Friday, August 22, 2014

No, Wired - The Internet is Actually Pretty Safe

Wired ran this article today:

The Internet Is Way Too Fragile and Insecure. Let's Build a New One

Featuring this:

You may have had the bad luck of being stuck on a runway when a router failure in Utah grounded commercial flights around the country for several hours. Or maybe you were frustrated by not being able to access government websites the day the .gov domain administration had a glitch in its system. These minor mishaps over the past decade are early rumblings of an uncomfortable truth: The Internet is more fragile than it appears.

The problems with the .gov websites and the FAA were caused by accidents, but such accidents can have widespread effects. In 2008, censorship efforts by the government of Pakistan unintentionally caused YouTube to become inaccessible throughout the world. In another incident in 2010, much of the Internet was rerouted through China for a few hours, including traffic between US military sites. China Telecom plausibly claimed this was also an accident, but scenarios like this could be easily arranged.

Well, two main problems here:

1. As the article admits, those were human errors. A secure internet is never going to fix PEBKAC.
2. You may remember that recently there were reports of a Russian gang stealing over a billion passwords. Bruce Schneier, world-renowned security expert, had this to say in his recent Cryptogram:

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it's all okay. This is a weird paradox that we're used to by now.

On this count, I am going to side with Schneier.


9th Circuit Takes Closer Look at Arbitration Clauses in Browsewrap Agreements

This decision was handed down the other day by the 9th Circuit, which, for those who follow such things, covers all of California, and is of extremely high importance for the entire tech industry as a result.

Let's summarize why it is important:

1. Browsewrap contracts have traditionally been upheld as valid by the Courts - this means that when you click "I Agree" when signing into a website or installing a piece of software, you are, in fact, agreeing to the dozens of pages of legalese you absolutely have not read.

2. Recently, big companies have been inserting a variety of very troubling, anti-consumer clauses into such contracts, including mandatory arbitration clauses and waiver of right to join class action suits.

(2) has been very troubling, because recently, the Supreme Court basically upheld the notion that by entering a shrinkwrap or browsewrap contract, you can agree to waive your right to participate in a class action suit, and instead have the dispute move to arbitration. This is bad for consumers because, as customers of corporations themselves, arbitration bodies have a very strong incentive to side with corporations over consumers in order to get repeat business.

What is interesting in the above linked case, however, is that the Court basically said that an arbitration clause itself, as opposed to a clause about waiving the right to participate in a class action suit in favor of arbitration, was being thrown out, with the reasoning of "Seriously... who reads those things!?" In other words, the Court said that a browsewrap contract that doesn't bring the mandatory arbitration clause to the forefront gives insufficient notice to the consumer - a very interesting ruling.

SCOTUS is the next step on this particular train - as it has the ability to undo a troubling history of the overreach of browsewrap contracts. It is yet to be seen how SCOTUS will rule on it - given the very pro-corporate history of its rulings on browsewrap and shrinkwrap agreements, I'm not holding my breath - but this decision has the possibility to wind back the clock a few steps in favor of the average web consumer. It may also turn out, however, that the next time you buy something on B&N you agree once to a clickwrap contract - and then hit "I Accept" a second time specifically when agreeing to arbitration language. Only time will tell.