License to *

Do you own your mobile device? What is the right amount of ownership for a corporation to have over a device, versus the amount of ownership the user has? I think any user would understand, if not accept, a certain level of ownership that allowed the company to do things like maintain a warranty on the device, and enough control over the software that they could send updates for security or functionality reasons.

But what happens when the company wants more control? What happens when a company (like Verizon) wants to tell you that you’re a tenant – that you’re not the owner of that device, just its current tenant? This isn’t done for no reason; I’m sure Vzw considers it “saving the user from themselves”, but it seems to be giving up a lot. Really, it should be fine as long as the user is able to revoke that level of control – sacrificing their warranty and any guarantee of updates to claim full ownership over the device. If we’re not able to exert full control over our devices, I would say we should shop elsewhere.

Ultimately, like most things, I have more questions than answers.

A Response to WH.Gov’s request for more information

I’m sure it could have been better, but here’s what I sent:

The American economy increasingly runs on top of the technology industry, the former using the latter to establish communications channels between transaction partners that can be trusted with the most important thing in capitalism – capital itself.

Our economy can be broken down to an incredible number of transactions. Capital (in the form of information about an amount of money being subtracted from one bank account and added to another) is exchanged for other information – a purchase order signifying that goods are exchanging hands, information in the form of digital goods sent in exchange, or invoices for services being rendered. For a transaction of any type to have any utility it must be confidential, authenticated, consistent, available, and possessed solely by the transacting parties. Many of these tenets are undermined by the lack of strong encryption.

When a company uses backdoored encryption for production transactions, all it takes to destroy trust in that company is the backdoor being published on the internet. This is an inevitability – criminals can and will hack their way into highly protected information as in the OPM breach. Even without a hand from criminals, things like the TSA Master Key leak happen. And even without leaks, there will be research done on the weakened algorithm, to ensure it is not susceptible to attack. This continual research on existing algorithms can discover the backdoor, as was the case with Dual EC DRBG.

After it is exposed, everything is vulnerable. In the case of online e-commerce transactions, this may not be terrible on a case-by-case basis – fraud protections can be utilized to make consumers and/or banks whole again. But quickly a proof of concept will make it into the wild. Soon after, there will be automated attacks. And finally, soon after attacks are automated, viruses will be created and botnets built that will decrypt every e-commerce transaction on the internet. E-commerce will cease to be a bankable business model, and the American economy goes back to the 90’s.