Hey everyone and welcome to Seriously Risky Business. I'm Adam Boileau. I'm joined by my colleague Tom Uren, author of Seriously Risky Business, the newsletter. How's it going, Tom? Good, Adam. How are you? I'm doing well, doing well.
This week's episode is brought to you by Socket, a company that makes tools to help you manage the very thorny thicket that the software supply chain has become, especially in the open source world. And this week you talked to Feross, who's the co-founder and CEO of Socket.
And one of the things I really liked about that conversation you had with him is Feross really gets it. Like, he's an open source maintainer and he understands the realities of what that means. Yeah, I thought it was very interesting talking to Feross. Yeah, he's a smart cat. One of the things he wrote about this week was...
some really quite sensible sounding regulations coming out of the United States Federal Trade Commission and Federal Communications Commission. It's been a long time coming, but it feels like we're finally getting there with regulation. What do you think? Yeah, so I wrote about a speech by the director of the Bureau of Consumer Protection at the FTC. The director's name is Samuel Levine, and he
gave a speech recently that basically laid out, I guess I'd call it the philosophy or the thinking behind what the FTC is trying to do. And I was...
pleasantly surprised by how much it made sense. And so a couple of the elements that stuck out to me were, first of all, there's this procedure that you do when you sign up to any kind of online service where they present you with 78 or more pages of terms and conditions and you press agree and
Have you read them thoroughly and consulted your legal representative? Yes. You know, once you use, like, say, Gmail or anything like that, after a number of years, you get rusted on and they just change the terms and conditions. So what are you going to do, right? Are you going to move your entire platform, stop receiving mail just because there's a new 78-page terms of service? Yeah, and he rightly calls this a fantasy world.
Divorced from the reality of how people live or how firms operate. And so the conception is that you're given all the knowledge you need to make a decision and then you can say yes or no. And so that's what he's talking about as a fantasy world. And he says it's a way for companies to give invasive data practices a thin veneer of legitimacy. I thought, yes, that's spot on. Yeah, exactly.
People don't have the time or the expertise to read. And so I think that putting the finger on that as a problem, I think that's right. Yeah, because if you go to the supermarket and you're trying to make informed choices about the product you're going to buy, you can pick up the packaging, you read the ingredients, you decide, yes, I'm allergic to nuts, I can't buy this or whatever else. It's a point in time choice for a product that doesn't change. It's not like you buy...
you know, a box of cookies and then those cookies last for 15 years and you build an ongoing relationship with them and then the ingredients change after you've bought them, you know, and that process just doesn't work for...
long-term services. So yeah, I think it's a great thing to hear someone in a position of regulatory power say that this is a fantasy. Yeah, and also there's not much choice. So it's not like the supermarket where you've got different brands and you can choose different brands and there's a meaningful...
amount of choice. So there's sort of the two sides: you can't understand the terms and conditions, or you don't have time, and, like, what are you left with anyway? Like, are you going to become a digital Luddite? And for the vast majority of people that's just not practical. No, I mean, if you're trying to find a job these days, can you avoid being on LinkedIn?
Probably not, right? You have to agree to those terms and conditions if you want a job. Yeah. And another thing that stuck out to me was he mentioned dark patterns. So that's the idea that there's manipulative user interfaces where it's very hard to make a choice that may well be in your interest. So the choices that are in the company's interest are very easy to pick out and
choose. So one of the examples is the FTC acted against Amazon, and Amazon had a process where it was very, very difficult to unsubscribe from the Amazon Prime subscription service. And it says in the complaint on the case, the FTC alleges that the primary purpose of the Prime cancellation process
was not to enable subscribers to cancel, but rather to thwart them. Which I 100% believe, right? And anyone who's ever tried to unsub from anything knows that feeling. And it's not just Amazon. So the new... Like...
Newspaper subscriptions, you know, they get you in on very cheap terms and then to unsubscribe you have to ring up during business hours for some other time zone. The Amazon unsubscribe process, the code name was the Iliad, which is Homer's epic about the Trojan War that went for 20 years. Yeah.
It's pretty on the nose, isn't it? Yeah, so I thought that was interesting. And part of his speech, Levine says that, you know, it's not just us. Like there's Republicans, there's Democrats, there's lawmakers, there's other regulators that all have this same approach. And I thought, okay, that's interesting. Is that actually true? And I looked at the American Privacy Rights Act. So that's the most recent
possible federal US privacy legislation, and it hits on all the exact same points as the FTC does. So yes, he is reflecting the broader thinking of the legislature, other regulators. And so I think that is a strong signal that those are the kinds of elements that people will be focused on. And it's not just those. There's also data minimization,
which I really like: you can collect people's data, but only what you need. And it's got to be for particular reasons. And if you don't need it, you have to get rid of it. There's a whole lot of other elements in the legislation, but that all kind of makes sense. Yeah, that sounds pretty sensible. Certainly, the US does need some kind of, you know, overhaul of the privacy legislation. One of the things you wrote about was
the FCC fining US telcos for selling location data, right? And that's a thing that, you know, as a consumer, if you sign up for mobile service, you didn't understand that your location was being sold and, you know, having some kind of, this is what regulations and regulators are for, you know, helping us make choices. In fact, the backstory to that is that there was regulation in 2007
that said that if you wanted to sell that kind of data, you needed to get consumers' affirmative consent. So if you were full bottle on all that regulation, you would assume that your data was not being sold because you didn't give affirmative consent. And it was just shipped out the back door despite that regulation. So it's
I think the whole problem is that there's just this very permissive culture about how to deal with data. So you hear from startups that they get telemetry on the way that people behave and they talk about it as if it's their data. Like, you know, we can do stuff with this and it's really good for our business. And it is, but also like there's other people involved...
And they also have an interest in what happens to that data. Are we going to see more sensible legislation, do you think? Or beyond regulation, into actual legislation like that privacy act, the APRA, you're talking about. Is that likely? Or is it going to survive contact with...
the legislative process and lobbying? Well, so the story is that it is bipartisan and also people in both the House and the Senate agreed to the draft. So that's a positive sign. That said, people say it's the best chance.
And so I've written over the last few years about different possibilities. And I've always, you know, had some hope that it might pass different types of privacy legislation. And they never have so far. So who knows? I mean, I guess the message is that even if the legislation doesn't pass, regulators will try and aim for the same results.
like trying to achieve the same things. Now, that's a lot harder when you're just pushing regulation because there's more grounds for court action, whereas with legislation there are fewer grounds, not no grounds, but it's a bit easier. Yeah, and overall that sounds reassuring because even if they don't get a GDPR-style omnibus
privacy legislation, you know, at least the regulators are chipping away at the problem in, you know, smaller steps. So that feels like progress. Well, like, it even to me feels better than the GDPR, because as far as I can tell the only effect of the GDPR was to get cookie notifications. Like, that achieved nothing. I'm so sick of cookie notifications.
Staying with kind of regulatory process, another thing you wrote about this week was pushback from a trade group that represents a number of cloud providers
against kind of rumblings about maybe introducing know your customer requirements for cloud services. And, you know, the fact that you can rock up to, you know, Amazon or Google or Microsoft and just, like, buy their computers for a while with a credit card and not much else, you know, there are a bunch of harms that can come from that kind of thing. So, yeah, tell us about KYC for cloud.
Yeah, so I think the key that you hit on there is that there's a bunch of harms that can come from it. And so if you could rent computers in an entirely harmless way, never hurt anyone, you know, it would be fine. Why do we care? Go for it. It's like renting, I don't know, puppy dogs to pet or whatever. I wish you could do that. That sounds great. But the problem is that those computers...
can be used to do harm and people are deliberately renting US domestic cloud infrastructure in order to run operations in the States. And so the thought there is that there's less ability for US organizations to monitor domestic traffic. The justification cites theft of intellectual property, espionage and targeting of US critical infrastructure.
So those all seem very good reasons for cloud companies to be expected to do something, like to try and reduce that threat. Now, the question is, is KYC the best possible thing they could do?
Or is there some other program that they could be expected to do that would be cheaper, better, more effective? Yeah, I mean, it's certainly a possible approach. But yes, best is hard, isn't it? Yeah, well, who knows, right? And what would that even look like? And I guess people look to banking. Yes. Where, you know, it's the same sort of thing. People do...
stuff in the banking system that harms people broadly. So that's money laundering, fraud, enabling the drug trade. That's the sort of external harms that come. Now, the similarity is that an amoral bank and, like, I'm not calling out any particular bank, but corporations are sort of in a way amoral, in, you know, if it makes us money and it doesn't hurt us, what's the problem?
And those sorts of corporations in general mostly need to be forced to do things that are in the public good when it doesn't harm them. So banks do a tremendous job against fraud that's targeted against them personally. But sometimes they need encouragement.
to sort of deal with those broader harms. And I think it's the same principle here. And so people look at the banking system, and know your customer, KYC, is what people have implemented there. And so, you know, are banks the same as cloud companies? No, they're not the same, but that's something that's worked at least to some degree there. So it seems to me like you should do something.
We know KYC works in a different environment. Let's at least give it a go. I know I've used plenty of cloud things for, well, I mean, I was authorized, so like I wasn't doing a crime, but as far as the cloud service provider is concerned, like I was probably violating terms of service and so on. There's also a similarity to domain name registration. Yes. Where even though the requirement to like actually know your customer is very, very low, you
that information is still very, very useful for tracking down badness. Even just because people, like, you know, they use the same email addresses, they use the same contact numbers, without any stringent requirements. So, you know, I think it's worth trying. I agree. And I think the example of domain names is an interesting one too, because, like, you know, you think about how many things Brian Krebs has Krebsed
through that kind of analysis, even though it's, as you say, very flimsy KYC. Yeah, even flimsy seems like it might be useful in the cloud environment. So, yeah, we will see. Like, I mean, this is still pretty early days, and of course a trade group representing cloud providers is going to be like, well, you know, we don't want extra complexity and cost, but
I'm sure the finance industry said the same thing, you know, when KYC was being shoved down their throats as well. So yeah, we'll see whether that progresses. You wrote up some concerns in the US about the Chinese drone manufacturer DJI, which for me, the interesting point was you drew a line between them looking at DJI and what
whether we're going to see that for Chinese-made vehicles, electric vehicles being very, very similar to airborne drones. There are lots of sensors. They drive around. They're connected to the internet. And that, as a Chinese electric car owner, was interesting to me. Yeah, so the sort of flip side is that in the PRC,
the Chinese government has banned Teslas from certain locations, so military bases and government-affiliated venues.
And so it doesn't seem to me that a drone is all that different from a car, like, you know, whether it flies or drives. And in fact, you know, one of the capabilities of DJI drones, which is both reassuring and worrying, is that there's like geo-banned or geo-blocked areas that are no-fly zones. And so I think they're around...
airports and probably military bases, I'm guessing. I'm not entirely sure. But it's reassuring because you can't fly them near an airport. Great for aviation. But it's also concerning because the way you get those geoblocks is by talking over the internet to some server in, I don't know, Shenzhen or wherever. And so the US...
CISA has warned about the use of DJI or Chinese manufactured drones in national security and critical infrastructure.
And I think there's also a sort of part of industrial policy here. There's legislation to potentially ban the Chinese-made drones, and it's not mentioned in the legislation, but drones have become such a big part of warfare in Ukraine that it actually does make sense to invest in building an indigenous capability, I think. Yeah, I think so. I remember you and the Grugq talked about
a case in Ukraine where the Ukrainians owned the system that reflashed the DJI drones with custom firmware that the Russians were using? Yeah, that's right. So it is very much tied up with the stuff. But of course, the fact that they already have to do that to put combat firmware on these drones, we always end up with this kind of conflict between which of these is security in the...
you know, technical sense and which of these is geopolitical competition and trade, you know, trade war kind of stuff. And the lines are a bit blurry. Yeah. I think it's even worse for cars because the US has a domestic car making industry and I'm sure they don't want it to get wiped out by cheap Chinese EVs. Now I'm in Australia, and domestic car manufacturing ended
quite some decades ago. So from a security point of view, I'm fine with having cheap Chinese EVs. We all get to drive around in cheaper, nicer cars. And if you're a particularly important person, maybe just...
Buy a different car? Ban them from certain sites? That's fine. I think that's probably about us for today, Tom. Thank you for joining me to talk through the newsletter. If you'd like to read it, you can go to news.risky.biz and check out Tom's work. There's plenty of great content in there for you to read. So yeah, thank you for your time, Tom. And I will speak to you again next week. Thanks, Adam.