually endless, whether it’s direct collection through a combination your web searches, online purchases, music and video preferences, etc., or indirectly via your family, friends and co-workers’ data (so-called “shadow profiles”).

    Even if you’re being careful, they’re also able to “fingerprint” your web browser and device, allowing them to track you when you don’t want to be tracked. Those Facebook “like” buttons at the end of a blog post? They’re specifically designed to track you and your web browsing activities, linking what you do while not on Facebook to your shadow profile. The list of tracking tools and techniques employed by these companies is ever-growing and evolving as their advertising business model depends upon knowing more about you than their competitors.

    But for the vast majority of people - myself included! - your data are probably about as valuable to these firms as Gregor Barber’s above, i.e. not very. The best thing you can do is just not give it up so easily: change your privacy settings, block third-party cookies, use browser extensions that block trackers and switch to open source and/or encrypted alternatives where you can (for example, use Signal instead of Facebook Messenger and ProtonMail instead of GMail). If you sync your data into the cloud (e.g. with Dropbox), consider using something like Cryptomator to encrypt it before it ever leaves your device.

    Most importantly, use a password manager such as KeePass or BitWarden, secured with a strong passphrase and ideally a physical token (e.g. a YubiKey). While the likes of Facebook and Google are as creepy as they come, for the average person your primary threat will come from using a weak password on multiple websites or apps, exposing you to malicious actors seeking to hurt you financially (or worse).

  • Why Facebook shouldn't be regulated

    The bits

    • There’s a strong and growing impetus around the world to subject Facebook to sterner regulation.
    • Facebook’s morally opaque business model has resulted in all sorts emerging from the woodwork.
    • Fair enough, too; Facebook is as creepy as they come.
    • You can make any company into a monopoly if you narrow your definition of “market” enough.
    • While Facebook may fail an economist’s definition of monopoly, good politics is not necessarily good economics.
    • Given the money and politics involved, designing the perfect regulation is virtually impossible and not without cost.
    • Facebook has only been able to grow by giving consumers what they want.
    • Please don’t regulate Facebook and entrench an advertising company as the social media gold standard.

    If you follow EconByte then you’re probably aware of my dislike of Facebook and so I apologise in advance for yet another Facebook-related post. But in light of even more revelations of Facebook’s abuse of its user’s data, it may come as some surprise to see me, of all people, advocating against the regulation of Facebook. Hear me out.

    Regulating Facebook will only make it more dominant

    There’s a strong and growing impetus around the world to subject Facebook, and by proxy all other social media companies, to sterner regulation. For example, British politician Damian Collins issued a statement calling for authorities to investigate Facebook and for it to once again appear before his committee to “explain how their policies work on access to user data, and whether policies are a breach of data privacy law, as it would appear that user data was made available to firms without the informed consent of the user having been given”.

    Investigations are already underway both in Washington and Germany, with both countries trying to determine whether or not Facebook is a monopoly and should be regulated as such. As Collins stated:

    “Given the dominant market position they enjoy in social media, this gives real concerns about whether they are behaving as a monopoly, exercising their considerable power to further dominate the commercial environment in which they trade; making some businesses, and breaking others in the process.”

    Fair enough, too; Facebook is as creepy as they come. Even with location tracking turned off, Facebook uses IP addresses, check-ins, and cities on profiles to approximate user locations for ads and other services. Then there are the bugs, such as the one where app developers were mistakenly granted permission to access the photos of up to 5.6 million users. Oh and who could forget its dodgy VPN application, supposedly developed to provide users with “greater privacy and control around their data”, but in reality was literally designed to spy on people.

    Facebook and privacy

    That said, I would be surprised if regulators managed to define Facebook as a monopoly without somehow bending the rules. A popular economics textbook by Greg Mankiw defines monopoly as “a firm that is the sole seller of a product without close substitutes… is a price maker… earns extraordinary profits for an extended period… price is greater than marginal cost… [and] market power is based on substantial barriers to entry”.

    While there is no exact replica of Facebook, and certainly none with the network effects that it has developed over time, there are plenty of close substitutes. As for being a price maker, Facebook doesn’t even sell a product to consumers - it’s an advertising company and its users pay with data instead of dollars. The barriers to entry are also tiny; at the end of the day, Facebook is just another website and plenty of alternatives have come and gone throughout its existence.

    But when you’re an antitrust lawyer, everything’s a monopoly.

    The enormous amount of media attention directed at Facebook and its morally opaque business model has resulted in all sorts of critters emerging from the woodwork, including antitrust lawyers. Former antitrust assistant attorney general Sally Hubbard, writing for CNN Business, had this to say:

    “Facebook, for example, doesn’t need to have a monopoly over a market as broad as “all social media.” All social media platforms are not substitutes for Facebook. You can’t see baby pictures on LinkedIn, and you can’t keep in touch with Grandma on Twitter. The closest substitute to Facebook is Instagram, which isn’t much of a choice since Facebook owns it.”

    There’s plenty more in the article but it’s painful stuff. I mean, you can make any company into a monopoly if you narrow your definition of “market” enough. All electric vehicles are not substitutes for a Telsa. Monopoly! I control the market for EconByte posts. Monopoly!

    But baby pictures, really? You want to see some distant associate’s baby pictures that badly, but not enough to accept Facebook’s conditions or I don’t know, ask them for a picture, that you would prefer to cry monopoly and drag Facebook through the courts?

    As for grandma, if you truly wanted to keep in touch, why not call once in a while? Email? SMS? The possibilities are virtually endless. I would go on but the article is so dimwitted and ignorant of the subject with which it deals that I just can’t.

    Politics is not economics

    While Facebook may fail an economist’s definition of monopoly, good politics is not necessarily good economics (in fact, it often runs contrary). To a politician, Facebook is ripe for regulation and its constant exploitation of its user’s data has shaped up as the perfect justification.

    But alas, without forcing it to change its business model entirely, regulating Facebook will do little to help its users and will in all likelihood further entrench its status as a monopoly.

    A key problem with regulating Facebook as a monopoly is that it will require a myriad of generalised, industry-wide regulations. No doubt the end package will have a noble aim and name, with the Eurozone’s “General Data Protection Regulation” (GDPR) the most prominent example. But Facebook already operates in Europe and so has been subject to the GDPR even as the list of accusations against it continues to grow.

    The sad fact is people just don’t care about their data and will consent to almost anything put in front of them so as to continue using the free service, meaning while regulations such as GDPR might sound all warm and fuzzy, in practice they have few privacy-boosting effects.

    Facebook and GDPR

    A study by Jared Spool of User Interface Engineering found that less than 5% of users change their settings at all. Indeed, the only thing the average user will have noticed as a result of the GDPR is the return of the annoying pop-up in the form a “we use cookies” consent box. Worse, it has already worked to further centralise power in the hands of Google and Facebook:

    “GDPR, the European Union’s new privacy law, is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation.

    The reason: the Alphabet Inc. ad giant is gathering individuals’ consent for targeted advertising at far higher rates than many competing online-ad services, early data show. That means the new law, the General Data Protection Regulation, is reinforcing—at least initially—the strength of the biggest online-ad players, led by Google and Facebook Inc.”

    I have no doubt that on some margins, regulating Facebook will help. But given the money and politics involved, designing the perfect regulation is virtually impossible and not without cost. Every piece of additional red tape will not only increase Facebook’s costs, but also the cost of a potential competitor from competing with Facebook as a place for you to share and store your cat photos. It risks turning Facebook into a utility; it will create artificial barriers to entry not just for a Facebook clone, but for some yet to be conceived idea that may fail at the first hurdle given the additional costs of getting started.

    What happens to the small start-up that hopes to one day replace Facebook by competing on a slightly different margin if it needs to raise tens (or hundreds) of thousands of dollars to comply with the new regulations? It could be an end-to-end encrypted social network, where by “friending” someone you essentially exchange a cryptographic key that decrypts particular content. It could be a completely decentralised, federated system. Whatever. Broad-based “social media” regulation will nip such start-ups in the bud before they can ever see the light of day.

    Those pesky unintended consequences

    There’s also a very real risk of rent seeking and regulatory capture. You can bet your bottom dollar that Facebook will throw billions of dollars at “guiding” industry regulation through lobbying, political donations and “industry consultations”. Facebook will be willing to pay the cost of being regulated if it means its competitors, both present and not yet conceived, will have to pay it as well. How is a startup supposed to compete with the 20,000 security and content reviewers and small army of lawyers already on Facebook’s payroll?

    Just as Uber decimated the taxi industry, unless a future competitor’s product is leaps and bounds above Facebook’s, the heavily regulated legacy provider will linger on. Facebook will divert some of its profits to political campaign contributions and regulatory compliance costs but will become even more entrenched - ‘utilified’ - in the process.

    Regulating Facebook would be a win for Facebook, regulators, politicians, lawyers, accountants, content screeners, the NSA, etc., but would represent a large unseen loss for consumers who will be stuck with Facebook and its data abuse for far longer than they should. Contrary to what the media, politicians and antitrust lawyers claim, there are lots of alternatives to Facebook, including social media abstinence.

    People dont care about data privacy

    People like Facebook

    A study recently found that the average Facebook user would require more than $1,000 to deactivate their account for just a single year. At the end of the day, Facebook has been able to grow not through monopoly status (e.g. as might a water utility) but by giving consumers what they want in a highly competitive market. In this case, that happens to be a free platform to share their lives to the world in exchange for their data, which it sells to advertisers to fund itself.

    The fact that Facebook maintains so many active users in probably the most competitive sector in the world is proof enough that they are happy with the exchange, so for heaven’s sake please don’t regulate it and unintentionally entrench an advertising company as the social media gold standard for years to come.

  • Australia's foolish encryption experiment

    The bits

    • Australia just rushed through anti-encryption legislation that is at best useless and at worst downright dangerous.
    • It seeks to do the impossible, providing secure access for police while keeping malicious actors out.
    • The people supposedly targeted by the legislation will be able to circumvent it relatively easily.
    • It will fall back on targeting points where information is not encrypted, something it already had the power to do.
    • However, it will still have very real, if difficult to calculate, economic and social costs.
    • If properly implemented, the Australian technology sector will suffer the most, but it will be largely unseen.
    • Every Australian is now exposed to unintended consequences, such as data theft.
    • What could possibly go wrong? I offer some predictions.

    I try not to dabble in day-to-day events, especially when politics are involved. But Australia’s parliament just passed legislation, with the full support of both major parties I might add, that is at best useless and at worst downright dangerous. It’s called the Assistance and Access Bill (AAB), and here’s why it’s so bad.

    It seeks to do the impossible

    According to TechCrunch:

    The bill, in short, grants Australian police greater powers to issue “technical notices” — a nice way of forcing companies — even websites — operating in Australia to help the government hack, implant malware, undermine encryption or insert backdoors at the behest of the government.

    The problem is that it’s impossible to provide a secure way to allow law enforcement in while simultaneously keeping malicious actors out. If the government goes ahead with mandating backdoors in encrypted software - one of the problems with the AAB is it’s ill-defined, so its reach could be tiny or enormous - it undermines the security of everything from your loyalty cards to your banking details.

    Pandoras iPhone

    While no one can be sure, I suspect the technical difficulties and security risks of mandating backdoors will be a bridge too far for Australia. More likely it’ll go with what I call the “wrench” strategy, whereby it’ll metaphorically beat people/corporates into backdooring specific people, or blocking access to popular encrypted applications entirely.

    The wrench strategy

    The people supposedly targeted by the AAB - the “criminals, the terrorists, the paedophiles”, as Home Affairs Minister Peter Dutton described them - will be able to circumvent it relatively easily. If you have something to hide, it’s not difficult to independently acquire or develop your own encryption without relying on a third-party. Sharing files could be done with something as simple as an AES-256 encrypted 7-Zip archive. For chats, a relatively easy option would be the XMPP protocol with off-the-record (OTR). Email communication could be secured with PGP via GnuPG.

    Even if it tried, the Australian government wouldn’t be able to compel foreign individuals or companies which derive little (if any) revenue from Australia, have their full source code available online (open source) and are generally privacy advocates, to backdoor their products. No number of local laws will change that fact. I already use several of these services (e.g. Signal, ProtonMail, Standard Notes) and I’m sure plenty of other “innocent” people, concerned about the privacy violations committed by the likes of Facebook, do as well.

    I admit it’s a different story for major corporations. End-to-end encrypted services may refuse to comply with the AAB (although I suspect Facebook will melt faster than a snowball in hell), forcing the government to lean on Apple or Google - through their App/Play Stores - to deny Australian users access based on their geolocation (or inject malware themselves). It wouldn’t be the first government to do so: a messaging app called Telegram was banned in Russia for refusing to turn over its private keys.

    XKCD on security

    But if all else fails - as it will for the vast majority of encrypted applications - the government will need to take its wrench to the end points where information is not encrypted (e.g. the user, or his/her device), something it already had the power to do.

    It was rushed

    Despite having nearly two years to debate and consider numerous issues relating to the AAB, it was rushed into law before Christmas to avoid an “egg on face” political moment. You see, if an attack occurred over the holiday season - regardless of whether the AAB would have done anything to prevent it - the governing Liberal party would be able to call the opposition Labor party “weak on national security”. 2019 is an election year, meaning as usual political incentives triumph over logic, reasoning and the people of Australia.

    The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.

    The above quote is from former Prime Minister Malcolm Turnbull, who was defending the AAB way back in the middle of 2017. It was a silly thing to say but it has also been taken out of context by privacy advocates, which did them no favours.

    What Malcolm Turnbull meant was people living in Australia have to obey the laws of Australia. The laws of mathematics always apply but if you’re heavily fined or even incarcerated for using them, then there’s a good chance Australians won’t be building or using products based on the laws of mathematics. Not only that, but foreign companies may not want to develop or launch their products in Australia if their and their clients’ data are at risk.

    Now that it’s law, the AAB will have very real, if difficult to calculate, economic and social costs.

    It leaves people exposed

    The target of the AAB (I think; it’s deliberately opaque) is end-to-end encryption, which works as follows (image courtesy of ProtonMail):

    End-to-end encryption

    The AAB was designed to circumvent the above without “breaking” encryption, which was its original intent. For example, the government may try to compel providers of encrypted services to inject a second, hidden public key right at the beginning of an encrypted conversation. In the above case, Bob would believe he’s encrypting his message only for Alice, but in reality he’d also be encrypting it for the government as well. It’s a strategy the British have publicly discussed, and the Americans have already tried (ibid).

    In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call… The service provider usually controls the identity system and so really decides who’s who and which devices are involved - they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.

    Businesses operating in Australia will have to comply with requests such as the one above and it will have unintended consequences. But practically none of the providers of encrypted communication have servers in Australia, meaning the AAB will be difficult if not impossible to enforce in the vast majority of cases.

    Fortunately, there is virtually no way to enforce this law outside of Australia because it has no foreign equivalent. ProtonMail, a Swiss company with datacenters only in Switzerland, is not under Australian jurisdiction. Any request for assistance from Australian agencies under the A&A [AAB] law would need to pass the scrutiny of Switzerland’s criminal procedure and data protection laws. Tech companies with a corporate presence in Australia however, are more likely to be impacted.

    My predictions

    I’m not a betting man but if I were, I think the following outcomes are most likely to occur:

    • The Australian technology sector will suffer, but it will be largely unseen. Just the existence of the AAB means clients outside of Australia cannot be sure their data are secure. Australian coders and tech entrepreneurs will increasingly have to move overseas.
    • Large foreign companies such as Facebook will fold and give the government secret access to their users’ conversations. Apple will refuse.
    • At some point in the future, a request made through the AAB and the subsequent security hole (e.g. poorly implemented malware) will result in the theft of hundreds of thousands of users’ private data.
    • Very few criminals, if any, will be apprehended as a direct result of the AAB, nor will any terrorist attacks be thwarted because of it.

    Benjamin Franklin wrote that “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety”. The worst thing about the AAB is there is no demonstrable gain to safety, with Australia’s politicians almost unanimously trading their constituents’ liberty for a few magic safety beans.

    As a “nothing to hide” passive consumer of encryption, whether through WhatsApp or even TLS (the padlock next to a website’s name), you are the target of the AAB. Not from the Australian government but from criminals or foreign governments that will be able to, at some point in the future, exploit poorly implemented or undermaintained vulnerabilities injected into the numerous applications you use on a daily basis.

    The whole AAB debacle, from inception to implementation, reads like a bad joke. But I suppose it was to be expected from the same politicians under whose watch hundreds of top secret cabinet documents were found in two locked filing cabinets at a second-hand furniture store.

    What could possibly go wrong?

    Note: The festive season draws near and I will be travelling over the next two weekends. I hope to get at least one article out over that period but if not, now you know why.