Threat Models and Domination Systems
Are you afraid of Big Brother? Are you concerned that secret spy satellites monitor your every communication, from greeting the first person you see in the morning to shutting down your Mac after a long day of using email and the Web? I’m not, though some people are. And what’s more, I’m still not personally concerned about Big Brother despite spending a few days at the mecca of privacy – this year’s Computers, Freedom and Privacy (CFP) conference in Toronto.
Should you be concerned about Big Brother? Perhaps; perhaps not. I’ve long been slightly bothered by my lack of concern for my personal privacy. Perhaps it’s because the life I’ve chosen gives me public stature only in a virtual world. It may also be that my opinions are so well known that revealing my private communications to the world would be at most embarrassing. Of course, I also feel that I have little to hide.
None of this means I don’t place value on personal privacy. The mass media spotlight aimed at the personal lives of public figures shows at best an utter professional lack of manners and at worst a moral bankruptcy. In my (perhaps naive) world view, everyone is entitled to some level of privacy, and that entitlement is so basic that it shouldn’t be something we have to worry about on a regular basis.
Would that it were so.
Hyenas & Big Brother — Novelist Neal Stephenson (author of Cryptonomicon and other well-received cyberpunk novels, including the classic Snow Crash) gave a keynote at CFP that brought into focus the reason I wish I was more concerned about security. The heart of his talk looked at "threat models" – simple pie charts he used to express the things that worried people. Neal claimed that early humans suffered significantly from the depredations of hyenas, which, he said, tended to attack the belly area, rather than the throat. In short, it’s a bad way to die, and regardless of the anthropological and paleontological accuracy of the claim, this scenario allowed Neal to construct the first threat model used by early people. It consisted of a pie chart, 95 percent of whose volume was labeled "Hyenas," the remaining 5 percent marked by an "Other" label. The point is that early people spent most of their time worrying about hyenas, and relatively little impinged on that concern, no matter that this fear was disproportionate to the relative threats of hyenas compared to lions, Giardia, or neighboring tribes.
Fast forward to the present. Informed by George Orwell’s novels of totalitarian regimes and nurtured by very real government intelligence abuses across the globe, many people have developed a threat model that replaces hyenas with Big Brother, the all-knowing, all-seeing government of George Orwell’s "1984." Other concerns exist, but none compete with Big Brother. It’s within the confines of this threat model that most of the rhetoric about privacy emanates, and the single-mindedness of this threat model explains precisely why many of the rest of us find that rhetoric unrealistic and overblown. We may worry about Big Brother, but we also worry about many other things.
Neal explained those "other things" by borrowing some terminology from Walter Wink, who coined the term "domination systems" while writing about the effect of authoritarian structures on individuals. In essence, a domination system is any authoritarian group that has the capability to exert power over you. Domination systems, in the abstract, are morally neutral, although specific domination systems, like Big Brother, may not be; they can do both good and evil, and if they do evil, they can make up for it. Big Brother is all-encompassing, whereas domination systems have edges – you can move from the area of influence of one domination system into another, or the boundaries of the systems may change on their own.
Neal then cited, as an example of interaction among domination systems, the story of John Brodeur, a whistle-blower at the Hanford Nuclear Reservation in eastern Washington State. On his way to work one morning after he’d gone public with allegations of hazardous waste leakage, Brodeur was tailed to a Hanford parking lot by a menacing "road-rager." During the confrontation in the parking lot, Brodeur drew his handgun, which caused onlookers to call the local police. The point is that two domination systems (menacing thug and the Hanford establishment unhappy about Brodeur’s whistle-blowing) merged when it turned out that the "road-rager" was in fact an employee of Hanford security. Furthermore, another domination system (the local police ostensibly coming to arrest the pistol-packing Brodeur) ended up neutralizing the threat of the road-rager when they arrived and, after seeing Brodeur’s concealed weapons permit, let Brodeur on his way. (Neal noted ironically that, were the story fiction, he could never have gotten away with endowing the road-rager with a hook in place of one hand – apparently a true detail!)
To tie it all together, the majority of us have a threat model whose pie chart may include Big Brother, but is filled mostly with a variety of different domination systems. We worry in small ways about our employers, the airline whose planes we most regularly use, the HMO that controls our health care, the electric companies that provide power to our houses, and the banks that safeguard our money. Even when governmental organizations appear in the threat model pie chart, they’re often seen independently, as would be the case for people in the U.S. who worry about their property tax assessment, the effect of being ticketed by the police in the local speed trap, and the safety of drugs approved by the Food and Drug Administration.
Guns & Crypto — The problem this multifaceted threat model presents to the privacy community is that normal people simply don’t care sufficiently about any one threat. Sure, everyone is generally in favor of medical records remaining private, but how many people have read through their entire file at the doctor’s office? And how many of those people know the rules regarding the distribution of that information? None of this means that privacy of medical records isn’t tremendously important, but for a variety of reasons, that section of the threat model’s pie chart is small for many people.
You can apply this lack of concern with medical records to any other aspect of privacy, and you’re likely to find a similar approval of the generalities but apathy regarding the specifics. This apathy manifests itself in the trouble that privacy technologies have faced in gaining widespread adoption. For instance, in the real world Tonya and I recently mailed a packet of financial information to our accountant so he could prepare our taxes. For some unknown reason, the envelope took almost six weeks to travel the 25 miles between our house and his office, leading us to believe it had been lost in transit. Needless to say, we were upset when we heard that he hadn’t received the packet, since it contained copies of our financial records from 1999, but we weren’t sufficiently upset to use a more reliable method of delivery for the replacement package (which ended up arriving before the original).
The same level of apathy affects use of PGP encryption. I have an older version of PGP installed on my Mac, and I’ve even used it within Eudora several times when sending passwords around, but it’s simply too much work for me to encrypt anything less sensitive than passwords to well-known computers accessible via the Internet.
Crypto suffers from other problems as well. First off, if your threat model gives Big Brother top billing, you’re probably ignoring other threats. As Neal dryly noted, solving the hyena threat model with improved weapons probably extended the average lifespan of an early human by about three weeks. Similarly, concentrating all of your energies on encrypting your communications can’t leave much room for handling other threats, privacy-related or not. Second, Neal quoted security expert Bruce Schneier in saying that using PGP with an extremely strong key is akin to protecting your house with a fence composed of a single picket a mile high. No one will get through that picket – but they can just walk around it.
(A quick aside: PGP’s inventor, Phil Zimmermann, who was also at the conference, got up after Neal’s keynote and agreed with the picket analogy, and then asked why the encryption system Neal used in Cryptonomicon was given a fictitious name. Neal replied that if he used the real name, he would actually have to bother with making its use accurate.)
Where To? This may all sound dismissive and thoroughly defeatist, but I think a threat model concerned with multiple domination systems offers the clue we need to improve privacy across the board. The difference between the Big Brother worriers and those of us who are equal-opportunity worriers is that Big Brother worriers have often been driven by their concerns to act. They use crypto; we don’t. They never let their Web browsers accept any cookies; we prefer easy shopping. They refuse to provide their actual name and address on forms; we just fill in the silly things.
So far the most common approach used by the privacy extremists is public education, or the attempt to modify our threat model by increasing the size of one of the sections of the pie chart. If you assume that the threat model is the amount of time or energy spent worrying, an increase in the size of one section must require either a decrease in another section or an overall increase in the size of the pie. The first possibility is unlikely, since I’m not going to worry less about my HMO just because you tell me that the U.S. National Security Agency can read my email. And the second possibility is equally problematic – we’re all short on time and energy as it stands, so trying to convince us to spend more time worrying is a hard sell. Worse, I think the public education approach tends to create a "boy who cried wolf" scenario: relatively few people can point to privacy abuses in their own lives, so the constant warnings of potential abuses tend to desensitize us and minimize the otherwise worthy message.
The recent problems with security certificates expiring in older Web browsers highlight this issue, since users can just continue through the confusing warnings and complete the transaction with no loss of security. However, continuing through not only neutralizes the only assurance that the vendor isn’t a fraud, it also adds to the sense that the warnings are almost always false alarms. Moreover, many smaller merchants defeat the original point of the security certificate by using their ISP’s certificate; you’ve learned nothing reassuring about the authenticity of the site if you think you’re reaching "ishopalot.com" and you get an alert that instead identifies the vendor as "superduperhighspeed.net."
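As an added illustration of the two checks that sit behind those browser warnings (example code written for this article, not from the original; the certificate fields, names and dates are constructed), here is the validity-period and hostname logic that a click-through silently discards:

```python
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so validity dates are unambiguous (UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed example: a certificate issued to the hosting ISP, not to the
# merchant whose site the shopper believes they are visiting.
ISP_CERT = {
    "subject_cn": "superduperhighspeed.net",
    "san_dns": ["superduperhighspeed.net", "*.superduperhighspeed.net"],
    "not_before": utc(1999, 6, 1),
    "not_after": utc(2000, 6, 1),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive name match. A single '*' is accepted only as the whole
    leftmost label, the rule browsers apply, so '*.example.net' matches
    'shop.example.net' but not 'example.net' or 'a.b.example.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_warnings(cert: dict, hostname: str, now: datetime) -> list:
    """Return the warnings a browser would raise for this cert on this site.
    An empty list means the certificate actually vouches for the name now."""
    warnings = []
    if now < cert["not_before"]:
        warnings.append("not yet valid")
    elif now > cert["not_after"]:
        warnings.append("expired")
    # Subject Alternative Names take precedence; fall back to the CN if absent.
    names = cert.get("san_dns") or [cert["subject_cn"]]
    if not any(dns_name_matches(n, hostname) for n in names):
        warnings.append(f"hostname mismatch: certificate is for {cert['subject_cn']}")
    return warnings
```

With this certificate, a visit to "ishopalot.com" produces only the hostname-mismatch warning while it is still valid, and a visit to the ISP's own site after June 2000 produces only the expiry warning; the point is that the same dialog box covers both, so users learn to dismiss both.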
Clearly, then, solutions must fit within the size of our existing threat models. We won’t expand any one section, and we won’t expand the size of the pie. The only approach is to simplify privacy protection technologies and systems and build them into everyday tools. For instance, if I didn’t have to go to extra effort to encrypt my email – and my recipients didn’t have trouble decrypting it – then I’d be happy to keep all of my email communications encrypted. Similarly, if using Mac OS 9’s Keychain to store passwords didn’t interfere with my long-established manners of working (and more applications supported it) I’d be happy to use the Keychain more consistently.
Some efforts are being made in this direction; increasingly well-financed companies, like Hush Communications, Network Associates (owners of PGP), PrivacyX, and ZeroKnowledge, are attempting to build such easy-to-use tools with varying degrees of success (particularly with respect to producing Macintosh versions of their products).
There is another way of helping the privacy situation. Improved privacy legislation, pushed through by the privacy community and well-publicized by the mainstream media, could have the effect of reducing the size of a section of the pie, which would then allow someone to devote more time and energy to another section. Or, even better, help us shrink the size of our threat model pies overall so we can devote that time to more productive or enjoyable activities.
To the privacy community then, a challenge. Simplify your tools, improve your documentation, evangelize software makers to include privacy technologies, and generally make privacy something that requires minimal effort and attention. While you’re at it, continue lobbying for improved privacy legislation and increased media coverage. But my suspicion is that you’ll have to do all these things because you believe in them, not because the general public will applaud or even necessarily recognize your efforts. Your results will have to be reward enough.