

Feudal Security - skeltoac
http://www.schneier.com/blog/archives/2012/12/feudal_sec.html

======
uvdiv
_...it's time we step in in our role as governments (both national and
international) to create the regulatory environments that protect us..._

Or putting on other imaginary hats:

 _...it's time we step in in our role as technology corporations to circumvent
and mitigate broken government regulations which harm our customers..._

 _...it's time we step in in our role as malevolent crackers to cease-and-
desist thieving things which do not belong to us..._

 _...it's time we as terrorists, child pornographers, and film pirates stop
doing naughty things, so that people stop asking for digital surveillance..._

How is the counterfactual, "we the governments", any more sensible than the
"we the corporations", or the sillier ones? Schneier isn't a government.
Inference along the lines of "If I were the government I would...", in a
democracy where you and everyone who kind-of agrees with you are an
insignificant fringe, is barely more rational than pretending to be any other
third party.

The main effect of this reasoning flaw is to accede more powers to the biggest
digital-rights threat of all, national governments, out of the fatal illusion
that they will be used to protect you, as imagined in your "If I were
government" fantasy. The evidence strongly suggests that the government--which
you are not--would much rather use new powers _against_ you, to the benefit of
established, paying clients (MPAA).

 _...we, as private citizens, should oppose regulation of our networks,
because governments have been very bad at it, and we do not control them well
enough to expect better._

~~~
ap22213
I, for one, would be much happier with government brokering than corporate. At
least with the (democratic) government, I will have some control. There are
parliamentary processes, voting, constitutional rules, albeit often slow, that
give me a say.

With the corporation, I only have the illusion of control, zero transparency, and
often contractual binding to an entity that only has incentive to take
advantage of me.

Now, as far as government working properly: surely, it often doesn't work
well. For one, governments are often too large (in citizen count) for
individuals to participate effectively. This often leads to powerful interests
taking over. But, perhaps this is because our governmental structures were
invented way too long ago to be current.

The 'private citizen' part is interesting. I would prefer to have peer-to-peer
relationships that are effective and strong enough. But, that's a ways off,
isn't it?

~~~
signalsignal
When dealing with a corporation, I can dump their services and go with a
competitor. When dealing with a government, there are no competitors. You are
automatically in their jurisdiction.

~~~
thisrod
_I can dump their services and go with a competitor_

Says who? Or, more to the point, whose army? When the corporations that hold
your email and bank statements refuse to be dumped, you'll need someone to
break into their server rooms, wipe their hard drives, and arrest or shoot
anyone who resists. I want those people to obey the law, and be under
democratic control.

~~~
dmix
How exactly could an email provider or bank legally prevent me from using
another provider by holding back my information?

If I opted into using their service and agreed to their TOS that included them
keeping my data, then that's my fault.

But if they act maliciously, them having my data is hardly going to keep me
from continuing to use their service.

~~~
adityab
> If I opted into using their service and agreed to their TOS that included
> them keeping my data, then that's my fault.

You forget that _all_ service providers have these TOS. You don't have a
choice.

> Them having my data is hardly going to keep me from continuing to use their
> service.

If you've been using a Gmail account for several years, good luck closing it
if you don't want to lose future emails sent to that address.

------
dsr_
People tend to infer two-way bargains that have some degree of fairness; they
are upset when those expectations are violated.

The general bargain is "You provide some services, I agree to let you see the
data that I put in and either show me some advertising or charge me a small
fee." This holds true for Facebook, Google, Apple... The problem is that many
people assume that their data will be kept reasonably (not perfectly) private.
Advertisers get to specify the attributes of people who will see their ads
(age, large geographical area, expressed interests) and not, say, phone
number, name, birthday and address.

But that bargain has not actually been struck.

And if you do read the pages and pages of legalese, and manage to comprehend
it all, it can still all be changed out from under you.

People who realize this generally aren't happy about it.

------
jiggy2011
My guess is we get far fewer cases of minor security breaches "my computer has
a virus and I lost some files" but occasionally suffer massive scale data
breaches. For example "somebody got into my Facebook, bank and Dropbox and has
stolen my identity".

The amount of software that is being automatically downloaded, installed and
executed every day on millions of devices from a handful of "trusted" servers
is really quite frightening.

You just know that someone out there is busy trying to work out how to forge
Apple certificates.

------
spindritf
I'd rather have the freedom of choosing a feudal e-lord than trust
governmental regulations. Maybe there's a reporting bias but the ones I hear
about are always god-awful.

From seizing domains[1], blocking fairly random sites[2] to threatening ISPs
over content[3], governments make Google, Canonical and the like look very
attractive in comparison. Especially considering you can dump them with only
moderate effort and cost.

[1] <http://arstechnica.com/tech-policy/2012/11/feds-seize-101-domains-for-counterfeiting-in-cyber-monday-operation/>

[2] <https://torrentfreak.com/uk-isps-block-pirate-bays-artist-promotions-121202/>

[3] <http://olgierd.bblog.pl/wpis,jak;urzad;celny;bogu;ducha;winny;portal;odcinal;od;internetu,86592.html>

~~~
jff
Is the government offering to provide Internet services to you? You're
comparing apples and oranges.

A government still can, and will, seize domains, block sites, and issue
takedowns and warrants on content to Google. Suppose I own xyzzy.com, set up
to use Google Apps to handle mail and serve some web pages. Just like if I was
hosting at home or in a colo somewhere, the government can still come in and
demand the data. In fact, the biggest difference is that companies like Google
are more likely to just roll over--see the stories about cell carriers just
handing over tons of information just because law enforcement said please.

~~~
spindritf
And did the actions governments have taken inspire your trust to give them
even more control?

> companies like Google are more likely to just roll over

More likely than who?

~~~
jff
If I self-host, for example, then I can hold on to my stuff until either I get
a subpoena or the cops show up with a warrant. In the meantime, I can decide
if I want to risk charges for destroying any evidence, I can call for lawyers,
all these various actions I can take before my data gets handed over. Beats
the hell out of getting an email to your backup account: "Your domain has been
taken down at the request of law enforcement. Please have a nice day. Do not
reply to this message."

~~~
uiri
How exactly does self-hosting protect you from the government taking down the
domain? Unless you run your own domain registrar, the government can just
change the DNS servers for your domain. That doesn't give them the data but it
takes it off of the internet (as far as they're concerned; depending on how
dynamic your IP is, it could be a nightmare for anyone to try to find via IP
address or IP address range).

~~~
jff
Yeah, that's one you're kind of screwed on.

------
olalonde
I'd rather trust cloud provider X than have the government regulate the
Internet. Please, let's not go down that slippery slope!

~~~
xmpir
I don't agree. The cloud provider is a company only existing for the sake of
generating revenue for the share-holders of this company. The government is a
(usually) democratically elected institution. That is why I prefer to trust
governments.

~~~
charonn0
The advantage of a cloud provider is that you can unilaterally sever the
relationship without serious penalty.

~~~
B-Con
You can? Migrate _everything_ from Google to Apple. Then check back in 5 years
and see if it's as painless.

That was one of the author's points. We're becoming a culture where you pretty
much buy into one provider or another provider. One of his assumptions was
that it's only going to get more locked in and more difficult to switch. His
conclusions were thinking about the future based on those assumptions.

~~~
charonn0
I never said painless. However, Apple doesn't have (yet) the power to imprison
or execute anti-Apple subversives.

Vive la résistance!

------
debacle
Nothing is going to happen with digital security rights so long as the NSA
wants to be able to store everything indefinitely and we have a Congress that
can't even agree on more critical issues like the budget.

It won't be an issue unless people make it, and for most people security isn't
even a consideration.

------
saturdaysaint
repost - <http://news.ycombinator.com/item?id=4831842>

