<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Fabien Imbault]]></title><description><![CDATA[personal blog about software, digital identity, authentication, authorization, open source, ietf gnap]]></description><link>https://blog.fimbault.com</link><generator>RSS for Node</generator><lastBuildDate>Wed, 13 May 2026 10:52:02 GMT</lastBuildDate><atom:link href="https://blog.fimbault.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[Lessons learned from our MedIAM project]]></title><description><![CDATA[According to cybercrime magazine, “healthcare suffers 2-3X more cyberattacks than the average amount for other industries”, because the data has more value for hackers. Cyber regulations such as the EU cybersecurity act provide mandatory requirements...]]></description><link>https://blog.fimbault.com/lessons-learned-from-our-mediam-project</link><guid isPermaLink="true">https://blog.fimbault.com/lessons-learned-from-our-mediam-project</guid><category><![CDATA[iot]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Thu, 29 Apr 2021 10:25:15 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1619691617435/er_6KOrAv.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>According to cybercrime magazine, “healthcare suffers 2-3X more cyberattacks than the average amount for other industries”, because the data has more value for hackers. Cyber regulations such as the EU cybersecurity act provide mandatory requirements to protect sensitive information and systems. 
Beyond traditional clinical systems of electronic health records (EHR), it remains really difficult to extend that line of requirements to connected devices people carry around as part of their treatments. If those medical devices aren’t properly secured, people may unknowingly be broadcasting their health status, as well as much other sensitive personal data, everywhere they go. Or even be directly harmed by hacked devices. Existing protocols available for IoT are unable to meet the complete requirements from regulators. In the current proposal, we provide an open source pilot implementation of how an equipment vendor should protect the functions and data of their medical IoT devices, and look at how to manage the identities of connected devices.</p>
<p><em>Keywords: entrepreneurship; digital identity; IoT; healthcare</em></p>
<p>As serial entrepreneurs, working on the next opportunity is a peculiar moment. The time when you can reflect on past experiences. When you get to figure out where you might make a difference, and where your efforts will be focused for the next 10 years. That preliminary research is a lot of hard work, from new ideas to technical prototyping. Having our open source project sponsored by the <a target="_blank" href="https://www.ngi.eu/ngi-projects/ngi-trust/">EU's Next Generation Internet</a> is a fantastic opportunity to discuss with our peers and disseminate those findings.  </p>
<p>During the pandemic, digital platforms have helped keep the population safer, for instance via the remote tracking of chronic respiratory diseases or other co-morbidities. This has led to an increase in the number of telehealth solutions and of medical devices being deployed in the field. We started by analyzing past security breaches.</p>
<p>The results show that healthcare boasts one of the highest average rates of severe security findings. Not all types of healthcare organizations share the same struggles. Because they’re still operating in closed legacy environments, hospitals are able to maintain their level of cyber hygiene, compared to ambulatory or nursing care facilities. In the current state of affairs, integrating with SaaS vendors or third-party connected medical equipment increases the risks, because most of them exhibit an inverted ratio for exposure relative to their internet surface area. 
The industry should therefore put more emphasis on privacy-and-security-by-design as an integral part of their duty of care. And it will. Because public regulators, both in Europe and overseas, have acknowledged the vulnerability of those sensitive information systems and data, with new requirements taking the force of law. </p>
<p>Despite those well-established challenges, finding the right product-market fit has proven difficult. During our interviews with industry participants including CISOs, IT professionals, biomedical engineers, third-party vendors, healthcare professionals and patients, a siloed approach to innovation appeared. Most of the participants took improvement actions, but had the feeling of institutional resistance from their other counterparts.
A way to reconcile those initiatives was to put medical efficiency at the center. People didn’t care much about network segmentation or machine identity, but were asking very pragmatic questions: what’s our inventory of medical equipment? Is it well used and maintained? How can a remote maintenance process be integrated into the medical activities, and how would the various stakeholders, and the end-users in particular, be involved and benefit from it? How do you handle the large majority of devices that can’t be updated? So we designed various experiments to test our hypotheses.   </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1619691464426/OWOFTOVgj.png" alt="Selection_685.png" /></p>
<p>This had a profound impact on our technological choices. When implementing the security protocols, this helped us focus on a human-centric approach. 
Apart from those field discoveries, the project followed its course as planned. We implemented minimum viable product experiments, had three peer-reviewed research articles accepted, published some dissemination blog articles, updated an upcoming IETF standard and published a patent. </p>
<p>The NGI Trust helped us a lot in our journey, as it offered great mentorship and advice from recognized experts, from both the technical and business perspectives. We also greatly appreciated the focus on how to build upon an open source strategy. </p>
<p>The public documentation is available at <a target="_blank" href="https://app.gitbook.com/@mediam/s/mediam/">mediam</a></p>
]]></content:encoded></item><item><title><![CDATA[Managing authorization grants beyond OAuth 2]]></title><description><![CDATA[This blog article is a longer, preprint version of a peer-reviewed article co-authored with Justin Richer and Aaron Parecki, which has been accepted as a short paper at the Open Identity Summit 2021. The final paper shall be published by LNI.
Summa...]]></description><link>https://blog.fimbault.com/managing-authorization-grants-beyond-oauth-2</link><guid isPermaLink="true">https://blog.fimbault.com/managing-authorization-grants-beyond-oauth-2</guid><category><![CDATA[authorization]]></category><category><![CDATA[oauth]]></category><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Mon, 26 Apr 2021 14:50:29 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1619442192029/p7-0k3OiL.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>This blog article is a longer, preprint version of a peer-reviewed article co-authored with <strong>Justin Richer</strong> and <strong>Aaron Parecki</strong>, which has been accepted as a short paper at the <a target="_blank" href="https://oid2021.compute.dtu.dk/">Open Identity Summit 2021</a>. The final paper shall be published by <a target="_blank" href="https://gi.de/service/publikationen/lni">LNI</a>.</em></p>
<h2 id="summary">Summary</h2>
<p>The Grant Negotiation and Authorization Protocol, also known as GNAP, is currently being formulated in an IETF working group. Its objective is to take into account the experience from OAuth 2 and its large ecosystem. GNAP therefore gives the opportunity to reflect on the strengths and weaknesses of existing authorization frameworks (and OAuth 2 in particular), and highlights the new directions to improve digital access. We compare with the approach taken by OAuth 2 and show that designing authorization servers primarily as “token issuers” has insightful consequences for security and privacy. </p>
<p>Before we dive into the serious stuff, you should know that GNAP is already widely used by <a target="_blank" href="https://en.wikipedia.org/wiki/The_Purple_Smurfs">some smurfs</a>.</p>
<h2 id="lessons-from-oauth2">Lessons from OAuth2</h2>
<h3 id="a-short-history">A short history</h3>
<p>The year was 2012, and an authorization protocol called OAuth 2 (Open Authorization 2) swept the web, allowing users to use security providers to easily log in to websites. Coupled with OpenID, OAuth 2 enables an end-user to “authenticate with” one of their providers (Google, Facebook, GitHub, etc.) to a completely different website or application, therefore reducing the need to define yet another password. </p>
<p>OAuth 2 aims to solve the delegated authorization problem. Delegation happens when a third party application, acting on behalf of a natural person, requests access to a protected resource. The naive way to solve this problem is for the natural person to give their password to the third party, but sharing passwords is a security risk and must be avoided. OAuth 2 defines flows to grant access without having to share secrets. 
A typical flow (figure 1) between a client application and an authorization server involves a redirection to ask the consent of the resource owner, before an access token can be used to access a protected resource. </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1619442526374/BR69N9im1.png" alt="Selection_664.png" />
Fig. 1: high-level OAuth 2 flow (source: [Ri17]) </p>
<p>Solving the delegation use case had such an impact because OAuth 2 landed at a time when Application Programming Interfaces (APIs) really became mainstream. In 2020, 83% of the internet traffic was due to APIs (compared to the remaining 17% through HTML). Cloud based companies in particular found it convenient to better secure the access to their protected API endpoints. As Gartner points out, this trend is accelerating [Ze19]: “90% of web-enabled applications have more surface area for attack in the form of exposed APIs rather than the UI, up from 40% in 2019.” </p>
<p>Relying on a common framework enabled easier integrations across services too, as exemplified by the widespread use of Zapier amongst software as a service providers. It also reduces the risk of vendors inventing their own security mechanism.
Most major services now support OAuth 2, often associated with OpenID Connect for single sign-on. OAuth 2 is heavily used to protect API-first services, such as open banking (and the related PSD2 regulation in Europe). The decade of experience with OAuth 2 and its extensions was recently consolidated into an OAuth 2.1 draft version. If approved, this update will obsolete certain parts of OAuth 2.0 and mandate security best practices (as described in [Pa19]).  </p>
<h3 id="ecosystem">Ecosystem</h3>
<p>The “core” OAuth 2.0 spec, RFC 6749 [Ha12], isn’t a specification; it’s a “framework” you can use to build specifications from. It defines roles and a base level of functionality, but leaves a lot of implementation details unspecified or optional. The IETF OAuth Working Group has published many additional specifications (figure 2) to fill in the missing pieces. Implementers need to decide which grant types to support, whether or not refresh tokens are one-time use, and even whether access tokens should be bearer tokens or use some sort of signed token mechanism. 
One critical extension is OpenID Connect, which defines an ID Token for returning user information.  </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1619442608892/sDPV7mear.png" alt="Selection_665.png" />
Fig. 2 : OAuth 2.0 as an extensible framework (source : [Pa19])</p>
<p>This maze has often been cited as the biggest failure of OAuth 2, but the extensibility it shows also explains why OAuth 2 has been successfully deployed at scale. </p>
<h3 id="pilars">Pillars</h3>
<p>OAuth 2 has been designed through an open standardisation process, managed by the IETF. OAuth 2 wasn’t the first authorization protocol. As the name suggests, OAuth 1 came before, and the two versions are not compatible. OAuth 1 had custom methods to deal with various attacks. Instead, OAuth 2 delegates its security model to the HTTP/1.1 protocol (and TLS) and makes it easier to carry out a formal analysis of its guarantees [Fe16]. OAuth 2 supports modern technologies such as REST and JSON. In particular, it relies on JSON Web Tokens [Jo15] as the default format for access tokens. The access token format is considered opaque to the client. </p>
<p>The protocol seeks to enable a separation of concerns, decoupling authentication from authorization. This is a significant difference to previous protocols, such as Kerberos, Radius or SAML. OpenID Connect (OIDC) is the de-facto identity layer on top of OAuth 2.0. Extensions are now emerging from the decentralized identity space, to support self-issued credentials (SIOP [Te20]). 
A complete introduction to the capabilities of OAuth 2 is beyond the objective of this article; the interested reader may refer to the book “OAuth2 in Action” [Ri17]. </p>
<h3 id="limitations-and-challenges">Limitations and challenges</h3>
<p>Despite its widespread use and impressive success, OAuth 2 also has downsides. 
The terminology is not clarified in the standard, which makes the concepts harder for newcomers to understand. Based on our teaching experience, it’s not intuitive for developers to understand that their own application is called a client and needs to register against an authorization server.  </p>
<p>More fundamentally, the delegation model is only partially implemented. The core specification focuses on the case where the end-user connects to their own subscribed services. However, there are other important cases where the assumption end-user = resource owner doesn’t hold. A child may ask for parental agreement to watch a movie. A doctor may ask for one of a patient’s medical records. The patient is the owner of the resource and is asked whether they consent to grant access to their doctor. This specific case is handled by the UMA2 (User-Managed Access [Um18]) extension from the Kantara initiative, but handling the consent of a remote resource owner is generally unsolved. </p>
<p>In particular, a smooth interaction with end-users is of critical importance, but the choice of provider may look overwhelming (known as the “NASCAR problem”). As we’ll discuss in the next paragraphs, this inconvenience has led to the reliance on a few gatekeepers only. </p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1619442744427/dQCfJzJQr.png" alt="Selection_666.png" />
Fig.3 : The NASCAR problem</p>
<p>OAuth 2 is also very browser-centric. While OAuth 2 introduced various flows to better support non-browser agents, the interaction still needs to start from a web browser. This complicates integrations with native devices, such as mobile phones or connected things.</p>
<p>The internet of things (IoT) is not the main target of the standard, but the reliance on HTTP/1.1 has limited the applicability of the standard to that domain area. Due to the drastic energy and bandwidth constraints, the vast majority of IoT networks do not follow the internet model based on IP protocols and TLS based security. Due to the limitations of HTTP/1.1, a protocol called CoAP has been gaining in popularity and is used by some OAuth 2 profiles (such as ACE [Se20]). CoAP being specific, interoperability with the rest of the internet still requires the use of gateways. This not only presents an interoperability problem but a security issue too, since end-to-end encryption becomes harder when intermediaries are required, and works against least-privilege access. In the future, HTTP/3 might allow a more natural fit for battery powered devices, thanks to more efficient congestion controls and header compression.</p>
<p>Access policies also come with their limitations. In OAuth 2, scopes are used to limit an application’s access to some owner’s data by issuing an authorization grant that is limited only to the scopes granted by the user. OAuth 2 scopes are merely strings (e.g. “read”, “write”, or whatever makes sense in a specific context, e.g. “dolphin”). Some business cases require more than a fixed string. If you want to authorize a payment, you need to pass an amount, a currency, a recipient, and the purpose to the authorization server. Otherwise, the authorization server cannot gather the user’s consent for that particular transaction and generate an access token that is really constrained to the transaction’s parameters (e.g., the amount). </p>
<p>Essentially, scopes are proxies for role based access (RBAC) or attribute based access (ABAC). Those access policies are convenient ways to handle the case where the resource owner is a corporate entity. For instance, an administrator end-user may be issued an “admin” role for a set of applications, and the corporate system grants privileged access based on that admin role. However, modern cloud architectures spread beyond the traditional network perimeter and require more dynamic rule engines than a static scope parameter. NIST has proposed a “next generation access control” (NGAC [Fe15]) standard, while the usage control model (UCON [Pa04]) formalized six core components: subjects (with attributes), objects (with attributes), rights, authorizations, obligations, and conditions. Despite their ease of use, JWT tokens effectively limit what is possible. For instance, in cloud environments, a single request could result in hundreds of internal requests between microservices or lambda functions, each requiring a verification of authorization, making it impractical due to latency issues. </p>
<p>Bearer tokens also tend to be abused by developers for stateful session handling. The revocation of access tokens is possible but its details depend on each implementation provider. OAuth 2 is more a framework than a protocol, as compatibility between two authorization service (AS) providers is not guaranteed, making it impossible to mix various ASs. </p>
<p>Therefore, in practice, applications stick to just a few digital gatekeepers. This poses a major privacy concern, as the gatekeepers are able to know what grant is asked by whom and when. There’s no mechanism within OAuth 2 to guarantee the privacy of end-users from a curious AS. The European Commission is now considering imposing legal obligations on digital platforms to remedy or prevent “commercial imbalances” [Re20]. This includes digital IDs, as customers using a single ID to login to a range of unrelated 3rd-party services could be locked in. “Restrictions or separations of digital ID services from platforms’ commercial operations may be necessary” [Re20]. This debate is amplified by the regulatory work currently being planned for the Digital Service Act. According to a position paper published by the EPP group [Ep21], the largest parliamentary group in the EU, “[We] firmly support the right to be anonymous on the Internet (as it is acknowledged by the GDPR) but at the same time reject the idea of being unidentifiable online (= what is illegal offline, is illegal online). To make sure that, while maintaining anonymity, everyone is digitally identifiable where this is necessary, a protected European digital identity should be created, using, for example, the blockchain technology. The level of responsibility of the platforms should be tailored to the identifiability of the users”. While it’s hard to tell if that is an awkward way of referring to the self-sovereign identity (SSI) space, the ethical questions raised by such a proposal shouldn’t be ignored [Im21]. As Sheldrake explains [Sh20], “in centralising identity on the individual, as SSI does, it removes some identification, authentication, and claims processes from being subject to law and organisational governance (e.g. 
the GDPR does not apply to individuals), and into the chaos of social groups and the formation and reformation of social norms and other societal structures.” Policy makers and technologists should reflect on the rationale and impact of decentralizing identities, essentially revisiting the “laws of identity” [Ca05], 15 years later.    </p>
<p>The centralization of the authorization framework is also questioned. Would it make sense to deploy the AS on the end-user’s mobile phone, to protect sensitive consent requests? There have been early experiments [Jo20] to provide an openid:// deep linking scheme to a local HTTP server, with the caveat that browsers do not currently recognize this as a common scheme. The target architecture for a more decentralized framework is a work in progress, with the aim to enable interoperability between decentralized identity wallets and authorization servers.<br />Some of the mentioned challenges are gradually being addressed in the OAuth 2 community by creating new complementary standards: an example is the RAR (Rich Authorization Request [Lo20]), which solves some of the issues related to fixed scopes, especially for open banking use cases. 
Yet, past design choices limit what can be improved. The healthcare use-case is again well suited to explain the advanced interactions which would be very hard to achieve through state-of-the-art delegation protocols:</p>
<ol>
<li>A credentialed doctor (Dr. Bob) uses a secure wallet (capable of a non-repudiable signature) to make a request (relying party credentials, scope of resource server access, purpose of access) to patient Alice's authorization server;</li>
<li>The AS responds with a scoped capability and holds Bob accountable for its invocation;</li>
<li>Dr. Bob passes that capability to his employer institution or to another healthcare partner. Dr. Bob may attenuate the capability before or after it is passed to the system;</li>
<li>Another physician in the team, Dr. Carol, signs in to the employer system and clicks on the capability associated with Alice;</li>
<li>The client (e.g. a mobile application) used by the healthcare team (Dr. Bob or Dr. Carol) presents the capability to the protected information and gains scoped access to the resource. Organizational policies would likely require an audit trail that includes the doctors’ credentials and/or the root of trust of a software statement presented by the client to ensure its authenticity.</li>
</ol>
<p>OAuth2 would have trouble handling such a complex but realistic and common scenario, possibly requiring coordination between several ASs and resource servers, and involving delegations and policies between multiple users (the doctors) distinct from the resource owner (the patient). By focusing on the usability of privacy and security protocols within the real-world contexts in which they have to operate, we target a human centric design [Sa05]. We therefore propose to take a fresh look at how to design a delegation protocol.</p>
<h2 id="alternative-design-principles-with-gnap">Alternative design principles with GNAP</h2>
<p>In this section, we explain how a new protocol currently being specified within the IETF GNAP (Grant Negotiation and Authorization Protocol) working group moves away from some of the current OAuth 2 assumptions and limitations. The core specification document is publicly available as a draft [Ie20]. Many changes are still expected before the specification is officially published, but the general design principles have received consensus from the project charter. A formal terminology [Ie21] has been approved. Early versions of the draft are already implemented as open source projects by different stakeholders, to ensure those concepts are practically sound (as per the unofficial IETF motto: "we believe in rough consensus and running code").  </p>
<h3 id="non-goals">Non goals</h3>
<p>Non goals should be explicit. Just as with OAuth 2, GNAP doesn’t intend to specify the authentication process. Instead it integrates with existing standards, such as OIDC, WebAuthn/FIDO2 or decentralized identity protocols. OAuth 2 has shown the benefits of such a decoupling, but GNAP aims to enable better portability between various identity schemes. 
OAuth 2 comes with known benefits and GNAP also doesn’t intend to replace OAuth 2 or its extensions. An appendix in the GNAP core specification defines how to retrofit scopes and client_id from existing OAuth 2 systems and enable a progressive roll-out. </p>
<h3 id="cryptography-based-security">Cryptography based security</h3>
<p>OAuth 2 uses shared bearer secrets, including the client_secret and access token, and advanced authentication and sender-constraining have been built on after the fact in inconsistent ways. In GNAP, all communication between the client instance and AS is bound to a key held by the client instance. </p>
<p>GNAP uses the same cryptographic mechanisms for both authenticating the client (to the AS) and binding the access token (to the resource server and the AS). It allows extensions to define new cryptographic protection mechanisms, as new methods are expected to become available over time. GNAP does not have a notion of “public clients” because key information can always be sent and used dynamically in addition to being pre-registered.</p>
<h3 id="interaction-flexibility">Interaction flexibility</h3>
<p>OAuth 2 generally assumes the user has access to a web browser. The type of interaction available is fixed by the grant type, and the most common interactive grant types start in the browser. OAuth 2 assumes that the user using the client software is the same user that will interact with the AS to approve access. GNAP is designed to allow these users to be two different people, but still works in the optimized case of them being the same party.</p>
<p>GNAP allows a client instance to list different ways that it can start and finish an interaction, and these can be mixed together as needed for different use cases. GNAP interactions can use a browser, but don’t have to. Methods can use inter-application messaging protocols, out-of-band data transfer, or anything else. GNAP also allows extensions to define new ways to start and finish an interaction, as new methods and platforms are expected to become available over time. </p>
<h3 id="intent-registration-and-inline-negotiation">Intent registration and inline negotiation</h3>
<p>OAuth 2 uses different “grant types” that start at different endpoints for different purposes. Many of these require discovery of several interrelated parameters. </p>
<p>GNAP requests all start with the same type of request to the same endpoint at the AS. Next steps are negotiated between the client instance and AS based on software capabilities, policies surrounding requested access, and the overall context of the ongoing request. GNAP defines a continuation API that allows the client instance and AS to request and send additional information from each other over multiple steps. This continuation API uses the same access token protection that other GNAP-protected APIs use. GNAP allows discovery to optimize the requests but it isn’t required thanks to the negotiation capabilities.</p>
<h3 id="client-instances">Client instances</h3>
<p>OAuth 2 requires all clients to be registered at the AS and to use a client_id known to the AS as part of the protocol. This client_id is generally assumed to be assigned by a trusted authority during a registration process, and OAuth 2 places a lot of trust on the client_id as a result and requires it throughout the protocol. Dynamic registration allows different classes of clients to get a client_id at runtime, even if they only ever use it for one request. </p>
<p>Instead of a client_id (related to a pre-registered client software), GNAP relies on client instances (identified by their key). GNAP allows the client instance to present an unknown key to the AS and use that key to protect the ongoing request. It also allows attestation mechanisms to be defined for the client software (for instance, the organization the client represents, a specific version, the posture of the device the client is installed on, etc.). GNAP’s client instance identifier mechanism allows for pre-registered clients and dynamically registered clients to exist as an optimized case without requiring the identifier as part of the protocol at all times.</p>
<h3 id="expanded-delegation">Expanded delegation</h3>
<p>OAuth 2 defines the “scope” parameter for controlling access to APIs. This parameter has been co-opted to mean a number of different things in different protocols, including flags for turning special behavior on and off, including the return of data apart from the access token. The “resource” parameter and RAR extensions expand on the “scope” concept in similar but different ways. GNAP defines a rich structure for requesting access and supports string references as an optimization.</p>
<p>GNAP defines methods for requesting directly-returned user information, separate from API access. This information includes identifiers for the current user and structured assertions. Like OAuth 2, GNAP can support various access token formats, including JWT which remains popular for its simplicity. Innovation provided by decentralized delegation and attenuation token mechanisms (such as macaroons [Bi14] or biscuits [Bi20][Im20]) enables more advanced behaviors. </p>
<h3 id="privacy-by-design">Privacy by design</h3>
<p>OAuth 2 has no protection against a curious AS. </p>
<p>GNAP intends to provide privacy preserving mechanisms based on two principles:</p>
<ol>
<li>data minimization: limiting the attributes disclosed by an end-user to the minimum necessary to achieve a stated purpose, and minimizing the number of parties this information is exposed to (such as the web browser);</li>
<li>untraceability: preventing an AS from knowing which resources are called by a client, and which operations are performed. For instance, hiding the URL of protected resources from the AS. </li>
</ol>
<p>Those mechanisms could either target a single AS or multiple ASs in order to reduce centralization and improve scalability. </p>
<h2 id="conclusion">Conclusion</h2>
<p>This article provides a comparison of OAuth 2 and the more recent GNAP authorization protocol. The latter covers simple delegation in a more consistent way but also enables advanced cases between various stakeholders involved in sensitive application domains. </p>
<p>In OAuth 2, it is assumed that the AS is the device that’s authenticating the user, collecting consent, managing the client’s registration, and creating an access token based on whatever set of rights is associated with all of those things. In UMA2, this is turned around by letting the resource owner present a bunch of “claims” interactively, but still at the AS. With both of these, a key aspect remains: the AS needs to gather necessary information, and issue the access token (or identifiers/assertions). Because of how GNAP works, the client software has a better opportunity to present information to the AS, either directly in the request, through external parties or by introducing the AS to another software component during the “interaction” phase. So GNAP asks, what if we think of authorization server(s) primarily as “token issuer(s)”?</p>
<p>Beyond GNAP, reflecting on the current assumptions and limitations of OAuth 2 is a worthwhile exercise that would require a closer partnership between practitioners and academia. In particular, a better understanding of the security and privacy guarantees would benefit the general public and the regulatory bodies. </p>
<p>The opportunity to decentralize consent on the end-user’s devices still faces technical challenges. The applicability of those protocols to a broader class of devices, including the IoT, offers an avenue for further research. </p>
<h2 id="bibliography">Bibliography</h2>
<ul>
<li>[Bi14]     Birgisson A.; Gibbs, J.; Úlfar P.; Taly, A.; Vrable M.; Lentczner, M.; Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud, Network and Distributed System Security Symposium, Internet Society, 2014</li>
<li>[Bi20]     Biscuit authentication/authorization token, https://github.com/CleverCloud/biscuit</li>
<li>[Ca05]     Cameron K.; The laws of identity, https://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf, accessed 15/01/2021</li>
<li>[Ep21]     EPP; Position on the Digital Services Act (DSA), https://www.google.com/url?q=https://www.eppgroup.eu/download/file/NQKR4EpVyCuRQB66r9$ZDAAAAAIUAREDZmlkEQU0NzYxNQ&amp;sa=D&amp;source=editors&amp;ust=1613299386782000&amp;usg=AOvVaw34NPmzRhxtNW8YCykcyPeB, accessed 15/01/21</li>
<li>[Fe15]     Ferraiolo D.; Gavrila S.; Jansen W.; Policy Machine: Features, Architecture, and Specification, NIST IR 7987 Revision 1, 2015</li>
<li>[Fe16]    Fett D.; Kuesters, R.; Schmitz, G.; A Comprehensive Formal Security Analysis of OAuth 2.0, Proc. Conference on Computer and Communications Security, pp. 1204-1215, 2016, https://doi.org/10.1145/2976749.2978385</li>
<li>[Ha12]     Hardt, D.; The OAuth 2.0 Authorization Framework; https://tools.ietf.org/html/rfc6749</li>
<li>[Ie20]     IETF; Grant Negotiation and Authorization Protocol (gnap), https://datatracker.ietf.org/wg/gnap/documents</li>
<li>[Ie21]     IETF GNAP wiki, Terminology, https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology</li>
<li>[Im20]     Imbault, F.; biscuitsec.org; accessed 15/01/21</li>
<li>[Im21]     Imbault, F.; The ethical dilemma posed by Decentralized Identity, https://fimbault.medium.com/the-ethical-dilemma-posed-by-decentralized-identity-f8328b655544, accessed 15/01/21</li>
<li>[Jo15]     Jones, M.; Bradley, J.; Sakimura, N.; JSON Web Token (JWT), https://tools.ietf.org/html/rfc7519 </li>
<li>[Jo20]     Jones, M.; Wallet UX Challenge for DHS, https://www.youtube.com/watch?v=Tq4hw7X5SW0, accessed 15/01/21</li>
<li>[Lo20]     Lodderstedt, T.; Richer, J.; Campbell, B.; OAuth 2.0 Rich Authorization Requests, IETF, draft 3, https://tools.ietf.org/html/draft-ietf-oauth-rar-03</li>
<li>[Pa19]    Parecki A.; It’s time for OAuth 2.1, https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1, accessed 15/01/21</li>
<li>[Pa04]    Park J.; Sandhu, R., The UCON ABC Usage Control Model, ACM Transactions on Information and System Security, 2004, https://doi.org/10.1145/984334.984339</li>
<li>[Re20]    Reuters; EU's Breton eyes rules for online platforms acting as gatekeepers, https://www.reuters.com/article/eu-tech-breton-idUSB5N28M01I, accessed 15/01/21</li>
<li>[Ri17]    Richer, J.; Sanso, A.; OAuth2 in Action. Manning, 2017</li>
<li>[Sa05]    Sasse, A.; Flechais, I.; Usable Security. Why Do We Need It? How Do We Get It? In: Cranor, LF and Garfinkel, S, (eds.) Security and Usability: Designing secure systems that people can use, O'Reilly, 2005</li>
<li>[Se20]     Seitz L.; Selander G.; Wahlstroem E.; Erdtman S.; Tschofenig, H.; Authentication and Authorization for Constrained Environments (ACE)  using the OAuth 2.0 Framework (ACE-OAuth), IETF, draft 37, https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-37</li>
<li>[Sh20]    Sheldrake, P.; The dystopia of self-sovereign identity, https://sheldrake.medium.com/the-dystopia-of-self-sovereign-identity-ssi-794435188863, accessed 15/01/21</li>
<li>[Te20]     Terbu, O.; Self-Issued OpenID Connect Provider DID Profile v0.1, DIF, https://identity.foundation/did-siop</li>
<li>[Um18]    Kantara Initiative; User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization, https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html</li>
<li>[Ze19]    Zumerle, D.; D’Hoinne J.; O’Neill, M.; API Security: What You Need to Do to Protect Your APIs, 2019</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Consent is dead. Long live consent!]]></title><description><![CDATA[Most digital privacy advocates take user consent as the go to solution to avoid Big Brother. But does that stand the test of reality?
Online consent is not a trivial process. source: BBC
This discussion stems from a thought provoking tweet, to say th...]]></description><link>https://blog.fimbault.com/consent-is-dead-long-live-consent-2d64a434cdf6</link><guid isPermaLink="true">https://blog.fimbault.com/consent-is-dead-long-live-consent-2d64a434cdf6</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Fri, 12 Mar 2021 07:37:31 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573521069/r-ekPBG8z0.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Most digital privacy advocates take user consent as the go to solution to avoid Big Brother. But does that stand the test of reality?</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573507130/xjldAhi32.jpeg" alt="Online consent is not a trivial process. source: BBC" /><em>Online consent is not a trivial process. source: BBC</em></p>
<p>This discussion stems from a thought provoking tweet, to say the least. “Maybe consent should have <em>no</em> place in privacy law”.</p>
<p><img src="https://cdn-images-1.medium.com/max/2000/0*zoD52SxUcMWlndLX.png" alt="[A thought provoking tweet](https://cdn.hashnode.com/res/hashnode/image/upload/v1618573508873/0cDjz-_57.html)" /><em><a target="_blank" href="https://twitter.com/ariezrawaldman/status/1368886522481623040">A thought provoking tweet</a></em></p>
<p>Which makes it a great starting point to reflect a bit on our digital habits.</p>
<p>More than 50 years ago already, U.S. Justice Michael Musmanno, eloquently expounded on the importance of that right:</p>
<blockquote>
<p><em>The greatest joy that can be experienced by mortal man is to feel himself master of his fate, — this in small as well as in big things. Of all the precious privileges and prerogatives in the crown of happiness which every American citizen has the right to wear, none shines with greater luster and imparts more innate satisfaction and soulful contentment to the wearer than the golden, diamond-studded right to be let alone. Everything else in comparison is dross and sawdust.</em>
<em>— Commonwealth v. John Murray, 223 A.2d 102, 109 (Pa. 1966)</em></p>
</blockquote>
<p>In the context of digital applications, privacy regulations appeared very recently. The EU’s GDPR (General Data Protection Regulation) started in 2018.</p>
<p>Personal information may relate to many types of data:</p>
<p><img src="https://cdn-images-1.medium.com/max/2668/1*jweB7oO-XY59eeSgC2KXQw.jpeg" alt="The [W3C DPV](https://cdn.hashnode.com/res/hashnode/image/upload/v1618573510251/BddUwtNlm.html) provides a data privacy vocabulary ontology" /><em>The <a target="_blank" href="https://dpvcg.github.io/dpv/">W3C DPV</a> provides a data privacy vocabulary ontology</em></p>
<p>Contrary to popular belief, GDPR does not necessarily require businesses to obtain consent from people before using their personal information for business and data processing purposes. Rather, consent is just one legal basis; the other five outlined in <a target="_blank" href="https://gdpr.eu/article-6-how-to-process-personal-data-legally/">Article 6</a> are:</p>
<ol>
<li><p>Processing is necessary to satisfy a contract to which the data subject is a party (for instance, I need to deliver your purchase at your home address)</p>
</li>
<li><p>You need to process the data to comply with a legal obligation (for instance, apply tax codes based on your location)</p>
</li>
<li><p>You need to process the data to save somebody’s life (for instance, this has been discussed in relation to covid tracking apps)</p>
</li>
<li><p>Processing is necessary to perform a task in the public interest or to carry out some official function (for instance, computing statistics related to the pandemic)</p>
</li>
<li><p>You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, obviously.</p>
</li>
</ol>
<p>This opens the door to interpretation, and there comes the almighty privacy policy. I mean, better safe than sorry, even though consent remains a “fragile” legal basis because of the regime “easy obtained-easy revoked”. According to the GDPR, privacy policies should be delivered in a “concise, transparent and intelligible form, using clear and plain language”. But based on a review of 150 of those policies, “these are documents created by lawyers, for lawyers. They were never created as a consumer tool.” (source: <a target="_blank" href="https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html">NY times</a>).</p>
<h2 id="consent-is-hard-to-do-right">Consent is hard to do right</h2>
<p>Each policy takes an “average of 10 minutes to read, an average individual encounters around 1500 of those each year. 76 work days!” (source: <a target="_blank" href="https://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/">TheAtlantic</a>). Consumers obviously don’t read, understand or acknowledge any of those terms (and even if they did once, the providers change them regularly). And that study was conducted in 2012, before <a target="_blank" href="https://themarkup.org/privacy/2021/04/01/the-little-known-data-broker-industry-is-spending-big-bucks-lobbying-congress">data brokers</a> were so prevalent. Without tools such as <a target="_blank" href="https://disinfo.quaidorsay.fr/fr/open-terms-archive/scripta-manent?service=123Greetings&amp;typeofdocument=Privacy+Policy">Scripta Manent</a>, these policies would be impossible to decipher, to the point that some artists have denounced the situation visually:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573512058/GD9gUdTka.jpeg" alt="Reading terms and conditions, by designer Dima Yarovinsky" /><em>Reading terms and conditions, by designer Dima Yarovinsky</em></p>
<p>We can do better to make consent more human-friendly. CMU’s CyLab has tested many usability options to better inform consumers on privacy and security. They found that privacy options often remain hard to find. In March 2021, California recommended adoption of a blue stylized toggle icon, which might serve as a starting point:</p>
<p><img src="https://cdn-images-1.medium.com/max/2000/1*-oopGfQaGnAZuXyoE6VIOQ.png" alt="CCPA approved “Privacy Options” button (but the state opt-in/opt-out remains hard to guess from the flat icon, it would be good that designers further help on this). Source: [cylab](https://cdn.hashnode.com/res/hashnode/image/upload/v1618573513589/ZvJxBOmSp.html)" /><em>CCPA approved “Privacy Options” button (but the state opt-in/opt-out remains hard to guess from the flat icon, it would be good that designers further help on this). Source: <a target="_blank" href="https://cacm.acm.org/magazines/2021/3/250700-informing-california-privacy-regulations-with-evidence-from-research/fulltext">cylab</a></em></p>
<p>New forms of user analytics (such as <a target="_blank" href="https://plausible.io/">plausible</a> or <a target="_blank" href="https://www.offen.dev/">offen</a>) focus on opt-in and opt-out mechanisms, as a technical solution. Application services can rely on authorization frameworks such as OAuth2 to include the resource owner’s consent, and the newer IETF GNAP (of which I am co-editor) strengthens privacy in the core protocol design. Other initiatives, such as Berners-Lee’s <a target="_blank" href="https://solidproject.org/">solid</a>, try to implement personal data spaces.</p>
<h2 id="consent-is-no-panacea">Consent is no panacea</h2>
<p>Despite all that technological goodwill, the practice of privacy notices often remains misleading, and sometimes harmful. Trust is coercive to the individual in the sense that a shrink-wrap license, or being forced to sign a privacy notice before getting care at a hospital is coercive to the sick and anxious person.</p>
<p>One also shouldn’t have to share “his” mobile phone contacts/address book containing “his friends” details in it. One individual’s “consent” shouldn’t undermine another individual’s rights. Period.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573515142/oylMhCVkM.jpeg" alt="Clubhouse’s dark privacy pattern" /><em>Clubhouse’s dark privacy pattern</em></p>
<p>The mere fact that Clubhouse could raise a 100 million dollar Series B investment to implement their fear-of-missing-out strategy, with no concern whatsoever for privacy, is mind-blowing.</p>
<p>Clubhouse is new but certainly not alone in its data-hungry quest, despite consent regulation and technologies. With <a target="_blank" href="https://www.theverge.com/2020/12/14/22174017/apple-app-store-new-privacy-labels-ios-apps-public">privacy labels</a> now available for many of the top apps in the Apple store, more data is now available:</p>
<blockquote>
<p><em>Every time you search for a video on YouTube, 42% of your personal data is sent elsewhere. This data goes on to inform the types of adverts you’ll see before and during videos, as well as being sold to brands who’ll target you on other social media platforms.</em>
<em>YouTube isn’t the worst when it comes to selling your information on. That award goes to Instagram, which shares a staggering 79% of your data with other companies. Including everything from purchasing information, personal data, and browsing history. No wonder there’s so much promoted content on your feed. With over 1 billion monthly active users it’s worrying that Instagram is a hub for sharing such a high amount of its unknowing users’ data.</em></p>
</blockquote>
<p><img src="https://cdn-images-1.medium.com/max/2000/1*lFHURq8yR19-PnOpifT41Q.jpeg" alt="Source: [https://cdn.hashnode.com/res/hashnode/image/upload/v1618573517353/a70yvqfrY.html](https://blog.pcloud.com/invasive-apps/)" /><em>Source: <a target="_blank" href="https://blog.pcloud.com/invasive-apps/">https://blog.pcloud.com/invasive-apps/</a></em></p>
<p>Those results confirm <a target="_blank" href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3489577">Bietti</a>’s qualitative analysis: “Notwithstanding literature and findings lays significant doubts on notice and consent’s adequacy as a regulatory device in the platform ecosystem.”</p>
<h2 id="its-time-for-a-mindset-shift">It’s Time for a Mindset Shift</h2>
<p>Privacy, like <a target="_blank" href="https://fimbault.medium.com/the-ethical-dilemma-posed-by-decentralized-identity-f8328b655544">digital identity</a>, is a shared property. “Consent is social and contextual” (source: <a target="_blank" href="https://twitter.com/Sheldrake/status/1369213724037353472">Sheldrake</a>). We now have a few years of experience, and it’s time we address consent fatigue.</p>
<p>Unlike the GDPR, which gives consumers the right to “opt-out” from the sale of their personal data, NY privacy act (reintroduced in <a target="_blank" href="https://www.lexology.com/library/detail.aspx?g=b21e5ad8-c8f5-4a41-ade7-7a34d5077a12">2021</a>) would require consumers to “opt-in” for the use of their personal data. A <a target="_blank" href="https://www.securitymagazine.com/articles/94796-national-consumer-data-privacy-legislation-introduced">U.S. Consumer Data Privacy Legislation</a> is being drafted:</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573519212/MHSAh0xQL.png" alt="Towards a national privacy law in the U.S. ?" /><em>Towards a national privacy law in the U.S. ?</em></p>
<p>The EU’s upcoming Digital Markets Act is contemplating blacklisting bad data practices and identifying digital gatekeepers (i.e. mainstream platforms), while others focus on reasonable person tests layered on top of consent (e.g. PIPEDA in Canada). By contrast, the post-Brexit UK is considering relaxing the rules “to drive growth”, says <a target="_blank" href="https://www.reuters.com/article/us-britain-data/uk-aims-to-diverge-from-eu-data-rules-to-drive-growth-minister-says-idUKKBN2B3009?edition-redirect=uk">UK Digital Secretary Oliver Dowden</a>. Digital privacy remains an eminently political matter.</p>
<p>The difficulty is to find the right balance, and encourage actual enforcement by companies. <a target="_blank" href="https://fimbault.medium.com/data-isnt-the-new-oil-and-we-should-be-careful-a5be67cd41b9">Data isn’t the new oil</a>, and regulators are coming. Alongside, we technologists, as well as social scientists, should find new ways to make the much needed change happen. Digital consent is a tool, not an aim.</p>
]]></content:encoded></item><item><title><![CDATA[The ethical dilemma posed by Decentralized Identity]]></title><description><![CDATA[Identity systems have traditionally been hierarchical directories. In organizations, central administrators define the rights that each user (or group of users) has on the system. And so, they need to know who the user is.
One the internet, nobody kn...]]></description><link>https://blog.fimbault.com/the-ethical-dilemma-posed-by-decentralized-identity-f8328b655544</link><guid isPermaLink="true">https://blog.fimbault.com/the-ethical-dilemma-posed-by-decentralized-identity-f8328b655544</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Sat, 30 Jan 2021 12:23:13 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618575156208/RiZx1wMMz.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Identity systems have traditionally been hierarchical directories. In organizations, central administrators define the rights that each user (or group of users) has on the system. And so, they need to know who the user is.</p>
<h2 id="one-the-internet-nobody-knows-youre-a-dog"><strong>On the internet, nobody knows you’re a dog</strong></h2>
<p>That’s a big problem to solve, famously cartooned by Steiner in 1993: “on the internet, nobody knows you’re a dog.”</p>
<p>Since 1993, the internet has taken over the world. Identity and Access Management (IAM) systems now span a wide variety of uses, which include customers too. Privacy regulations define what is allowed and what isn’t, as far as individual data processing and storage is concerned.</p>
<p>Most of these systems are still very much centralized. Since passwords are creating large security gaps, protocols such as OAuth2 enabled the reuse of social accounts. People log in through Facebook/Google/GitHub/etc. The obvious downside is that those large networks get to know everything you authorize.</p>
<p>As a result, an internet of behaviors (IoB) is emerging, as many technologies capture and use the “digital dust” of peoples’ daily lives. The IoB combines existing technologies that focus on the individual directly — facial recognition, location tracking and big data for example — and connects the resulting data to associated behavioral events, such as cash purchases or device usage.</p>
<p><a target="_blank" href="https://www.gartner.com/en/newsroom/press-releases/2020-10-19-gartner-identifies-the-top-strategic-technology-trends-for-2021">Gartner predicts</a> that by year-end 2025, over half of the world’s population will be subject to at least one IoB program, whether it be commercial or governmental. As we already discussed in a previous article on <a target="_blank" href="https://medium.com/@fimbault/data-isnt-the-new-oil-and-we-should-be-careful-a5be67cd41b9">surveillance capitalism</a>, one can expect extensive ethical and societal debates about the different methods employed to affect behavior, and whether that’s even a legitimate approach in the first place.</p>
<p>Technologists should embed those new issues into their identity work. As an example, a new IETF protocol called <a target="_blank" href="https://datatracker.ietf.org/wg/gnap/documents/">GNAP</a>, currently being specified, embeds a privacy by design approach to mitigate those issues (disclaimer, I’m one of the co-editors). End-user identity claims typically come from OpenID connectors, but there’s also a new kid in town that might reduce the risk of surveillance: decentralized identity.</p>
<h2 id="self-sovereign-identity"><strong>Self-sovereign identity</strong></h2>
<p>The <a target="_blank" href="https://sovrin.org/">Sovrin Foundation</a> has defined the concept of self-sovereign identity (SSI): only the end-user should fully own their identity data, without intervention from an external administration.</p>
<p>The idea has developed on the roots of public blockchains, but focuses on very specific types of data: <a target="_blank" href="https://www.w3.org/TR/did-core/">decentralized identifiers</a> (DID) and <a target="_blank" href="https://www.w3.org/TR/vc-data-model/">verifiable credentials</a> (VC), as defined by another standardization body, the <a target="_blank" href="https://identity.foundation/">Decentralized Identity Foundation</a> (DIF). Timothy Ruff explains these new concepts through a <a target="_blank" href="https://rufftimo.medium.com/verifiable-credentials-arent-credentials-they-re-containers-fab5b3ae5c0">transportation metaphor</a> which is worth a read. It explains why experts and organizations such as <a target="_blank" href="https://techcommunity.microsoft.com/t5/azure-active-directory-identity/toward-scalable-decentralized-identifier-systems/ba-p/560168">Microsoft</a> spend so much effort on this <a target="_blank" href="https://www.kumu.io/michaelruminer/vc-spec-map">line of work</a>, including a semantic layer related to identity.</p>
<p>The objective on which everyone agrees is to give back control to individuals, so that their data cannot be shared without their consent. Maybe even people could own their identity and be paid by corporations such as facebook to use their profile data, as suggested by authors such as <a target="_blank" href="https://www.generationlibre.eu/data-a-moi/">Gaspard Koenig</a>, in France or <a target="_blank" href="https://www.theverge.com/2019/4/9/18302076/data-monetization-control-manipulation-economy-jaron-laniers-virtual-reality-vr-vergecast">Jaron Lanier</a>, in the United States.</p>
<h2 id="or-generative-identity">Or generative identity?</h2>
<p>An idea strongly opposed by jurist scholar <a target="_blank" href="https://medium.com/@hackylawyER/on-personal-data-98e5da9d56d2">Elizabeth M. Renieris</a> as well as <a target="_blank" href="https://sheldrake.medium.com/the-dystopia-of-self-sovereign-identity-ssi-794435188863">Philip Sheldrake</a>, who puts forward that the real issue should be the regulation of bigtech companies.</p>
<blockquote>
<p>In centralising identity on the individual, as SSI does, it removes some identification, authentication, and claims processes from being subject to law and organisational governance (e.g. the GDPR does not apply to individuals), and into the chaos of social groups and the formation and reformation of social norms and other societal structures. It’s worth noting that social norms form without any real and widespread understanding of the technology and with little if any appreciation for potential emergent consequences — P. Sheldrake</p>
</blockquote>
<p>The very philosophical underpinnings of the SSI movement are indeed questionable. Renieris calls for a <a target="_blank" href="https://medium.com/berkman-klein-center/its-time-for-contextual-identity-ea65f8395123">contextual identity</a>, while Sheldrake introduced the notion of <a target="_blank" href="https://generative-identity.org/">generative identity</a>. Sheldrake argues, with good reason, that SSI is a technical movement that should introspect its <a target="_blank" href="https://sheldrake.medium.com/the-dystopia-of-self-sovereign-identity-ssi-794435188863">potential for social dystopia</a> (exemplified by Aadhaar’s biometric centralized identification system in India, in which there is no opt-out possible for citizens in the country; a potential problem that any identity system, decentralized or not, needs to be purposely designed to avoid). Badly designed identity systems facilitate <a target="_blank" href="https://privacyinternational.org/long-read/4472/exclusion-design-how-national-id-systems-make-social-protection-inaccessible">exclusion</a>. The arguments are well <a target="_blank" href="https://sheldrake.medium.com/generative-identity-beyond-self-sovereignty-6fb987edcda1">grounded in social theory</a>. Here’s a visual summary that compares self-sovereign (noun-like) versus generative (verb-like) approaches.</p>
<p><img src="https://cdn-images-1.medium.com/max/2000/1*-Id2_Nl32dM9a-lixOXR3A.png" alt="Source : [Akasha foundation](https://cdn.hashnode.com/res/hashnode/image/upload/v1618573527677/7hKucAllY.html)" /><em>Source : <a target="_blank" href="https://www.slideshare.net/Sheldrake/ssi-meetup-interpersonal-data-identity-and-collective-minds?ref=https://cdn.embedly.com/">Akasha foundation</a></em></p>
<p>What Sheldrake tells us is that we shouldn’t talk about “our data”, but “data about us”. For instance, if you take a DNA test, the results also tell much about your relatives. Data is interpersonal by nature, and therefore cannot be owned by an individual.</p>
<p>This can further refer to Edouard Glissant’s definition of rhizomatic identity, whose epistemological shift was defined in the Poetics of Relation: “each and every <strong>identity</strong> is extended through a relationship with the Other”.</p>
<h2 id="what-technologists-should-do">What technologists should do</h2>
<p>What’s important is that identity specialists take into account the potential consequences of their work on society. “Decentralization” or “self-sovereignty” shouldn’t become marketing stands that are looking for category dominance in a technology arms race. These concepts shouldn’t be taken at face value only; they’re not intrinsically good; they’re merely tools which can be used to transform our world and relationships, for better or worse.</p>
<p>That leaves us with a question. What should technologists change in their approach?</p>
<p>We have a few hints that nobody has a clue:</p>
<ul>
<li><p>Phil Windley’s <a target="_blank" href="https://generative-identity.org/control-agency-complexity-windley-sheldrake-conversation/">answer</a> to the criticism remains very focused on technology, but in my view doesn’t address the core concerns. Likewise, INATBA, a European blockchain association, published in November 2020 a position paper explaining <a target="_blank" href="https://inatba.org/news/inatba-identity-working-group-publishes-position-paper-on-decentralised-identity/">“what’s at stake” with decentralized identity</a>. But the stakes it describes are only technical, focused on issues such as interoperability; there’s not a single word on the related ethical issues.</p>
</li>
<li><p>On the opposite side, the <a target="_blank" href="https://generative-identity.org/generative-identity-group-charter/">generative identity charter</a> itself says the technological aspects are out of its scope. This isn’t an issue per se; their role is to ask the right questions and provide a reflexive approach that transcends any technical framework. But still… one would expect some directions.</p>
</li>
</ul>
<p>So I’ll give my take on that issue. I would suggest a divide between identity for humans and identity for machines.</p>
<ol>
<li><p>Identity for machines would greatly benefit from decentralized identifiers, as detailed by Sovrin’s white paper on <a target="_blank" href="https://sovrin.org/wp-content/uploads/SSI-in-IoT-whitepaper_Sovrin-design.pdf">SSI for IoT</a>. That’s the line of work I’ve been following in my work related to cybersecurity for connected medical devices (mediam EU project).</p>
</li>
<li><p>Identity for humans should remain a socio-technical construct, therefore mitigated through organisations subject to the laws where they operate. Thus the technical artefact that should be decentralized is the controlling key (as <a target="_blank" href="https://github.com/decentralized-identity/keri">DIF KERI</a> tries to do) that governs the access to derived identity information, which may well be relying on trusted parties in order to provide verified identities (for instance, to comply with <a target="_blank" href="https://sytaylor.substack.com/p/fintech-food-jan-24th-capone-fined">AML and KYC</a> obligations). Which highlights a terminology issue, as DIDs may not necessarily be decentralized. Whether identifiers themselves are centralized or decentralized should be a thoughtful architectural choice that depends on the use case and objectives, not a fundamental property.</p>
</li>
</ol>
<p>Whether you agree or not with this idea, please let me know what you think.</p>
<p>Disclaimer: the mediam project has received funding from the European Union’s Horizon 2020 research and innovation programme under the NGI_TRUST grant agreement no 825618</p>
<p>Image credit: https://generative-identity.org</p>
]]></content:encoded></item><item><title><![CDATA[Open software needs a new manifesto]]></title><description><![CDATA[More than a licence, we need to commit to a sustainable digital infrastructure.
A (very) brief history of open software movements
Both free software and opensource have had tremendous success.
Steve Klabnik has provided a great historical review of t...]]></description><link>https://blog.fimbault.com/open-software-needs-a-new-manifesto-8174cf7e1bbd</link><guid isPermaLink="true">https://blog.fimbault.com/open-software-needs-a-new-manifesto-8174cf7e1bbd</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Tue, 14 Apr 2020 13:42:53 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573555585/ZJGAz42iu.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>More than a licence, we need to commit to a sustainable digital infrastructure.</p>
<h2 id="a-very-brief-history-of-open-software-movements">A (very) brief history of open software movements</h2>
<p>Both free software and opensource have had tremendous success.</p>
<p>Steve Klabnik has provided a great historical <a target="_blank" href="https://words.steveklabnik.com/the-culture-war-at-the-heart-of-open-source">review</a> of the origin of free software with Stallman’s GNU announcement in 1983. Underpinning the free software movement was a profound critique of the role that patent law and private sourcing had come to play in stifling innovation and creativity.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573540979/eXSIkZaOB.png" alt="The copyleft principle, e.g. GPL (Source : David Ing)" /><em>The copyleft principle, e.g. GPL (Source : David Ing)</em></p>
<p>Fifteen years later, just when the internet was booming, the opensource reaction was devised to allow a more permissive use of the licences. As per <a target="_blank" href="http://www.catb.org/~esr/open-source.html">Eric S. Raymond</a>:</p>
<blockquote>
<p>Specifically, we have a problem with the term “free software”, itself, not the concept. I’ve become convinced that the term has to go.
The problem with it is twofold. First, it’s confusing; the term “free” is very ambiguous (something the Free Software Foundation’s propaganda has to wrestle with constantly). Does “free” mean “no money charged?” or does it mean “free to be modified by anyone”, or something else?
Second, the term makes a lot of corporate types nervous. While this does not intrinsically bother me in the least, we now have a pragmatic interest in converting these people rather than thumbing our noses at them. There’s now a chance we can make serious gains in the mainstream business world without compromising our ideals and commitment to technical excellence — so it’s time to reposition. We need a new and better label.</p>
</blockquote>
<p>Licensing under permissive open source conditions is friendlier to private source copyrights, opening the path to opencore business models (typically an opensource project licenced under Apache 2.0 plus an enterprise version that brings additional paid features).</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573544762/5I3kfg40Y.png" alt="The permissive principle, e.g. apache 2.0 (Source : David Ing)" /><em>The permissive principle, e.g. apache 2.0 (Source : David Ing)</em></p>
<p>Whatever your stand on the copyleft/permissive debate, a lot has changed since 1998. Enterprise IT is mostly organized around opensource, according to a <a target="_blank" href="https://www.zdnet.com/article/red-hat-survey-finds-were-living-in-an-open-source-world/">survey</a> from Red Hat. Even Microsoft has become an opensource advocate, at the same time as its strategy moved from selling a closed source operating system to a more agnostic cloud infrastructure. The general trend is that permissive licences are growing faster than copyleft ones, mainly because most large companies forbid the internal use of GPL and its variants.</p>
<p><img src="https://cdn-images-1.medium.com/max/2562/1*UzspSIX6aHCnjig4Uyg-bA.jpeg" alt="% split between licence types (Source: WhiteSource)" /><em>% split between licence types (Source: <a target="_blank" href="https://resources.whitesourcesoftware.com/blog-whitesource/top-open-source-licenses-trends-and-predictions">WhiteSource</a>)</em></p>
<p>VCs also are quite fond of the opensource model, as many great ventures have been built upon it:</p>
<p>Levine describes the current trend as an opensource renaissance. Is that so?</p>
<h2 id="open-software-is-at-a-crossroads">Open software is at a crossroads</h2>
<p>For many reasons, the opensource model, despite its successes, is now under enormous pressure, especially due to the asymmetry between cloud players and small projects.</p>
<h3 id="critical-projects-require-more-investment">Critical projects require more investment</h3>
<p>This starts as a classical free rider issue: GAFAs in particular have been criticized because they take and don’t give back, or at least not enough. One major complaint concerns critical projects such as OpenSSL, often maintained with very limited resources. The <a target="_blank" href="https://www.coreinfrastructure.org/">core infrastructure initiative</a> was created after the famous Heartbleed bug illustrated the lack of resources.</p>
<p>What Heartbleed demonstrates is that opensource software requires substantial time and effort to create and to sustain. One way to do that is with direct funding, which is why foundations exist. Another idea is for employers to redirect some time to opensource projects, as suggested by the <a target="_blank" href="https://opensourcefriday.com/">openfriday</a> initiative for instance.</p>
<h3 id="the-partial-shift-to-non-osi-licences">The (partial) shift to non-OSI licences</h3>
<p>A more recent fight has been going on between AWS (and to a lesser degree, other cloud players) and some well-known projects, such as redis and mongo. This has led to new licences, such as the BSL (Business Source Licence) introduced by MariaDB, which aren’t recognized as opensource by the OSI. The stated goal of project re-licencing is to protect and expand revenues, as the projects claim they don’t get their fair share from cloud platforms. In short, they feel (rightly so) that they get the recognition, but not the money.</p>
<p>For instance, database vendor CockroachDB has published the <a target="_blank" href="https://www.cockroachlabs.com/blog/oss-relicensing-cockroachdb/">rationale</a> behind its relicencing from Apache 2.0 to BSL (which falls back to Apache 2.0 after a few years, leaving enough time to protect their innovation). The source code is still available for use, except if you want to directly compete by selling it as a service. The licencing issue becomes a more direct competitive argument between projects, as demonstrated by their competitor’s <a target="_blank" href="https://www.bloomberg.com/press-releases/2019-07-16/yugabyte-commits-to-100-percent-open-source-with-apache-2-0-license">statement</a>, which opts for an opencore model instead.</p>
<blockquote>
<p>We have removed every barrier that developers face in adopting a business-critical database and operations engineers face in running a fleet of database clusters.</p>
</blockquote>
<p>So opensource <em>versus</em> BSL puts forward very similar arguments as opensource <em>versus</em> closed source. Back to origins.</p>
<h3 id="making-money-out-of-opensource-is-fundamentally-difficult">Making money out of opensource is fundamentally difficult</h3>
<p>The core of the problem is that a successful open source project in no way guarantees a successful business model. It also means that very good projects may fail, despite their technological soundness. We are indebted to the projects that described their journey, such as <a target="_blank" href="https://medium.com/@fanf42/stay-up-5b780511109d">Rudder</a>, or made a post-mortem analysis, such as <a target="_blank" href="https://gist.github.com/ramalho/93b87e961b6e019be8e1f6f82864b6f9">RethinkDB</a>. As with any other business, one needs to demonstrate one’s added value.</p>
<p>Luckily, new initiatives such as <a target="_blank" href="https://coss.media/">COSS</a> make the process of commercializing opensource more mainstream. Bruce Perens has published an early draft of what he calls <a target="_blank" href="https://perens.com/wp-content/uploads/sites/4/2020/10/PO_License_Draft.pdf">post-open source</a>, which is worth looking at.</p>
<h3 id="too-much-falls-on-individual-maintainers">Too much falls on individual maintainers</h3>
<p>Recent trends include the use of opensource in decentralized projects, as a medium for protocol implementations. This aligns quite well with the cultural background of blockchain ecosystems, but relies in practice on a small number of contributors. The Ethereum project in particular is well known for organizing decisions around a small number of core developers.</p>
<p>More generally speaking, maintainers are strained. Two thirds of the most popular projects rely on one or two people only, meaning that most projects are limited by the so-called <a target="_blank" href="https://www.youtube.com/watch?v=WImJnCQhutc">truck factor</a>, which risks incapacitating parts of the IT supply chain. Worse still, more and more maintainers have officially said they quit. Whether due to reddit uproars or to other legitimate priorities, the fact is that we’re living through a form of disenchantment.</p>
<p>Some have developed new sponsorships to support their work, through platforms such as <a target="_blank" href="https://www.patreon.com/">patreon</a>. But that only concerns a few superstars or people willing to take the risk of spending most of their time on their project, including a large part on communication around the project. However interesting that is, it doesn’t seem to solve the real issues.</p>
<h3 id="the-tragedy-of-commons-is-under-optimal">The tragedy of the commons is suboptimal</h3>
<p>We actually fall into a situation well-known to economists (Nobel winner Elinor Ostrom in particular), under the label, <a target="_blank" href="http://conversableeconomist.blogspot.com/2018/12/tragedy-of-commons-50-years-later.html">tragedy of the commons</a>:</p>
<blockquote>
<p>For end users, Open Source projects are <em>public goods</em>; the shared resource is the <em>software</em>. But for Open Source companies, Open Source projects are <em>common goods</em>; the shared resource is the (potential) <em>customer</em>.</p>
</blockquote>
<p>This means we have <a target="_blank" href="https://dri.es/balancing-makers-and-takers-to-scale-and-sustain-open-source">makers and takers</a>, and currently no governance model able to provide the right incentives for cooperation at scale.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573552421/vatkchNmK.jpeg" alt="Makers and Takers, according to Dries Buytaert" /><em>Makers and Takers, according to Dries Buytaert</em></p>
<p>To many developers, this doesn’t seem either fair or sustainable. If we don’t find a solution, everyone will lose.</p>
<h2 id="what-comes-after-opensource">What comes after opensource?</h2>
<h3 id="behaviour-is-more-important-than-copyright">Behaviour is more important than copyright</h3>
<p>And so, Steve Klabnik poses an interesting question: <a target="_blank" href="https://words.steveklabnik.com/what-comes-after-open-source">what comes after opensource</a>? He posits that programmers are very much interested in the production process of software. Said differently, open sourcing is about behaviour, even more than it is about copyright. That could maybe, he argues, open the path to <strong>“Open Development Certified”</strong> programs, or even <strong>“Developer Unions”</strong>. I don’t see anything of the sort just yet, but it highlights the fact that there is a need for ecosystems that foster real collaboration.</p>
<h3 id="the-need-for-a-sustained-digital-infrastructure">The need for a sustained digital infrastructure</h3>
<p>Institutional support is probably critical to set incentives right. In short we need to treat opensource as a digital infrastructure. Nadia Eghbal wrote an interesting <a target="_blank" href="https://www.fordfoundation.org/work/learning/research-reports/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure/">report</a> in 2016, “<strong>Roads and Bridges</strong>: The Unseen Labor Behind Our Digital Infrastructure”, that highlights the challenges that remain true as we speak. The current pandemic crisis further demonstrates that our societies are highly dependent on internet networks and applications, both for leisure (e.g. streaming, gaming) and work (e.g. videoconferencing, telemedicine). It is the first time that we really see, at planet scale, how critical it has become to our resilience.</p>
<p><em>Addendum August 2020: “Working in Public: The Making and Maintenance of Open Source Software”, by Nadia Eghbal, provides additional insights on how opensource projects are organized.</em></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573554192/JhI9EXUyB.jpeg" alt="The 4 classes of opensource projects" /><em>The 4 classes of opensource projects</em></p>
<p>The digital infrastructure therefore becomes a much more strategic asset, worth being sustained and defended. In Europe in particular, the extreme dependence on foreign companies is currently being scrutinized. Most services aren’t designed with <strong>security in mind</strong>, despite growing fears around cyber threats, and the debates around Zoom have exemplified the issues for the general public. Opensource doesn’t make software more secure in itself, but at least it avoids security by obscurity and facilitates responsible disclosure policies, as shown by <a target="_blank" href="https://securitylab.github.com/">GitHub Security Lab</a> for instance. Just the fact that the code can be reviewed by independent security researchers, without the fear of legal issues, is already a big deal. My take is that companies would also greatly benefit from a more transparent approach, possibly avoiding “name and shame” (a huge reputational risk) by demonstrating a real commitment.</p>
<p>At the same time, the worrying surveillance trend is making opensource even more necessary, especially for building <strong>privacy blocks</strong> such as encryption technologies, where states themselves are likely to interfere.</p>
<h3 id="the-openness-extends-to-the-rest-of-the-supplychain">The openness extends to the rest of the supply chain</h3>
<p>The current crisis also calls for a redesign of supply chains in general, not limited to software. There’s room for open publication (especially for scientific articles), open standards, open protocols (e.g. blockchain), open data, open hardware (e.g. RISC-V), open design, and so on. That makes the issue both more important (as it spreads to full product life cycles) and more pressing. Otherwise, the same causes will lead to the same effects.</p>
<h3 id="what-about-large-companies">What about large companies?</h3>
<p>Despite being well-funded, they can’t do everything. Their shareholders actually demand a high return on investment, so <strong>it’s in their best interest to find a collaborative ground with smaller, more specialized projects, so that they don’t have to do everything by themselves</strong>.</p>
<p>For successful opensource projects such as redis, mongo and the like, providing infrastructure as a service is a different business. One could argue that part of their past success is also due to the fact that cloud providers embedded their product into their offering, enabling vast network effects. Even if their own investors logically push to get a larger piece of the cake, nothing proves it will work out as they expect. In effect, <strong>re-licensing is just an individual exit game strategy</strong> and doesn’t solve the systemic issue.</p>
<p>On the contrary, I would argue that it opens the path to legal disputes, as everyone comes up with a new licencing variant, whose impact reaches far beyond cloud companies. Take the example of <a target="_blank" href="https://zeebe.io/blog/2019/07/introducing-zeebe-community-license-1-0/">Zeebe</a> for instance (which implements BPMN-like workflows): “Users are not allowed to use Zeebe for providing a Commercial Workflow Service in the Cloud”, what the hell is that supposed to mean? Any software vendor providing an online workflow configuration tool based on their service would likely fall into the category, but it’s not 100% clear. Using non-opensource licences increases the risk of non-compliance with Yet Another Specific Licence, willingly or not. <strong>We lose all the signaling attached to well-known licence terms.</strong></p>
<p>Instead of a fight over licencing, there is therefore a way forward. A partnership in which cloud vendors would pay to support the integration and maintenance of opensource into their offering. Everyone remains focused on their core business proposal. <strong>However, this remains a case by case negotiation, and the power today clearly goes to the cloud vendor.</strong></p>
<p>That is why we need to institutionalize good practices.</p>
<h3 id="an-o-corp-movement-for-digital-commons">An O-Corp movement for digital commons?</h3>
<p>In short, I believe we need a new IP and cooperation regime. The blunt fact is that financing and re-financing is the crux of the matter. A solution will likely require:</p>
<ol>
<li><p>public and collaborative funding for core technological assets (development but also maintenance). This is what we start to see in critical infrastructure such as <a target="_blank" href="https://www.lfenergy.org/">energy</a> (already well accustomed to financing physical infrastructures and networks) or with cryptofunding (like <a target="_blank" href="https://gitcoin.co/landing">gitcoin</a> or <a target="_blank" href="https://psfoundation.cash/biz-plan/business-plan">psfoundation</a>);</p>
</li>
<li><p>coupled with private funding to develop products and the related business model linked to those core assets. Those companies, startups or incumbents, would be bound to partly refinance the open assets. The trust in the system could therefore be objectified with a sort of digital “credit score” (based on how much you refinance the digital infrastructure, in %).</p>
</li>
</ol>
<p>The good news is that there’s nothing revolutionary in the approach: it already exists when, for instance, one sub-licences a patent non-exclusively. We would have to expand it to the specific case of open licencing, in practice extending a mere membership (to a foundation) to include success fees. The investment (and return on investment) logic easily fits into the accounting and regulatory frameworks of large companies, while ensuring a longer term partnership with innovative projects. Of course, as I’m not a legal specialist, I’m sure it would be more complex than just saying it could work; there are probably many hurdles, so I’d love to discuss the idea with other people.</p>
<p>Participating in the commons would also make sense with regards to B-Corp movements, which already provide a legal framework that can be used directly today, in many countries. Beyond the financial commitment, it would give ground to a more general impact and community orientation. <strong>Why not an O-Corp movement, in which the participation in the open commons is a mission as meaningful as the main business objective?</strong></p>
<p>To conclude, I certainly don’t think I have the solution. Those are only preliminary thoughts, which I hope other people will find useful too. I’m open to the discussion.</p>
]]></content:encoded></item><item><title><![CDATA[A toxic potion worth 1 million dollars, 100 seconds before midnight]]></title><description><![CDATA[But only if you can demonstrate your intent to drink it.
The challenge (Kavka)
What will you do at midnight?

An eccentric billionaire places before you a vial of toxin that, if you drink it, will make you painfully ill for a day, but will not threat...]]></description><link>https://blog.fimbault.com/a-toxic-potion-worth-1-million-dollars-or-much-much-more-de33ee1e0419</link><guid isPermaLink="true">https://blog.fimbault.com/a-toxic-potion-worth-1-million-dollars-or-much-much-more-de33ee1e0419</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Mon, 13 Apr 2020 09:46:18 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573497941/AaGgUGlVD.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>But only if you can demonstrate your intent to drink it.</p>
<h2 id="the-challenge-kavka">The challenge (Kavka)</h2>
<p>What will you do at midnight?</p>
<blockquote>
<p><em>An eccentric billionaire places before you a vial of toxin that, if you drink it, will make you painfully ill for a day, but will not threaten your life or have any lasting effects. The billionaire will pay you one million dollars tomorrow morning if, at midnight tonight, you </em>intend<em> to drink the toxin tomorrow afternoon.</em>
<em>He emphasizes that you need not drink the toxin to receive the money; in fact, the money will already be in your bank account hours before the time for drinking it arrives, if you succeed. All you have to do is. . . intend at midnight tonight to drink the stuff tomorrow afternoon. You are perfectly free to change your mind after receiving the money and not drink the toxin.</em></p>
</blockquote>
<p>This problem was originally defined in 1983 by Gregory S. Kavka, as a thought experiment (called the toxin puzzle). Kavka had a great impact on contemporary moral and political philosophy (see a summary <a target="_blank" href="https://www.cambridge.org/core/books/rational-commitment-and-social-justice/introduction-the-moral-and-political-philosophy-of-gregory-kavka/1B48FFC2950072B9680404487FCABF91">here</a>).</p>
<h2 id="the-proposed-answer-and-its-interpretation">The proposed answer and its interpretation</h2>
<p>The interpretation of the paradox is as follows: can you intend to drink the toxin if you also intend to change your mind at a later time?</p>
<p>In the seminal paper, Kavka details:</p>
<blockquote>
<p>“You are asked to form a simple intention to perform an act that is well within your power. This is the kind of thing we all do many times every day. You are provided with an overwhelming incentive for doing so. Yet you cannot do so (or have extreme difficulty doing so) without resorting to exotic tricks involving hypnosis, hired killers, etc. Nor are your difficulties traceable to an uncontrollable fear of the negative consequences of the act in question — you would be perfectly willing to undergo the after-effects of the toxin to earn the million.” p.35
“It reveals that intentions are only partly volitional. One cannot intend whatever one wants to intend any more than one can believe whatever one wants to believe. As our beliefs are constrained by our evidence, so our intentions are constrained by our reasons for action.” p.36</p>
</blockquote>
<h2 id="the-impact-of-the-paradox-the-irrationality-of-nuclear-deterrence">The impact of the paradox: the irrationality of nuclear deterrence</h2>
<p>The puzzle has been used to evaluate the prudential and moral paradoxes of nuclear deterrence, since deterrence relies entirely on the fact that your enemies believe you have the intention to respond.</p>
<p>Which can be rephrased as such:</p>
<ol>
<li><p><strong><em>It is rational to threaten the enemy with nuclear retaliation, but it is not rational to put that threat into action (because you and your people will get destroyed too);</em></strong></p>
</li>
<li><p><strong><em>If it is not rational to put a threat into action, the threat itself is not rational.</em></strong></p>
</li>
</ol>
<p>(as proposed by David Gauthier, another specialist of Hobbes).</p>
<p>The conclusion is that logic is fun, but politicians are not following logic. They’re serious guys after all.</p>
<p>Even younger Trump said so, in the very influential Playboy magazine:</p>
<blockquote>
<p>I’ve always thought about the issue of nuclear war; it’s a very important element in my thought process. It’s the ultimate, the ultimate catastrophe, the biggest problem this world has, and nobody’s focusing on the nuts and bolts of it. It’s a little like sickness. People don’t believe they’re going to get sick until they do. Nobody wants to talk about it. I believe the greatest of all stupidities is people’s believing it will never happen, because everybody knows how destructive it will be, so nobody uses weapons. What bullshit.</p>
</blockquote>
<p><a target="_blank" href="https://www.playboy.com/read/playboy-interview-donald-trump-1990">https://www.playboy.com/read/playboy-interview-donald-trump-1990</a></p>
<p>Older Trump (now acting President…) decided that the US should further develop tactical nuclear weapons. Which makes the paradox much more likely to occur. Apocalypse now set to start in 100 seconds.</p>
<p><img src="https://cdn-images-1.medium.com/max/2000/1*Tw4Nz9SSpPa3RvsLTg4AWA.jpeg" alt="The doomsday clock, available at https://thebulletin.org/doomsday-clock/" /><em>The doomsday clock, available at <a target="_blank" href="https://thebulletin.org/doomsday-clock/">https://thebulletin.org/doomsday-clock/</a></em></p>
<p>Our survival is mostly threatened by nuclear arsenals and climate change. The rest, however painful, will actually look like a bucolic stroll in comparison.</p>
]]></content:encoded></item><item><title><![CDATA[We’re socializing the economy, and for the wrong reasons]]></title><description><![CDATA[Or what a fundamentally critical view of degrowth theory teaches you about the current crisis, and about capitalism in general.
I’m no degrowth fanboy, quite the opposite actually. Degrowth’s narrative usually starts by evoking a catastrophic threat,...]]></description><link>https://blog.fimbault.com/were-socializing-the-economy-but-for-the-wrong-reasons-f719dde2977c</link><guid isPermaLink="true">https://blog.fimbault.com/were-socializing-the-economy-but-for-the-wrong-reasons-f719dde2977c</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Fri, 10 Apr 2020 11:18:36 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573577285/waeZkVVyoX.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Or what a fundamentally critical view of degrowth theory teaches you about the current crisis, and about capitalism in general.</p>
<p>I’m no degrowth fanboy, quite the opposite actually. Degrowth’s narrative usually starts by evoking a catastrophic threat, or even a collapse, and many people firmly believe that covid-19 is a prefiguration of a climate catastrophe, that nature talks to us. Which is a very anthropomorphic view of the world. While I agree that systemic saturation is threatening the (supposedly) limitless growth trajectory, the degrowth theory seems to me depressing and unusable at scale.</p>
<p>It’s like hoping for a world of <strong>virtuous knight monks</strong>. Never going to happen in society at large. The world needs a change, but wishful thinking won’t help much. Modernity has never encouraged having more for having more, but having more for being better. And so, the <a target="_blank" href="https://en.wikipedia.org/wiki/Serge_Latouche">Latouchian</a> approach to change won’t help, just by trying to convince us that we need to have less. In its effects it’s like criticizing a tsunami or a cyclone.</p>
<p>As for the idea of big collapse, it’s of no more practical use, since if we believe in it, there’s no need to act: let’s just watch the last sunset.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573571732/GQCaVzUVf.jpeg" alt="What degrowth theory inspires me" /><em>What degrowth theory inspires me</em></p>
<p>Whatever your initial beliefs on the subject, you should have a look at <strong>Onofrio Romano</strong>’s book, <em>Towards a society of degrowth</em> (Routledge, 2019). An Italian professor of sociology at the University of Bari, he offers an original and profound critique of the conformism of the degrowth alternative. Which actually makes it much stronger, and resonates with the covid-19 and climate crises.</p>
<h2 id="the-birth-of-homo-crescens">The birth of homo crescens</h2>
<h3 id="the-individualization-of-the-subject">The individualization of the subject</h3>
<p>History is full of paradoxes. Marshall Sahlins has an amazing theory that the stone age was an “age of abundance” and that we, as modern humans, live in an “age of penury” (despite all our riches). In ancient civilizations, the individual belongs to a small circle, the family, the clan, the village, and doesn’t have a modern level of self-consciousness that makes him a fully discrete and autonomous entity. Around the 17th century, a fundamental change happens: due to the growth of food production and to the better general hygiene conditions, the mortality index decreases and the population rises (remember Malthus?). Traditional behavioral codes are unable to cope with the unheard-of necessities of the times. Society needs a new type of conformity, the inner-directed individual (Riesman, 1950). At the same time, a new public sphere emerges: the individual builds himself against the principles of social coerciveness.</p>
<h3 id="growth-is-only-a-symptom">Growth is only a symptom</h3>
<p>The Brahmanic tradition made a classification of man’s goals: pleasure (kama), interest (artha), duty (dharma) and dissipative liberation from all aims (moksha). But modern societies have mostly optimized for artha, self-interest and ultimately growth. Weber explained growth as one of the main distinctive features of modern western capitalism, unheard-of in the world’s history.</p>
<p>The early utilitarians, Bentham (1839) in particular, recognized the multiplicity of human values and goals. The shifting idea, however, is that the best of all possible worlds is the one that allows everyone to better pursue their own goals. The invisible hand described by Smith will do the rest. The individualized subject has to respond to a new set of binding injunctions, a rationalization of behavior. The newly created nation states provide central administrative institutions that “protect the individual against attacks, against a brutal use of physical force; but at the same time, the individual is forced, in his turn, to repress the explosion of his passions, the aggressive impulses against the other” (Elias, <em>Civilizing Process</em>, 1969). A new era of Cartesianism. The ideological genesis of need takes place. Economic usefulness becomes the universal ruling principle between nature and culture, and the fulfillment of the individual comes from the production and consumption of uses, potentially limitless. Pandora’s box has just been opened.</p>
<blockquote>
<h1 id="the-individual-released-from-any-collective-obligation-of-a-magic-or-religious-nature-freed-from-his-archaic-symbolic-or-personal-ties-finally-privatized-and-autonomous-defines-himself-by-an-objective-nature-transforming-activity-labor-and-by-the-destruction-of-useful-values-for-his-profit-needs-satisfactions-baudrillard-1972">The individual, released from any collective obligation of a magic or religious nature, “freed” from his archaic, symbolic or personal ties, finally “privatized” and autonomous, defines himself by an “objective” nature transforming activity — labor — and by the destruction of useful values for his profit: needs, satisfactions. (Baudrillard, 1972)</h1>
</blockquote>
<p>An important conclusion is that growth is the result of an historical and contingent process. A symptom of modern societies and individualization. An invisible downside of the “liberty, equality, fraternity” motto (or “let it be” if you’re more rock &amp; roll).</p>
<h2 id="the-defense-of-life-itself-regardless-of-the-meaning-of-life">The defense of life itself, regardless of the meaning of life</h2>
<p>We’re coming to the core of Romano’s critique. He makes the (somewhat surprising) claim that growth and degrowth are two sides of the same pattern. We’ll see that’s a consequential statement.</p>
<p>It makes degrowth alternatives a mere variation of the social imaginary of utilitarianism, and one that is way less enjoyable than our current standard of living. Who is ready to bet that people, the same ones who express an understandable need to change our model, will freely choose not to fly to paradisiacal locations for their next vacation after the containment is over? It’s too good to pass up (myself included, as I’m no monk).</p>
<p>The degrowth narrative is centered around the fact that growth is a threat to life. To survival. The preservation of living beings (from humans to whales, but still mostly centered on humans) appears such an obvious goal that it is not questioned. The covid-19 crisis exemplifies the strength of that idea, beyond what anyone would have thought even a month ago. <strong>Who would have imagined a massive economic shutdown, at planet scale? It’s not an obvious move. The IMF, the FED, the ECB are not exactly known for their anti-globalization or environmental activism. The fact that even Trump, despite his initial (and now recurring) wavering, accepts the containment should make historic headlines.</strong></p>
<p>The defense of life for life’s sake, regardless of and before any other issue, is launched as a value in itself, an indisputable moral imperative, that does not need justification whatsoever. And by doing so, we fall into the trap of anti-abortion extremists (who prefer to call themselves pro-life). This defense comes deep from the neutralitarian root of utilitarian philosophy. Modernity demands that political power (and even more so for populists) never interfere with the existential individual project:</p>
<blockquote>
<h1 id="our-era-no-longer-supports-failure-neither-offense-nor-obstacles-from-enlightenment-who-thought-that-happiness-on-earth-was-possible-we-went-to-the-imperative-of-being-happy-the-coronavirus-is-a-stroke-of-fate-experienced-as-an-offense-bruckner">Our era no longer supports failure, neither offense, nor obstacles. From Enlightenment, who thought that happiness on earth was possible, we went to the imperative of being happy. The coronavirus is a stroke of fate experienced as an offense. (Bruckner)</h1>
</blockquote>
<p>This better explains our current decision making process. Politics cannot but have a function of mere guarantee for preservation (life for life’s sake) or better, for cultivation (growth for growth’s sake) of the organic life of citizens. Yet, a country is really democratic only if it debates sense and if it allows for a collective idea of what a “good society” is. It is not democratic if all that it does is bend to the only goal of preserving one’s own existence.</p>
<h2 id="why-survive-the-theory-of-depense-bataille">Why survive? The theory of “dépense” (Bataille)</h2>
<p>And so Romano asks: why survive? His answer is grounded in Georges Bataille’s theory of dépense. I won’t explain it in detail here, because it’s really different from classical economic and environmental thinking and would require a proper analysis. Romano warns us: we shouldn’t stop at the existentialist controversies that surround Bataille, because his thinking is properly revolutionary (in the Galilean sense). It runs counter to common sense.</p>
<p><strong>For Bataille, the issue is not that we don’t have enough resources. It’s that we have too much (the sun provides unbelievable amounts of energy). We don’t know how to spend the surplus (at least we don’t know how to do it well). This is an attempt to link the general economy to energy dissipation, while neoclassical thinking makes as if thermodynamics did not exist.</strong></p>
<p>Ancient societies spent that surplus in sacrifices or in glory, in religious asceticism or festivities, in war or in peace. If we fail in how we use it, we are unable to create the meaning of our life. We are merely a biological machine whose movement has no destination.</p>
<h3 id="economic-theory-needs-a-reboot">Economic theory needs a reboot</h3>
<p>Romano spends the rest of the book explaining how to rethink degrowth in the light of dépense, arguing for a verticalization of society to counter radical individualization. I will leave that to the interested reader. This opens up groundbreaking economic re-theorizing.</p>
<h2 id="what-to-do-next-climact-up">What to do next? (ClimAct Up)</h2>
<h3 id="were-pouring-money-in-vain-because-it-lacks-meaning">We’re pouring money in vain, because it lacks meaning</h3>
<p>One way is to simply observe a type of verticalisation (or socialisation, that could be debated) of the economy. It is happening now, due to covid-19. But I would argue that once again, we do it for the wrong reasons. We are simply coping with our usual bias: individualization and life for life’s sake.</p>
<p>The strategy works only as an artificial breathing device in order to keep the now-exhausted model of society alive.</p>
<p>So we should collectively aim for a higher, more meaningful goal. In that respect, <strong>Mark Alizart</strong> provides an interesting essay, <em>the climate coup</em> (“Le coup d’état climatique”, in French) that complements Romano’s ideas. His central thesis is that “carbofascists” are destroying the planet on purpose, for their own interest. While there’s no proof of what he describes (one could argue that they’re just stupidly blind to the facts and prefer the selfish joys of leaving the environmental burden to future generations), the rest of the book is more interesting, and calls for collective combat. What he calls a green army, with much more ambition and sense of urgency than today’s limited mitigation strategies.</p>
<blockquote>
<h1 id="if-we-had-fought-the-hole-in-the-ozone-layer-by-inviting-people-to-stop-using-fridges-we-would-all-be-dead-by-now-philips">If we had fought the hole in the ozone layer by inviting people to stop using fridges, we would all be dead by now. (Philips)</h1>
</blockquote>
<h3 id="the-fight-against-climate-change-needs-a-clausewitz-not-a-bossuet">The fight against climate change needs a Clausewitz, not a Bossuet</h3>
<p>Alizart calls for a strategy similar to what ActUp did to fight AIDS — well pictured in the amazing film <a target="_blank" href="https://fr.wikipedia.org/wiki/120_battements_par_minute">“120 battements par minute”</a> — , in a pretty convincing way (modulo some details). Any real change requires:</p>
<ol>
<li><p>A <strong>common front to unite people </strong>(and that’s why he thinks it’s important to name enemies, but Romano’s ideas could serve just as well).</p>
</li>
<li><p><strong>Technology</strong>, to trigger a balance of power (akin to what Marxists did in their time, albeit at great damage for the environment). As controversial as it may sound, even contemplating the prospects of geo-engineering!! (a very dangerous all-in option, and all things weighed, nuclear fusion seems a much better alternative), his point is more argumentative: ecologists (as Marxists in their time) don’t need to be convinced that these technologies will solve the problem, but science serves as a medium for a directed state of emergency. This is the Apollo mission of our time.</p>
</li>
<li><p><strong>Hope</strong>, because why would we put so much effort to get a soft apocalypse variant? Any alternative that gives less enjoyable prospects than our current state of affairs is doomed to fail.</p>
</li>
</ol>
<p>Since the USSR was no haven, there remains the central question of how this fight can be made compatible with democracy, and even how it can become its very cornerstone. A great challenge that should focus our attention.</p>
<p>If we really want change for whatever comes next, we need to completely reframe our economic thinking, for a more credible path to fight climate change and pandemics. Politicians (in the noble sense of the term) need to regain their predominance, finding concrete alternatives where normal politization has failed. We’re already committed to spending trillions of dollars and euros over covid-19, we might as well start acting like the scale of the climate issue we’re facing needs to be taken seriously. Even if that seems crazy to our classical self.</p>
<p>Sources :</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573573875/rZZjWxZib.jpeg" alt="Onofrio Romano, Towards a society of degrowth, 2019, Routledge" /><em>Onofrio Romano, Towards a society of degrowth, 2019, Routledge</em></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573575564/95TNPWwG_.jpeg" alt="Mark Alizart, Le coup d’état climatique, 2020, Presses Universitaires de France" /><em>Mark Alizart, Le coup d’état climatique, 2020, Presses Universitaires de France</em></p>
]]></content:encoded></item><item><title><![CDATA[Risk is an analysis, Resilience is a verb.]]></title><description><![CDATA[These two related concepts are fundamentally different, and complementary. I use them in my work in cybersecurity, but the current crisis better illustrates the point for the general public.
How can we mitigate the damages from the next pandemic?
Thi...]]></description><link>https://blog.fimbault.com/risk-is-an-analysis-resilience-is-a-verb-4aae6ccd7f16</link><guid isPermaLink="true">https://blog.fimbault.com/risk-is-an-analysis-resilience-is-a-verb-4aae6ccd7f16</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Thu, 09 Apr 2020 11:21:01 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573488517/9hkC3UIOE.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>These two related concepts are fundamentally different, and complementary. I use them in my work in cybersecurity, but the current crisis better illustrates the point for the general public.</p>
<h3 id="how-can-we-mitigate-the-damages-from-the-next-pandemic"><strong><em>How can we mitigate the damages from the next pandemic?</em></strong></h3>
<p>This is a <strong>risk question</strong>, one that is typically studied by the likes of WHO and re-insurers. It requires the estimation of future probability and the likelihood that it will spread up to a point where it will damage the emergency response. A risk assessment results in recommendations to mitigate these potential impacts (whether they are followed is another story, because resource allocation is hard in the face of rare and extreme events).</p>
<p>The main use of risk, as an assessment, is therefore to help rank policies either in time or resource cost. It’s important to understand that there is no standard measure of either probability or likelihood, so it’s only possible to compare your own estimates with each other, not with those of others, except in very specific cases (the most prominent of which are financial markets, designed around the concept of “risk neutral measures”). This view goes against the popular but meaningless wisdom that risk is “the effect of uncertainty on objectives” (which is the NIST definition of cyber risk). It’s not uncertainty that affects objectives but incidents whose occurrences are uncertain.</p>
<h3 id="what-do-we-do-when-we-have-a-pandemic"><strong><em>What do we do when we have a pandemic?</em></strong></h3>
<p>This is a <strong>resilience question</strong>, one that is typically dealt with by emergency responders (but we are now all facing it). The answer focuses attention on understanding how pandemics are sensed, anticipated, responded to, and learned from. The objective is to enhance these actions during disasters, knowing that you act in a complex and conflicted world (for instance having to deal both with sanitary and economic impacts), well beyond your comfort zone. It may seem counterintuitive, but real experts, despite being the most prepared, don’t say: “recent events have proven that I was right all along”. Instead, they actively <strong>build/sense/respond/learn</strong> to make sense of what is really going on and deal with the situation.</p>
<p><img src="https://cdn-images-1.medium.com/max/2000/1*QX-6gpwbIDDppjUlUi6brw.png" alt="Source: http://andrewzolli.com/the-verbs-of-resilience/" /><em>Source: <a target="_blank" href="http://andrewzolli.com/the-verbs-of-resilience/">http://andrewzolli.com/the-verbs-of-resilience/</a></em></p>
<p>Pr. David Woods, a famous scholar in the field, has made a great <a target="_blank" href="https://drive.google.com/drive/u/0/folders/1Z1fPSMLXksWjhrmS2gvRLh2RVQgEnrLR">summary</a> of what that means for covid19, in 10 points, which I reproduce here to illustrate (in a form I edited to keep it concise, but you can read the full papers).</p>
<h2 id="what-matters-when-we-are-in-the-middle-of-evolving-covid-19-pandemic-david-woods">What Matters When We are in the Middle of Evolving Covid-19 Pandemic? (David Woods)</h2>
<ol>
<li><p>The pandemic consists of a rolling <strong>series of outbreaks</strong> across the world which provides opportunities to anticipate, learn, adapt, and build capabilities for areas later in the series. Learning, adapting and acting effectively leads to reduction in excessive deaths. All have roles to play to accomplish this.</p>
</li>
<li><p>Keeping pace at scale: it’s all about matching two rates: <strong>challenge </strong>(get transmission rate below 1) <strong>and response </strong>(capacity to deal with hospitalization)</p>
</li>
<li><p><strong>When mismatched, outcomes are worse</strong> — excessive deaths = ratio of fatalities experienced in a given jurisdiction relative to the best performing jurisdictions. Doing well at matching the two rates reduces excessive deaths. How much? This is hard to know when you are in the middle of the crisis. My estimates are 4x to over 10x. This drives the moral issues (#9).</p>
</li>
<li><p><strong>Anticipation paradox</strong>: effective counter measures require action in advance of the direct experience of tangible harm, but the ability to engage/mobilize/generate the response mechanisms can be limited without tangible harm.</p>
</li>
<li><p><strong>Approaching overload: </strong>anticipating how medical systems can be overwhelmed and act to generate and mobilize new forms of deployable capabilities. Failure to do so increases excessive deaths ratios.</p>
</li>
<li><p><strong>New forms of coordination at new scales</strong> are required to respond effectively.</p>
</li>
<li><p>The global scale of the Covid-19 challenges has <strong>shocked the as-is system</strong>. The scale of the challenge reveals how the obsessive pursuit of optimality has undermined sources of resilient performance resulting in severely brittle societies.</p>
</li>
<li><p><strong>Solidarity</strong>. Everyone is on the scene of the crisis and therefore at risk. Everyone is an actor in the evolving outbreaks. Everyone’s actions affect the ability to minimize excessive deaths. Promoting social solidarity to pull together is part of responding to the challenge over time event, though the significant time delays in the disease processes make this difficult. Efforts to synergize social solidarity go well beyond epidemiological simulations that project the scale of infections, overload, and fatalities.</p>
</li>
<li><p><strong>Can you do something to make a difference? </strong>Where making a difference means reducing excessive deaths and supporting the people near or on the front lines who care for the sickest victims. If you can, then there is a moral imperative to act to make that difference.</p>
</li>
<li><p><strong>What allows societies to move or bounce forward as the pandemic resolves? </strong>We [Tom Seager, Dave Alderson and David Woods] are proposing four criteria for societies to relax restrictions (each of these needs to operate at very large scale).</p>
</li>
</ol>
<p><em>Criteria 1: do you have the testing infrastructure to test/track/isolate as new cases emerge that could become new hotspots?</em></p>
<p><em>Criteria 2: do you have the ability to ramp up care capacity to provide treatments for all who become seriously ill, while still providing care for others?</em></p>
<p><em>Criteria 3: can you provide safe and effective treatments to promote recovery for patients seriously ill from Covid-19?</em></p>
<p><em>Criteria 4: have you created the ability to build immunity and assess immunity in the population through antibody testing and vaccines?</em></p>
]]></content:encoded></item><item><title><![CDATA[Data isn’t the new oil. And we should be careful.]]></title><description><![CDATA[We’re all the rage with big data and its potential. But data might actually be the new CO2, as previously analyzed in a Luminate blog post. Recently, the covid19 crisis adds more surveillance risks, as described by Yuval Harari. The European regulato...]]></description><link>https://blog.fimbault.com/data-isnt-the-new-oil-and-we-should-be-careful-a5be67cd41b9</link><guid isPermaLink="true">https://blog.fimbault.com/data-isnt-the-new-oil-and-we-should-be-careful-a5be67cd41b9</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Tue, 07 Apr 2020 14:30:28 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573566023/iganPlR1a.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>We’re all the rage with big data and its potential. But data might actually be the new CO2, as previously analyzed in a Luminate blog post. Recently, the covid19 crisis adds more surveillance risks, as described by Yuval Harari. The European regulator has declared the situation changes drastically:</p>
<blockquote>
<p>We could not even imagine that reasonable people would start asking internet &amp; telecom operators to possibly track each and every person in Europe using his or her mobile location data in real time, and to create a diagram representing all physical interactions between people. — <strong>Wojciech Wiewiórowski</strong></p>
</blockquote>
<p>Privacy is a fundamental but not absolute right. Interferences may be justified when (and only when) prescribed by law, necessary to achieve a legitimate aim, and proportionate to that aim. In the current situation the legitimate aim is to limit the spread of a contagious disease, until we get a cure.</p>
<p>The proportionate requirement is more complex, especially in emergency situations during which we don’t have time for careful design and evaluation. I would argue that the legitimate aim can just as well be achieved through other means (in short, humanity didn’t wait for iPhone and Android to fight pandemics, and pedagogy is a safer bet than technology-controlled behaviour). Most backtracking applications, even if they claim anonymization, cannot technically ensure it is completely safe (of course it depends on the types of data and the methods used). Re-identification is usually possible (see, as examples, those two articles in <a target="_blank" href="https://www.nature.com/articles/s41467-019-10933-3">nature</a> and <a target="_blank" href="https://thehackernews.com/2020/04/deanonymize-device-biometrics.html">arxiv</a>).</p>
<p>The rest of the article is geared more specifically towards the specific data use made by Big Techs. Before the current pandemic crisis, 2 important books were published in 2019, that anyone should know and which complement each other:</p>
<ul>
<li><p><strong><em>The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power,</em> by Shoshana Zuboff</strong></p>
</li>
<li><p><strong><em>Between Truth and Power: The Legal Constructions of Informational Capitalism, </em>by Julie E. Cohen</strong></p>
</li>
</ul>
<p>In case you don’t read till the end, data is not oil but a product of social creation. As a citizen, you should care, as your current choices will shape the future.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573560821/QRNY07B3g.jpeg" alt /></p>
<p>The first book, based mostly on the analysis of Google and Facebook, provides some insightful descriptions of what the author, a professor in sociology at Harvard, calls <strong>“surveillance capitalism”</strong> and how that constitutes a threat to democracy. The meteoric rise of Google in the aftermath of 9/11 is well explained: from one amongst many search engines that existed in the early internet, the breakthrough came from the adwords business model.</p>
<blockquote>
<p>Google’s unique auction methods and capabilities earned a great deal of attention, which distracted observers from reflecting on exactly what was being auctioned: derivatives of behavioral surplus [and Zuboff spends a great deal of effort explaining how this is different from the traditional argument “<a target="_blank" href="https://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/">If You’re Not Paying For It, You Become The Product</a>”]</p>
</blockquote>
<p>Probably everyone knows about 1984 and Big Brother. Zuboff reminds us of another pre-apocalyptic novel, Walden Two, written by a Harvard scholar named Skinner in 1948, as an illustration of what behaviorism could achieve: automate us. Only this has come true, she argues. Thanks to the vast troves of geolocated data about their users, games such as Pokemon Go actually change our behavior, without us even noticing (the Arte mini-series “<a target="_blank" href="https://www.arte.tv/fr/videos/RC-017841/dopamine/">Dopamine</a>” was also very good on the subject). According to Zuboff, technologies and apps provided by GAFAs are diffusing a sort of muted and sanitized tyranny.</p>
<p>A good and lengthy critique of the book has been provided by <a target="_blank" href="https://perma.cc/B2CY-R46T">Evgeny Morozov</a>. A relevant issue is that the alternative theories are not discussed and her proposed solutions fall short of the challenge.</p>
<p>But what is really disturbing is when esteemed intellectuals don’t put their money where their mouth is. Like in a recent interview to the Italian newspaper <em>La Repubblica</em>:</p>
<p><img src="https://cdn-images-1.medium.com/max/2194/1*e3KUM5Njl6Gq3yjWtVbQRw.png" alt="Source: https://rep.repubblica.it/pwa/intervista/2020/04/09/news/shoshana_zuboff_altro_che_privacy_le_app_per_il_controllo_della_pandemia_devono_essere_obbligatorie_come_i_vaccini_-253587046/" /><em>Source: <a target="_blank" href="https://rep.repubblica.it/pwa/intervista/2020/04/09/news/shoshana_zuboff_altro_che_privacy_le_app_per_il_controllo_della_pandemia_devono_essere_obbligatorie_come_i_vaccini_-253587046/">https://rep.repubblica.it/pwa/intervista/2020/04/09/news/shoshana_zuboff_altro_che_privacy_le_app_per_il_controllo_della_pandemia_devono_essere_obbligatorie_come_i_vaccini_-253587046/</a></em></p>
<p>Of all people, Zuboff setting aside privacy issues and advocating for mandatory pandemic tracking (whatever you as a reader think of it), is really dissonant. The defense can’t be conditional on the type of dystopia. Whether the risk is big tech or big brother, the discourse should not change:</p>
<blockquote>
<p>I need privacy. Not because my actions are questionable, but because your judgment and intentions are.</p>
</blockquote>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573564241/6033OYLlp.jpeg" alt /></p>
<p>Whatever the limitations, the analysis of how our self may get lost in the process is worth a read. Zuboff tends to present Google as a nearly omnipotent entity that will prevail no matter what, which is not true. Google is well known for many failures, as illustrated by the <a target="_blank" href="https://gcemetery.co/">failed products cemetery</a>. The Google we know today could be better, yet it is no evil.</p>
<p>But Google is damn powerful in its capability to drive change not only in technology but also in law and society, and sets the tone for the rest of the industry. Likewise, data hunger has become a widespread business strategy.</p>
<p>Cohen’s book explains better the power effects at play:</p>
<blockquote>
<p>The bigger problem with Zuboff’s account is that her fixation on threats to our autonomy screens out broader and arguably more important problems of private power in the information age — for example, the ways in which network effects feed platform power, informationalism generates winner-take-all dynamics, and digital technology has impacted labor — Amy Kapczynski</p>
</blockquote>
<p>Zuboff also claims that surveillance capitalism is built on “lawlessness”, due to legal conditions that users of the platforms cannot comprehend or even read. Of course, law experts such as Julie E. Cohen provide much more insight into the matter. Amy Kapczynski gives a more thorough analysis in <a target="_blank" href="https://www.yalelawjournal.org/review/the-law-of-informational-capitalism">the Yale Law Journal</a>, and since I won’t do any better, the best is to just point to it. I believe it is of particular importance to the European reader, less familiar with the institutional settlements largely driven by the US legal system (where the largest software companies are headquartered).</p>
<h2 id="the-path-towards-regulating-big-tech">The path towards regulating Big Tech</h2>
<p>As Big Tech keeps using their current demand and social glow to lobby against regulation, for better or worse, building an intellectual framework to better grasp the challenges is a critical requirement. Ideally leading to actionable insight, as done in the <a target="_blank" href="https://www.arcep.fr/fileadmin/reprise/communiques/communiques/2019/pdf/Big-Tech-Regulation_MediumSSo-avril2019.pdf">proposal of Sebastien Soriano</a>, the head of French regulatory agency ARCEP.</p>
<p>The European Commission is considering imposing legal obligations on <a target="_blank" href="https://www.reuters.com/article/eu-tech-breton-idUSB5N28M01I">gatekeepers</a> of digital platforms to remedy or prevent “commercial imbalances”. This includes Digital IDs — as customers using a single ID to login to a range of unrelated 3rd-party services could be locked in. “Restrictions or separations of digital ID services from platforms’ commercial operations may be necessary”. That would be a game changer.</p>
<p>There are now movements that support that change at scale. The <a target="_blank" href="https://societycentered.design/">society centered design</a> manifesto is worth a read (and a sign). Ethan Zuckerman, an academic researcher at UMass, has also recently announced his focus on making proposals for <a target="_blank" href="https://knightcolumbia.org/content/the-case-for-digital-public-infrastructure">public digital infrastructures</a>, which is a subject I have discussed from an opensource viewpoint in another <a target="_blank" href="https://medium.com/@fimbault/open-software-needs-a-new-manifesto-8174cf7e1bbd">blogpost</a>.</p>
]]></content:encoded></item><item><title><![CDATA[Should I stake? Or should I wait?]]></title><description><![CDATA[Proof of stake (PoS) is a hot topic in the blockchain community. But will it work out as expected?
A short primer on consensus history
Why would we need Proof of Stake consensus algorithm, instead of Proof of Work? In short, the answer is two-fold : ...]]></description><link>https://blog.fimbault.com/should-i-stake-or-should-i-wait-618e889bcddd</link><guid isPermaLink="true">https://blog.fimbault.com/should-i-stake-or-should-i-wait-618e889bcddd</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Thu, 20 Dec 2018 17:57:35 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573585556/Tn9J8gAvq.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Proof of stake (PoS) is a hot topic in the blockchain community. But will it work out as expected?</p>
<h2 id="a-short-primer-on-consensus-history">A short primer on consensus history</h2>
<p>Why would we need Proof of Stake consensus algorithm, instead of Proof of Work? In short, the answer is two-fold : scalability and resource-efficiency.</p>
<p>For a more elaborate answer, let’s start with a quick look backward on distributed computing. Consensus is one of the most important goals to be achieved when many distributed computers share the same task and resources.</p>
<blockquote>
<p>What’s a distributed system? You know you have one when the crash of a computer you’ve never heard of stops you from getting any work done — Leslie Lamport</p>
</blockquote>
<p>Why is it so hard to achieve an efficient distributed system?</p>
<ul>
<li><p>absence of shared clock: it is impossible to synchronize the clocks of different computers precisely due to uncertainty in communication delays between them. Things like timestamping a digital document are therefore quite complex behind the scenes.</p>
</li>
<li><p>absence of shared memory: one has to solve a problem in terms of processes that individually have only a partial knowledge of the parameters associated with the problem. Each of the cooperating processes cannot have instantaneous knowledge of the current state of the other processes.</p>
</li>
<li><p>absence of accurate failure detection: it is impossible to distinguish between a slow processor and a failed processor.</p>
</li>
</ul>
<h3 id="step-1-classical-consensus-for-permissioned-networks">Step 1 : classical consensus (for permissioned networks)</h3>
<p>The challenges are well-known in the computing literature. Major authors <a target="_blank" href="https://amturing.acm.org/award_winners/lamport_1205376.cfm">Leslie Lamport</a> and <a target="_blank" href="https://amturing.acm.org/award_winners/liskov_1108679.cfm">Barbara Liskov</a> received a Turing award due to their work on the subject. I would recommend the book from Vijay K. Garg, <em>Elements of Distributed Computing</em>, as a primer of the subject. Classical consensus algorithms offer quick finality and a set of guarantees for transactions that typically work well for a permissioned environment, where you know all the participants (typically for the range 10–1000).</p>
<h3 id="step-2-satoshi-for-publicopen-networks">Step 2 : Satoshi (for public/open networks)</h3>
<p>Then came the famous (yet still unknown) Satoshi in 2008 with the bitcoin:</p>
<blockquote>
<p>We have proposed a system for electronic transactions without relying on trust — Satoshi</p>
</blockquote>
<p>The protocol can scale to a large number of nodes and unknown participants (a public network), using the so-called proof of work (PoW). This algorithm uses the mining power of computers to solve complex mathematical puzzles, in order to establish a difficult-to-forge timestamping scheme.</p>
<p>Remember that as part of a public blockchain, anyone is free to create their own node. Thus, each of these nodes is anonymous and must be considered as “untrusted” and not secure. The consensus mechanism must mitigate the possibility of <a target="_blank" href="https://en.wikipedia.org/wiki/Denial-of-service_attack">DDoS </a>(denial of service) or <a target="_blank" href="https://en.wikipedia.org/wiki/Sybil_attack">Sybil </a>attack.</p>
<blockquote>
<p>A Sybil attack consists in bypassing the reputation system of a peer-to-peer network by creating a large number of identities and using them to have a disproportionate influence.</p>
</blockquote>
<p>To solve this issue, the idea is to make a replicated database with easy validity checks but difficult writes that require a sufficiently hard computing task (called mining) to be solved. Transactions get appended in blocks, chained together (the so-called blockchain). And so on, forever…</p>
<p>Later on, should an attacker wish to forge this history of transactions, they would have to redo the complete succession of expensive computing tasks, which is therefore prohibitive.</p>
<p>In practice, bitcoin has been designed as a crypto-currency, without requiring any permissioning of participants. Now you even have services like <a target="_blank" href="https://cryptopay.me/">Cryptopay</a>, <a target="_blank" href="https://www.bitwala.com/">Bitwala </a>or <a target="_blank" href="https://wirexapp.com/">Wirex </a>to make payments in fiat or crypto. Nice job! Ethereum subsequently realized the value of the underlying technology and applied the same consensus algorithm and blockchain datastructure, as a kind of supercomputing device (providing the so-called smart contracts).</p>
<p>Beyond bitcoins, there are many benefits in having public blockchains. For instance, if you are making an open identity provider such as <a target="_blank" href="https://lifeid.io/">LifeId</a>, it’s better to rely on an infrastructure that is not subject to any organisation’s goodwill. Snowden is probably the best <a target="_blank" href="https://www.aclu.org/blog/privacy-technology/internet-privacy/edward-snowden-explains-blockchain-his-lawyer-and-rest-us">explainer </a>on this.</p>
<p>However these benefits came with hidden costs, in particular:</p>
<ul>
<li><p>Bitcoin is slow: users have to wait several minutes before they get confirmation that their transaction is stored on the chain.</p>
</li>
<li><p>Throughput is also very limited. Bitcoin can process about 7 transactions per second which is not much compared to VISA for instance.</p>
</li>
<li><p>The mining consumes an enormous amount of energy (currently 42 TWh/y, ~a few nuclear plants, according to <a target="_blank" href="https://digiconomist.net/bitcoin-energy-consumption">https://digiconomist.net/bitcoin-energy-consumption</a>), corresponding to 450 kWh for each transaction (roughly equivalent to 1.5 years of what your fridge consumes…).</p>
</li>
<li><p>The size of the blockchain only grows, requiring more storage. Currently it takes around 120G.</p>
</li>
<li><p>The decentralized ethos is challenged by reality, since mining power is centralized in a few facilities.</p>
</li>
<li><p>There’s also the challenge of transaction privacy, partially solved with the likes of <a target="_blank" href="https://www.getmonero.org/">Monero </a>and <a target="_blank" href="https://z.cash">Zcash</a>.</p>
</li>
</ul>
<p>People have been working on improvements to the protocol to solve some of those issues:</p>
<ul>
<li><p>second layer payment channels such as <a target="_blank" href="https://lightning.network/">https://lightning.network</a> increase the throughput, allowing for cheaper and faster micropayments.</p>
</li>
<li><p><a target="_blank" href="http://kadena.io/docs/chainweb-v15.pdf">chainweb </a>is implementing a new architecture for interconnected PoW networks that would be able to scale to 1000s of transactions per second. Likewise, sharding networks is a usual suspect in many other projects to improve scalability.</p>
</li>
<li><p>some solutions for useful mining have been devised, such as <a target="_blank" href="https://filecoin.io/">filecoin</a> or this <a target="_blank" href="https://eprint.iacr.org/2017/751.pdf">interesting research paper</a> to reduce the size of the chain.</p>
</li>
</ul>
<p>Yet, despite all the benefits, it all seems like fixes on a broken wheel, somehow. At least from an energy perspective.</p>
<h2 id="pos-to-the-rescue">POS to the rescue?</h2>
<p>Alleluia, Proof of Stake (POS). The idea is to replace mining with an alternative that scales more easily, provides quick finality and doesn’t need to spend so much energy. Instead, let’s ask some validators to vote.</p>
<p><img src="https://cdn-images-1.medium.com/max/3020/1*ujZHLLGP-AQNyXonv0OftA.png" alt="Source: https://blockgeeks.com/guides/blockchain-consensus/" /><em>Source: <a target="_blank" href="https://blockgeeks.com/guides/blockchain-consensus/">https://blockgeeks.com/guides/blockchain-consensus/</a></em></p>
<p>There are many teams currently experimenting with variants of this scheme (the list is not exhaustive and I do not intend to compare them here; it’s just to give an idea of this very active space):</p>
<ul>
<li><p>Ethereum 2.0 and <a target="_blank" href="https://www.rchain.coop/">RChain</a> – Casper proof of stake (POS)</p>
</li>
<li><p><a target="_blank" href="https://zilliqa.com/">Zilliqa</a> – hybrid POW/POS</p>
</li>
<li><p><a target="_blank" href="https://www.thundercore.com/">Thunder</a> – POS with POW fallback</p>
</li>
<li><p><a target="_blank" href="https://cosmos.network/">Cosmos</a> – based on Tendermint’s delegated proof of stake (DPOS)</p>
</li>
<li><p><a target="_blank" href="https://polkadot.network/">Polkadot</a> – provides a framework called substrate to build blockchains, including POS variants (tendermint like or proof of authority)</p>
</li>
<li><p><a target="_blank" href="https://tezos.com/">Tezos</a> – liquid proof of stake (a variant of DPOS)</p>
</li>
<li><p><a target="_blank" href="https://eos.io/">EOS</a> – a DPOS variant</p>
</li>
<li><p><a target="_blank" href="https://dfinity.org/">Dfinity</a> – threshold relay + probabilistic slot consensus</p>
</li>
<li><p><a target="_blank" href="https://www.algorand.com/">Algorand</a> – byzantine agreement with leader election</p>
</li>
</ul>
<p>Their common feature is to require some actors to stake funds in order to validate transactions.</p>
<p>So, problem solved? Not quite, I believe.</p>
<p>One issue is more philosophical. How can staking, which means giving power to the rich (or as per Tezos’ quote of Proudhon, “<em>Laissez faire les propriétaires</em>”), be compatible with decentralized networks? I will probably come back to this in a future post, but it seems rather antinomic with the very goals of having a blockchain in the first place.</p>
<p>But there is a much stronger practical argument. One interesting insight comes from the ChainWeb whitepaper (it’s interesting to remember that the team has a past at the SEC):</p>
<blockquote>
<p>A potentially graver problem with PoS is the risk to the continued legal functioning of cryptocurrencies as predicated on the probabilistic censorship-resistance of the original PoW design, a feature that PoS designs fundamentally sacrifice by requiring distinct actors to stake funds in order to validate transactions. The exemption of money-transmitter (MTA) regulation to PoW miners (at least in the United States) stems directly from the probabilistic nature of confirmation and the lack of distinct rights for a given miner in the system: no single miner can be seen as confirming any transaction, since blocks must accumulate toward some indefinite confirmation depth, and no unique miner has the ability to influence the acceptance of a given transaction over any other.
MTA regulations will easily apply to any staking design that designates distinct parties who participate in the deterministic confirmation of a given transaction. A possible solution creates a PoS safe harbor like those found elsewhere [like <a target="_blank" href="http://digital-law-online.info/lpdi1.0/treatise33.html">DMCA</a> safe harbors] but would damage the egalitarian blockchain ethos by requiring a central authority to ”erase” transactions.
<strong>We maintain that staking designs put validators at risk of being subject to money transmitter regulation and enforcement as their unique identity and funds are essential to the effectuation of transfers in the system.</strong></p>
</blockquote>
<p>I believe that’s a fair statement, and limitations would most probably apply elsewhere in the world too. We should remember that, beyond technological issues, there is also an external environment in which projects live, both for network governance and for business models. Regulation is a known <a target="_blank" href="https://www.linkedin.com/pulse/blockchain-investment-regulation-update-useurope-fabien-imbault/">issue</a> for blockchain networks.</p>
<p>So unless networks such as Ethereum are ready for deep scrutiny from regulators, POS might be more complex to deploy than initially thought.</p>
<h2 id="back-to-step-2-there-may-be-an-alternative">Back to step 2? There may be an alternative.</h2>
<p>As we’ve seen, consensus algorithms are a very active research topic. But I do think there’s a real and recent breakthrough.</p>
<h3 id="step-3-avalanche-for-publicopen-networks">Step 3: Avalanche (for public/open networks)</h3>
<p>Avalanche is a new algorithm that might just change the status quo. According to the paper from Team Rocket published in May 2018, it provides:</p>
<ul>
<li><p><strong>Low latency</strong>: tests in the paper were carried out with a quick finality of 2 seconds.</p>
</li>
<li><p><strong>Higher throughput</strong>: 1000–10,000 transactions per second depending on the adversarial scenario.</p>
</li>
<li><p><strong>More sustainable than POW</strong>: it doesn’t require miners.</p>
</li>
<li><p><strong>With an equalitarian role:</strong> more importantly, all participants are equal. There is no need for a leader or miners.</p>
</li>
</ul>
<p>As per FlatOutCrypto’s <a target="_blank" href="https://hackernoon.com/protocol-spotlight-avalanche-3f5dfd366a26">review</a> on the avalanche consensus algorithm:</p>
<blockquote>
<p><em>“The adversary model in this paper is incredibly strong. The adversary gets to see everyone that I communicated with, what they told me, and then gets to adjust his response accordingly. Real adversaries will not be this strong.</em>
<em>The statement that an adversary cannot interfere with communications allows the protocol to avoid having to make standard cryptographic assumptions for the consensus protocol. There’s no PKI. No reliance on crypto. This protocol is quantum-safe from the start.” (citing </em>Gün Sirer)</p>
</blockquote>
<p>So there are probably remaining issues or potential improvements and a more formal academic review would be welcome, but it is very promising. At least, that’s where I start.</p>
<p>I hope you’ll agree, even if consensus is notoriously hard to reach ;-)</p>
<h2 id="sources"><strong>Sources</strong></h2>
<h3 id="before-blockchain">Before blockchain</h3>
<p>S. Haber, W. S. Stornetta, <em>How to time-stamp a digital document</em>, Journal of Cryptology, January 1991, Vol. 3, Issue 2, pp 99–111, <a target="_blank" href="https://www.anf.es/pdf/Haber_Stornetta.pdf">https://www.anf.es/pdf/Haber_Stornetta.pdf</a></p>
<p>Masashi Une, <em>The security evaluation of time stamping schemes : the present situation and studies</em>, IMES, Bank of Japan, 2001, <a target="_blank" href="http://www.imes.boj.or.jp/english/publication/edps/fedps2001_index.html">http://www.imes.boj.or.jp/english/publication/edps/fedps2001_index.html</a></p>
<p>V.K. Garg, <em>Elements of Distributed Computing</em>, Wiley, 2002</p>
<h3 id="since-blockchain">Since blockchain</h3>
<p>Satoshi, <a target="_blank" href="https://bitcoin.org/bitcoin.pdf">https://bitcoin.org/bitcoin.pdf</a></p>
<p>W. Martino, M. Quaintance, S. Popejoy, <em>Chainweb: A Proof-of-Work Parallel-Chain Architecture for Massive Throughput</em>, Draft v15, accessed on 20/12/2018, <a target="_blank" href="http://kadena.io/docs/chainweb-v15.pdf">http://kadena.io/docs/chainweb-v15.pdf</a></p>
<p>Team Rocket, <em>Snowflake to Avalanche: A Novel Metastable Consensus Protocol Family for Cryptocurrencies</em>, 2018, <a target="_blank" href="https://ipfs.io/ipfs/QmUy4jh5mGNZvLkjies1RWM4YuvJh5o2FYopNPVYwrRVGV">https://ipfs.io/ipfs/QmUy4jh5mGNZvLkjies1RWM4YuvJh5o2FYopNPVYwrRVGV</a></p>
<p><strong><em>Disclaimer: the post is a personal view and cannot be taken as investment advice in any projects.</em></strong></p>
]]></content:encoded></item><item><title><![CDATA[An introduction to programmer’s anarchy]]></title><description><![CDATA[An opinionated vision of how we should stop spending time on useless coordination strategies.
Project management sucks. Period.
We spend so much time trying to fix broken things that we often even forget what we’re trying to achieve.
Let me tell you so...]]></description><link>https://blog.fimbault.com/an-introduction-to-programmers-anarchy-13a4193cf1ee</link><guid isPermaLink="true">https://blog.fimbault.com/an-introduction-to-programmers-anarchy-13a4193cf1ee</guid><dc:creator><![CDATA[Fabien Imbault]]></dc:creator><pubDate>Wed, 12 Dec 2018 12:25:01 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1618573502538/me01_-Zyr.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>An opinionated vision of how we should stop spending time on useless coordination strategies.</p>
<p><strong>Project management sucks. Period.</strong></p>
<p>We spend so much time trying to fix broken things that we often even forget what we’re trying to achieve.</p>
<p>Let me tell you some personal stories. I’m an entrepreneur. I have been working on large scale IT projects for the biggest companies you probably can think of, for typical deal sizes of a few million euros. Oh boy, we spent so much time trying to figure out what to do using a mix of traditional V cycle (the big companies stuff, whatever they say about agility) and more agile methodologies (our stuff as a startup, right?).</p>
<p>More often than not, the large corporate customer includes many people in the loop: IT, security, business, legal, procurement, etc. Each of them has a specific mission and goal. They genuinely think their job is to de-risk the project. But in doing so, each layer adds more complexity and breaks your agile manifesto.</p>
<p>In the end that makes IT projects go south much more often than they should. It means we all go by the lengthy and old-school deliverable process and the customer always adds more exotic requirements and lowers the price. People work hard, spend time in meetings, write documents, review documents, review tasks and backlogs, test and complain, escalate issues in more meetings, ask for new project plans to adjust for delays, the customer does not provide the information needed, people complain about the last contingency plan, your sponsor gets bored, you get bored, your investors get bored. You just realized you lost several months of your life trying to reconcile demands that are mostly incompatible, when they even make sense. Most often, it also delays your sales. You make the most of your brilliant team to fix all of those issues, one after the other. But, day after day, it has become the opposite of agile, and that’s what I call delivering in pain.</p>
<p>Some of you might think that’s just because we did not use agile methods correctly. After all, project management done right should avoid all that. I don’t think so, I think it’s a more fundamental issue. This is happening pretty much everywhere where B2B is involved. Unfortunately, this happens even when the C-suite is well aware of the problem. The corporate superstructure wins over any goodwill, because organisations are not used to, or able to, understand/trust each other.</p>
<p>But does it have to be that way?</p>
<p><strong>Meaningful work is key to meaningful results.</strong></p>
<p>Stop fixing problems that shouldn’t exist. One solution is programmer’s anarchy. The concept has been popularized by Fred George.</p>
<p><em>To bring a more critical view, I would personally prefer to use another term. “Anarchy” often has a negative connotation in everyday language. What would you call it? (please leave a comment).</em></p>
<p>Basically, the main concept is about removing unnecessary layers and tasks. Even remove managers. Yes, you heard me right.</p>
<p>Decentralize and autonomize. A startup company should therefore be able to operate without the founders. We don’t need managerial superheroes, we need efficient teams. But how can that even work?</p>
<p>As Steve Jobs used to say:</p>
<blockquote>
<p>It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.</p>
</blockquote>
<p>And I would add another famous sentence to the equation.</p>
<blockquote>
<p>Trust, but verify.</p>
</blockquote>
<p>Don’t worry, I’m not talking about blockchaining your company. We can achieve that through many tools that already exist. But the important thing is that people do meaningful work for themselves and in relation to their internal and external peers. You might for instance think of open sourcing as one great enabler.</p>
<p>From the startup perspective, this makes good sense:</p>
<ul>
<li><p>At the operational level, let people decide and deliver on their own terms. People usually know what they should and shouldn’t do, better than you do. With great power comes great responsibility; they need to commit themselves to it. If and when they don’t have the knowledge/skills/discipline, it’s your job as an entrepreneur to help them and act as an enabler.</p>
</li>
<li><p>To align with the customer, we should be story and even UX centric (instead of task centric). Ever heard about <a target="_blank" href="https://www.inc.com/carmine-gallo/jeff-bezos-bans-powerpoint-in-meetings-his-replacement-is-brilliant.html">Amazon</a> banning bullet points and replacing them with memos? So, likewise, why do we spend so much time monitoring task by task?</p>
</li>
<li><p>As a leader, define/elevate the vision and find the ways to make that happen. Do what you say, say what you do. Say what you don’t/won’t do. Transparency is essential. It’s much easier for other people to trust you if you’re genuine about what you do. And it’s also the best way to keep your margins high. Don’t over sell. And after you’ve delivered what you promised, always provide some unexpected extra.</p>
</li>
<li><p>We don’t have so many resources that we can spend our life on inefficient coordination. Make time for what’s important and don’t get bothered solely by the priorities of others. Everything you do should be modular, so that you can maintain it, improve it or even throw it away. Avoid technical debt.</p>
</li>
<li><p>Banish micromanagement. The good news is that your current managers will do meaningful work as well. Again. If you need information/reporting, that’s fine as long as it’s automated. Your programmers will be happier, not having project managers telling them what to do.</p>
</li>
<li><p>It helps you recruit and keep the best people. Not just programmers and UX, but also marketing and sales. Incentives are much more aligned.</p>
</li>
</ul>
<p>But what’s in it for your customers? I’ll get back to that in future posts, but they basically get and perceive more value when you focus on delivering what you’re good at, and that only. It’s fundamental to (really) listen to your customers and understand their constraints, but not to abide by their agenda or respect their corporate conundrum. We need to reinvent how we, as startups, work B2B.</p>
<p>So let’s scale, focus on the big picture and deliver real and meaningful results.</p>
<p>How’d you like this article? If you liked it or learned something, please leave a clap!</p>
<p><strong>Additional resources</strong></p>
<p>Implementing programmer’s anarchy : a <a target="_blank" href="https://www.youtube.com/watch?v=WdUpyqwsrGs">video</a>.</p>
<p>How is programmer’s anarchy different from agile? A <a target="_blank" href="https://itnext.io/what-is-developer-anarchy-and-how-is-it-different-from-agile-software-development-6e212d6b8dfb">post</a>.</p>
<p>An example of recruitment strategy: <a target="_blank" href="https://www.parity.io/jobs/">parity</a>.</p>
<p>Make time : I suggest 2 interesting reads.</p>
<ul>
<li><p>If you’ve won a war and become a president, it’s probably because you deliver. So read about <a target="_blank" href="https://www.eisenhower.me/eisenhower-matrix/">Eisenhower’s matrix</a>.</p>
</li>
<li><p>The <a target="_blank" href="https://maketimebook.com">make time</a> book is also a good complementary resource.</p>
</li>
</ul>
<p>In case you want more academic literature on the subject, drop me a comment.</p>
]]></content:encoded></item></channel></rss>