He specifically mentions world leaders. Also, tons of speculation in the article about things nobody is sure about yet and then extrapolating from there and proposing countermeasures that are off the scale. Security is important. But it wouldn't be the first time a communications service is hacked and assuming a nation state adversary you can consider every tech company in the world compromised to some degree by infiltrating employees into key positions. Those can play the long game and work at it for years to reach their destination.
I would consider anything you entrust to a keyboard or some internet or wireless medium to be in principle compromisable, an in practice most likely compromised in the sense that people that should not have access to that data probably do.
> Just before the stroke of midnight on September 20, 2016, at the height of last year’s presidential election, the WikiLeaks Twitter account sent a private direct message to Donald Trump Jr., the Republican nominee’s oldest son and campaign surrogate.
> Companies like Facebook and Twitter have so much power because they are so large, and they face no real competition.
I find it hard to take the rest of the article seriously when it's talking about Twitter as a giant monopoly that needs to be broken up...
But also the argument seems fundamentally wrong. Account security is a prime example of a place where economies of scale bring a lot of benefit. I would absolutely trust the security of say Facebook, Google or Microsoft above that of Twitter just due to the larger scale. They can afford to spend more on security, since they have more users, and their users are more valuable. Every dollar spent on security applies to the whole user base. And similarly I'd trust Twitter above a 100 person web startup.
If you start regulating for some kind of a minimum security bar, either you're going to be killing a lot of companies, or you're going to be setting the bar laughably low compared to what these companies already do.
Some of them are, some are not, as an end-user you don't know and it doesn't matter for the argument: That's over 2,000 organizations providing a Twitter-like service.
In addition there's micro.blog, who seem to be doing okay with their paid-for Twitter-like micro blogging service. Though last time I looked in on it, they'd started interfacing with Mastodon as well.
This is very typical of the libertarian streak that underpins HN. I'm always a little turned off by this strange dominate-the-world culture out of SV. I come from a culture that valued open source and interoperable open standards. Where did my people go?
Twitter is clearly and objectively a monopoly or in a duopoly with Facebook/Instagram. At my most charitable, I could include YouTube in the mix. But I'd still say monopoly.
Even though Google and Facebook are much bigger companies, Twitter has clearly cornered the market for online publishing of thoughts and opinions. Only Facebook/Instagram and Reddit come anywhere close, but those platforms are mostly for different types of content.
There's a reason that modern "news" publishes article after article that merely reports on whatever conversation is trending on Twitter. There's a reason that celebs on Reddit provide proof via tweet. There's a reason Trump's YouTube and Facebook accounts are run by staffers.
Could 100 Twitter-like companies all make it? Perhaps not, but we'd be in a better place. Twitter is poison and I'd not shed a tear if it went bankrupt.
How exactly do you propose to split up Twitter? Split the userbase into 100 groups? Who goes in which group? And what happens when people want to switch groups... ultimately coalescing in a single node? Because, you know, network effects.
I don't like Twitter either, so I don't use it. It's a really effective solution!
There's other ways to deal with anti-trust besides breaking the companies apart. Data portability, interoperability, ownership of your own social graph. If these platforms were forced to act more like email, where leaving google for microsoft doesnt mean i can no longer contact my friends, the network effects that give them monopoly-like power diminish.
Imagine how ridiculous email would feel if you need a gmail account to email gmail peeps, a microsoft account to email outlook peeps, and another separate account to communicate with people in every mom and pop community. Imagine not being able to export your address book in an industry standard format. Imagine not being able to use whatever third party client you want to access your own data.
So let's imagine Facebook/Twitter/etc was based on open protocols like SMTP...
* You'd have the same spam and abuse problem that email has.
* You'd have zero control over the information you post to it, just like email. There would be absolutely no way of stopping or even slowing down the Cambridge Analyticas of the world.
"Ownership of your own social graph" is complete and utter nonsense. As soon as you share data with other people through open protocols, they own it. Just like email.
Even email is tending towards centralization, with a few big players that can manage the spam and abuse and still get their messages delivered.
>You'd have the same spam and abuse problem that email has.
Don't you have that already, and they have anti spam measures? How would a facebook post coming from facebook or twitter change what they remove as spam?
What you're basically proposing is a model of spam where only the content of the message is considered. I do not think that would be very effective in practice, in the modern world.
Email spam filtering is already a lot more powerful, since it can consider things such as IP reputation. (IP reputation would be a non-starter for a federated social network, since it would require passing raw IPs along with messages in the federation protocol. And that is just unthinkable from a privacy perspective).
When all entities posting messages on a social network are managed by the same identity provider, and the identity provider can share information about the account with the social network, you get yet another layer of increase in power. You can, for example, tell whether the account is newly created or not. Or whether it was bulk-created along with 10 other accounts posting similar spam. Or a dozen other account reputation signals which let you classify accounts into organic vs. abusive, and use that to inform the classification of messages from those accounts. And again, the only way this happens is if the identity provider and the social network are one and the same. If they were separate companies, it'd be inexcusable for either party to share detailed information with the other.
There's one element of the tragedy of the commons. Honest Bob's Social Media Emporium might not be entirely motivated to mark their users as untrusted, when most of the pain of the spam is felt by the other thousands of providers they federate with.
"Hey, doing SMS verification of new accounts is expensive, but required by the other nodes on the network. How about we don't, but say we did?"
Imagine a solution to email spam that replaced looking at IP address reputation with looking at the sender's claim about their own reputation. Laughable idea, right?
The other problem with your suggestion is that you can't do abuse prevention with a single signal, even if it's not Boolean. I even gave an example in the previous post, with checking whether accounts doing similar abuse were clustered together at account creation time.
Then " Bob's Social Media Emporium" as a whole would get dinged in the trust web. If you cant trust the verifier, you wouldnt trust any of their participants.
I guess nitpicking the details doesnt matter, but none of these problems seem insurmountable.
Oh, man. You dropped the "Honest" out of "Honest Bob". That's harsh, it's like you think he's some kind of a crook :(
Once the biggest node on this network starts not peering with smaller nodes due to them being untrustworthy, what do you think happens? I suspect that the users will move from the smaller nodes to the bigger ones. And then we're right back to where we started. People will be complaining about monopolies and will want the big nodes broken up.
This does seem like a genuine problem, and there are already signs of this happening in the Fediverse. Perhaps it needs a name, so that people can notice when it is happening, and discuss potential solutions to it. The name I propose is "Federator's Dilemma", as it seems like a game theoretic problem.
As for a solution, my intuition is that the first step might be to create a Sybil-proof voting system for determining how popular individual services are. If a service is refused federation by other services which collectively contain 90% of user accounts, then that's a sign that the service doesn't do enough to stop its users from posting objectionable content. Similarly, service A could report to service B how many abuse reports it is getting from its users about people on service B, with a clear rule about when service B would be blocked.
This isn't a perfect system, and I admit that a Sybil-proof global anonymous distributed voting system might be harder than just solving the Federator's Dilemma more directly, but I think it's worth considering, not least because such a voting system would be useful for countless other applications online.
> There would be absolutely no way of stopping or even slowing down the Cambridge Analyticas of the world.
They wouldn't be as much of an issue in the first place, because there isn't a single company with a single collection of data to siphon through a single API with a single entity that has to give you access in order to collect whatever you want. A Cambridge Analytica that has to separately try to get data from O365 and GMail and FastMail and ProtonMail is much less dangerous.
> If these platforms were forced to act more like email
Who decides who's "following" who?
Say I decide to use a competitor. Do I then get to "take" my Twitter followers and can still broadcast to them on Twitter from a different app? Under what conditions can Twitter block your activity? Either they will have to let a lot of spam in or they'll have to ban most non-Twitter activity from coming in.
How do we define interoperability? Do we make Twitter as it is right now a government mandated standard? How do we introduce new features?
I just don't see how you can do all this or how it makes sense at all.
Although email does certain things well it's not without issues. Running your own server is tough. Even many fairly mainstream services have deliverability issues.
Spam is rife. And it's especially a big problem when running your own or using a small provider.
Email is terrible for initiating unsolicited interactions (in some places might even be illegal).
All this is actually worked out in some detail (search keywords federated/indie web). Check out the PubSub model, and the ActivityPub protocol as an example, and Mastodon as a working proof-of-concept.
As a starting point, imagine email & RSS and work forward from there. I'm not saying it's trivial, but it's also not insurmountable.
I did actually do a lot of reading on ActivityPub yesterday and it's exactly the mess I would have imagined it to be.
The standard doesn't define all that much. Arbitrary undocumented JSON fields are perfectly fine and used heavily. Just following the standard you wouldn't get too far, would need to follow Mastodon's implementation to be truly compatible [0].
Many instances have already banned each other, some client apps have outright hard-coded blacklists in. So again would the government forbid that? But then what do you do about unruly instances?
The whole model IMO is pretty wrong in favoring instances over individuals. Twitter is a free-for-all, this model is completely different in optimizing for small groups of like minded people.
Secure private DMs are pretty much impossible in AP.
Rate limiting, spam protections etc are left completely up to the implementer. So would the government define that under an anti-trust scheme?
Now if one considers it to be just some low-level building block for distributed social then okay, maybe it's fine. The idea is basically social-related stuff in JSON over HTTP. Okay. But it doesn't really solve much of anything in practice. It offers a strictly worse experience in name of decentralization. This is exactly why I'd be afraid of the government stepping in and forcing these kinds of decisions on companies.
[0] And then it only gets you compatible with other Mastodon-style instances (and most seem to use the exact same implementation, just different themes). There are other ActivityPub apps that operate under a completely different UX/UI scheme. Which is both nice and weird in that the standard has obviously been written with Twitter-like stuff in mind.
> Imagine how ridiculous email would feel if you need a gmail account to email gmail peeps, a microsoft account to email outlook peeps, and another separate account to communicate with people in every mom and pop community.
Maybe this is the problem you’re hinting at, but I expect it would be very rare for me to ever run into someone I couldn’t email because they’re not using Gmail (especially if we include G Suite).
> I don't like Twitter either, so I don't use it. It's a really effective solution!
Schneier's point is the threat of a malicious actor starting a war by hijacking a politician's Twitter is non-zero. People like you and me opting out of Twitter is not an effective solution to that.
If enough people opt, it is a solution. Like littering: if I throw one cigarette butt out the window, is that really an environmental hazard? No. If a hundred million people each throw 20 out the window a day, then you have a problem.
You and me both. I can't tell if you're jibing, but I do think twice before clicking on links that come from certain places, which I guess is "avoiding harder". :)
Rather than splitting up Twitter, what if we just stopped the constant process of acquiring and dismantling any company which dares to threaten the big tech companies. Vine should still be around.
I mean, reddit and Discord are still this. They both graft on cross-community navigation and account systems for user convenience and increasing user retention.
No, they are not. Reddit (and even more so Discord) does not have the permanence that forums have and far worse tools for formatting posts, so every subreddit degenerates into 101 questions, circlejerking, and meme shit. There's no way to contain that like you can on a forum. Cross-community navigation is an anti-feature and harmful.
You seem to talk about monopolies as if it was a bad thing.
And I get it that you don't like Twitter being a closed platform. Me neither. It's not ideal, but it's still more user friendly than Mastodon (sadly).
I wouldn't shed a tear if Twitter went bankrupt either, but I don't necessarily think it would lead to a better world (Facebook would be a stronger monopoly and that, I think, would make things worse).
Nonsense. I'm as far from libertarian as you're going to get and I really don't see the case for breaking up Twitter. Breaking up Google I can understand, especially given their dominance in both search and advertising but Twitter is by comparison a bit player and all it really does is serve as a relay station. It's as close to a dumb pipe as you're going to get modulo a very small amount of content monitoring. And why would a Twitter hack reflect on Facebook to begin with? It's not as though FB owns Twitter.
> especially given their dominance in both search and advertising
Google's Search mechanism is merely a trojan horse where their real cash-cow is the advertising business. They use Search to assuage people into thinking they are an ethical company, when we all know by now, they rely on surveillance capitalism and creating large elaborate dossiers on the whole population.
Twitter's power comes fro being nearly integrated into main stream news. the danger therein has been seen with the platform used to shame those who put forth the wrong opinion, spin a story in a manner not acceptable, or associate with someone who has done the same.
how this came about is hard to place but I would not doubt the executives at Twitter cultivated their position along with very adept targeting of celebrities.
How do you split up something which is embedded into the media, specifically the news?
Correct, it is more a thought monopoly than one of numbers. Its a lifeline between everyone who has a megaphone. I'm not sure one platform that all journalists choose to prioritize falls under traditional antitrust concerns, based only on that fact, nor does that fact alone really strengthen other antitrust concerns.
You seem to be making a few separate claims as if they are the same.
> Twitter's power comes fro being nearly integrated into main stream news.
You are using "integrated" (a word which has a specific meaning and is related to monopolies) in a way that doesn't apply here. News makers tend to use Twitter because it's a rapid-fire way for them to see what others in their cohort are talking about. They did the same thing before Twitter, but it was on slower news cycles (daily newspapers, evening TV news, etc).
> the danger therein has been seen with the platform used to shame those who put forth the wrong opinion
I'm completely fine with shaming. We need more of it. It's always been a part of how societies regulate the outliers (including species other than humans). Since 2016 we've seen what happens when a person exhibits no shame whatsoever in a society that had been established with lots of norms rather than laws to steer behavior.
I suspect you are talking about the actions that go beyond shaming (boycotts, calling for people to be fired, book publishers dropping books, forums dropping speeches, etc). I agree we shouldn't burn heretics or witches. But that shouldn't prevent us from applying some modicum of social penalty if the speech or actions warrant it.
> how this came about is hard to place
News makers already had incentives to watch each other's work. They "keep their finger on the pulse" of news. Twitter made this possible.
News makers have always tried to get a story to market first -- that's the incentive that capitalism provides.
I was contracting at a major regional newspaper when Michael Jackson died. For 4 hours, all news sources in the world were quoting a TMZ tweet because that was the only source. The other news outlets were now reporting a derivative of news -- that "TMZ has tweeted that X happened". For me, that's when Twitter became a significant cog in the news ecosystem.
We've also seen independent reporters in countries like Syria and Yemen get carried by international news outlets because there was no alternative. News is changing because the old way was inefficient and insufficient in some ways. Twitter exists. It's not the best app, but it's an app that is large enough at the right time.
> How do you split up...
And should we? And what are the consequences if we do?
This comment is rife with hyperbole to the point I can't take it seriously.
> Twitter has clearly cornered the market for online publishing of thoughts and opinions.
What? Last I heard, Twitter only had about 22% of the USA active on the site[1] compared to 69% using Facebook.
Also, the term "cornering the market" was used when there was a scarcity of a good. I would argue Twitter and FB are very good at dominating time and attention away from other online platforms, but that doesn't make them monopolies or an oligopoly.
Have newspapers ceased to publish OpEds? Has Medium.com been M&Aed by Twitter? Have individual blogs been outlawed? Have the scrappy startups (Gab, Parler) somehow been prevented from competing by some vertical or horizontal integration that Twitter/FB/Google have? You are doing significant mental gymnastics to limit the scope of what you want to be "the market" when you are making this monopoly case.
I don't much like who I am when I'm on Twitter or Facebook so I try to minimize my time on both. But I don't pretend like there are no alternatives or that those companies have any significant control over the "posting of ideas and opinions" market. They have gravity, but that changes quickly as their users ore finicky -- Friendster and MySpace and my former employer (smaller social media company) can tell you that.
The reason MSFT, GOOG, etc., have better security is because they have paying customers who have data to protect. So it behooves them to be proactive about security and to take it seriously.
The data there is quite different. The dependence is different. It’s one thing to have your ad account compromised, it’s a different thing to have your enterprise information compromised with the data of all your users and customers.
As someone who has run two startups, their security can be completely bonkers. Not saying that all startups are like this but we had a database completely open to employees and would frequent watch them in real time for customer insights.
Great to see Schneier with a totally level-headed response in comparison to Krebs, who wrote a 5 page apparent doxxing of someone he maybe suspected could potentially have been the hacker.
We have a standard (TLS) for general HTTP secure communications over the internet. We should also have standards for the transport and storage of user-to-user and user-to-public messages.
Yes, the level of class difference is substantial. Doesn't make this particular argument much stronger though. It also shows Schneier put in some actual thought before firing this off.
Core argument is for "building codes" for software that is effectively mission critical infrastructure. Data and identify security--and privacy--concerns may drive a fair amount of regulation in the next five to ten years. Here is Schneier's core thesis:
"There are many security technologies companies like Twitter can implement to better protect themselves and their users; that's not the issue. The problem is economic, and fixing it requires doing two things. One is regulating these companies, and requiring them to spend more money on security. The second is reducing their monopoly power.
The security regulations for banks are complex and detailed. If a low-level banking employee were caught messing around with people's accounts, or if she mistakenly gave her log-in credentials to someone else, the bank would be severely fined. Depending on the details of the incident, senior banking executives could be held personally liable. The threat of these actions helps keep our money safe. Yes, it costs banks money; sometimes it severely cuts into their profits. But the banks have no choice.
The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter. If you are offered security and privacy options, it's because they decided you can have them. There is no regulation. There is no accountability. There isn't even any transparency. Do you know how secure your data is on Facebook, or in Apple's iCloud, or anywhere? You don't. No one except those companies do. Yet they're crucial to the country's national security. And they're the rare consumer product or service allowed to operate without significant government oversight."
“Those messages -- between world leaders, industry CEOs, reporters and their sources, heath organizations -- are much more valuable than bitcoin.“
If they had DN access, then those hackers were like a bumbling bank robbery gang who tunneled in during the medieval of night and ran off with all the pennies, leaving the paper money and safety deposit boxes unmolested.
Why would anyone message another on twitter with anything important though? Even if they really needed that contact info wouldn't they just use private messages to ask "what's your phone number"?
This strikes me as particularly salient as to the point on privacy and security:
"The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter. If you are offered security and privacy options, it's because they decided you can have them. There is no regulation. There is no accountability. There isn't even any transparency. Do you know how secure your data is on Facebook, or in Apple's iCloud, or anywhere? You don't. No one except those companies do. Yet they're crucial to the country's national security. And they're the rare consumer product or service allowed to operate without significant government oversight."
Perhaps this hack will bring the security issue to the forefront of our U.S. legislators.
I really feel like everyone is getting one of the broad points in this discussion wrong. If Twitter is a national security risk because people can hack it to speak in the official voice of prominent leaders, or discover state secrets through direct messages, that is nobody's fault but the government's, for relying on a platform they have no control over for official business.
Can you imagine the military complaining that the enemy was able to give false orders or discover troop movements through messages on a privately owned communications network completely outside their control? No, because it would be absurd for the military to rely on such a network. It is no less absurd that the civilian government (which nominally has more power than the military) is doing so.
It was a scandal when Hillary Clinton relied on a private email server. It is a far larger scandal that so many leaders, and especially the President, are now relying on a private company for their official communications.
Obviously government employees shouldn't be using Twitter DMs for unofficial business, but they're more or less required to use Twitter for communications with the public and fundraising. If they don't, they hand way too much of an edge to their competitors. The issue is that we don't want Donald Trump to mysteriously tweet "We're nuking Toronto this afternoon! #MAGA" and have a national security episode trying to figure out if it's a hacker or if he just saw something on Fox News that irked him.
They would not be "required" to use Twitter to keep up with their competitors, if they were all required not to use it for official communications. I'm not saying that politicians should choose to stop using Twitter for official communications, I'm saying Congress should pass a law requiring they not. I think there are already laws on the books around appropriate changes for official communications that could be augmented for this purpose.
> If Twitter is a national security risk because people can hack it to speak in the official voice of prominent leaders, or discover state secrets through direct messages, that is nobody's fault but the government's, for relying on a platform they have no control over for official business.
I don't see the government relying on it. I see public officials using it as a platform. No coordination is being done (unless it's redundancy), just communication with constituents.
> It was a scandal when Hillary Clinton relied on a private email server.
One problem with using a private email server was because it circumvented FOIA requests. Twitter is open, a private email server is not. We still don't know what 33k of the subpoenaed emails were about that her personal IT guy deleted, other than the ones found on Huma Abedin's laptop.
The other problem of course is having a personal IT staff run your email server with classified secrets (yes there were classified emails). It's not quite the same as having Twitter or the DoD run your security. I mean, the guy (stonetear) was on Reddit asking how to delete emails, I doubt he knew how to protect against state actors.
Ok, then a sizable portion of Schneier's article here is pointless. If it's not a national security risk, then this hack, while a big deal, is not as big a deal as he's saying.
Personally, I think it is much less of a risk than some people seem to be arguing, but much more of a risk than I'd like it to be. I do think someone could cause major real-world problems with national security ramifications by tweeting something from the President's account, and I don't think that should be possible.
> I don't see the government relying on it. I see public officials using it as a platform. No coordination is being done (unless it's redundancy), just communication with constituents.
The president regularly announces decisions on Twitter that he has not communicated through any other medium. Here's two major examples:
In what way is Twitter "open"? Can I FOIA a government official's DM's? I don't see that as likely.
From my standpoint, Clinton's private server is equivalent to Twitter (albeit likely less well-maintained from a security perspective).
To my mind, it's wholly unacceptable for the US government to maintain secret communication platforms outside the reach of FOIA. Working to keep communications off-the-record and out of the public's hands is a betrayal of the public trust.
If a Tweet is posted, journalists can see it and write articles about it. Of course this doesn't apply to DMs, they are not open. I think anonbcpolitics was ignoring DMs.
I can FOIA my government's one-to-one email communication. If I can't do that w/ Twitter they shouldn't be using Twitter.
The local government I work for uses some god-awful subscription software to "archive" all their various social media interaction. I'd rather just see the government not use third-party-hosted communications systems but, grudgingly, I'll take thr "archived" social media data over nothing. The data needs to be accessible to the public, ultimately.
Yes, because there's no evidence of anyone using DMs to govern.
We don't know if a politician uses Signal, Twitter/IG DM, or other 1:1 communication apps, we have to handle those cases when we catch them, like Hillary was caught with her private email server. If she was actually punished it may have deterred people from circumventing FOIA.
I would be directly opposed to such communication the same way I'm opposed to a private email server being used. Communicating in public tweets is entirely different though.
In my jurisdiction, at least, the intent "to govern" doesn't make much of a difference in whether an item is a public record or not. My public records training would cause me to assume that Twitter DMs created or received by the government entity I work for, irrespective of their intent, are public records.
It would be nice if elected leaders at all levels of government were held to the law w/ respect to public records. I was absolutely outraged at the lack of law enforcement response for Clinton's private email server, just as I was outraged at the lack of response on the private email server that George W. Bush's administration allegedly maintained.
You focused on the wrong part, I could have left out "to govern". My point was there's no evidence of anyone using DMs, we're talking about public tweets. And there's no use talking about private communications because the scope expands from Twitter to the individual's actions (sneaking around using Signal or similar, etc.).
I work in IT in local government. Even with the public records and ethics training our employees receive we still encounter plenty of times when we must advise other offices re: the public records-related concerns associated with their employees using personal phones, email, and third-party hosted services in the course of their job duties (let alone "sneaking").
I would assume that, at every level of government, significant numbers of public records are being lost to free third-party hosted services.
But your military example literally happened with edmondo where people jogging around secret military bases were found because that system was breached
Breaking up monopolies like Twitter may not work. They must be subjected to heavy regulation. They must not censor/block/shadowban any account or tweet. They must open their entire operation to APIs at reasonable costs. They must allow interoperability with any other Twitter clone, tweets from everywhere should be visible across all Twitters.
>It didn't matter whether individual accounts had a complicated and hard-to-remember password, or two-factor authentication. It didn't matter whether the accounts were normally accessed via a Mac or a PC. There was literally nothing any user could do to protect against it.
Are we sure it didn't matter? 130 accounts were targeted, but attackers only got into 45 accounts. Maybe there was a security setting that stopped the attackers from getting into the other 85.
>Were there 100 different Twitter-like companies, and enough compatibility so that all their feeds could merge into one interface, this attack wouldn't have been such a big deal.
That has its own security downsides. Now attackers don't need to find vulnerabilities in 1 specific company, they can search across 100 different companies. And each one has much less revenue so a much smaller security team.
92 comments
[ 2.7 ms ] story [ 158 ms ] threadI would consider anything you entrust to a keyboard or some internet or wireless medium to be in principle compromisable, an in practice most likely compromised in the sense that people that should not have access to that data probably do.
I dont know many journo's but the ones i do know are Signal users.
From https://www.theatlantic.com/politics/archive/2017/11/the-sec...
Not directly a world leader, and even Trump Sr. was still the nominee, but not far removed from the scenario you describe.
https://www.businessinsider.com/jared-kushner-reportedly-use...
Its backups aren't encrypted though.
I find it hard to take the rest of the article seriously when it's talking about Twitter as a giant monopoly that needs to be broken up...
But also the argument seems fundamentally wrong. Account security is a prime example of a place where economies of scale bring a lot of benefit. I would absolutely trust the security of say Facebook, Google or Microsoft above that of Twitter just due to the larger scale. They can afford to spend more on security, since they have more users, and their users are more valuable. Every dollar spent on security applies to the whole user base. And similarly I'd trust Twitter above a 100 person web startup.
If you start regulating for some kind of a minimum security bar, either you're going to be killing a lot of companies, or you're going to be setting the bar laughably low compared to what these companies already do.
> Were there 100 different Twitter-like companies
... they would all be bankrupt.
>... they would all be bankrupt.
Huh? There's over 2,000 Mastodon servers doing just fine
Twitter is clearly and objectively a monopoly or in a duopoly with Facebook/Instagram. At my most charitable, I could include YouTube in the mix. But I'd still say monopoly.
Even though Google and Facebook are much bigger companies, Twitter has clearly cornered the market for online publishing of thoughts and opinions. Only Facebook/Instagram and Reddit come anywhere close, but those platforms are mostly for different types of content.
There's a reason that modern "news" publishes article after article that merely reports on whatever conversation is trending on Twitter. There's a reason that celebs on Reddit provide proof via tweet. There's a reason Trump's YouTube and Facebook accounts are run by staffers.
Could 100 Twitter-like companies all make it? Perhaps not, but we'd be in a better place. Twitter is poison and I'd not shed a tear if it went bankrupt.
I don't like Twitter either, so I don't use it. It's a really effective solution!
The real answer is to mandate interoperability and equal treatment of competitor content. Then competition could grow on its own.
Personally I would just regulate it into oblivion.
There's no physical locality to Twitter. You can't put all the California users in one system and all the Washington users in another.
Imagine how ridiculous email would feel if you need a gmail account to email gmail peeps, a microsoft account to email outlook peeps, and another separate account to communicate with people in every mom and pop community. Imagine not being able to export your address book in an industry standard format. Imagine not being able to use whatever third party client you want to access your own data.
* You'd have the same spam and abuse problem that email has.
* You'd have zero control over the information you post to it, just like email. There would be absolutely no way of stopping or even slowing down the Cambridge Analyticas of the world.
"Ownership of your own social graph" is complete and utter nonsense. As soon as you share data with other people through open protocols, they own it. Just like email.
Even email is tending towards centralization, with a few big players that can manage the spam and abuse and still get their messages delivered.
Don't you have that already, and they have anti spam measures? How would a facebook post coming from facebook or twitter change what they remove as spam?
Email spam filtering is already a lot more powerful, since it can consider things such as IP reputation. (IP reputation would be a non-starter for a federated social network, since it would require passing raw IPs along with messages in the federation protocol. And that is just unthinkable from a privacy perspective).
When all entities posting messages on a social network are managed by the same identity provider, and the identity provider can share information about the account with the social network, you get yet another layer of increase in power. You can, for example, tell whether the account is newly created or not. Or whether it was bulk-created along with 10 other accounts posting similar spam. Or a dozen other account reputation signals which let you classify accounts into organic vs. abusive, and use that to inform the classification of messages from those accounts. And again, the only way this happens is if the identity provider and the social network are one and the same. If they were separate companies, it'd be inexcusable for either party to share detailed information with the other.
"Hey, doing SMS verification of new accounts is expensive, but required by the other nodes on the network. How about we don't, but say we did?"
Imagine a solution to email spam that replaced looking at IP address reputation with looking at the sender's claim about their own reputation. Laughable idea, right?
The other problem with your suggestion is that you can't do abuse prevention with a single signal, even if it's not Boolean. I even gave an example in the previous post, with checking whether accounts doing similar abuse were clustered together at account creation time.
I guess nitpicking the details doesnt matter, but none of these problems seem insurmountable.
Once the biggest node on this network starts not peering with smaller nodes due to them being untrustworthy, what do you think happens? I suspect that the users will move from the smaller nodes to the bigger ones. And then we're right back to where we started. People will be complaining about monopolies and will want the big nodes broken up.
As for a solution, my intuition is that the first step might be to create a Sybil-proof voting system for determining how popular individual services are. If a service is refused federation by other services which collectively contain 90% of user accounts, then that's a sign that the service doesn't do enough to stop its users from posting objectionable content. Similarly, service A could report to service B how many abuse reports it is getting from its users about people on service B, with a clear rule about when service B would be blocked.
This isn't a perfect system, and I admit that a Sybil-proof global anonymous distributed voting system might be harder than just solving the Federator's Dilemma more directly, but I think it's worth considering, not least because such a voting system would be useful for countless other applications online.
They wouldn't be as much of an issue in the first place, because there isn't a single company with a single collection of data to siphon through a single API with a single entity that has to give you access in order to collect whatever you want. A Cambridge Analytica that has to separately try to get data from O365 and GMail and FastMail and ProtonMail is much less dangerous.
What would that mean?
> If these platforms were forced to act more like email
Who decides who's "following" who?
Say I decide to use a competitor. Do I then get to "take" my Twitter followers and can still broadcast to them on Twitter from a different app? Under what conditions can Twitter block your activity? Either they will have to let a lot of spam in or they'll have to ban most non-Twitter activity from coming in.
How do we define interoperability? Do we make Twitter as it is right now a government mandated standard? How do we introduce new features?
I just don't see how you can do all this or how it makes sense at all.
Although email does certain things well it's not without issues. Running your own server is tough. Even many fairly mainstream services have deliverability issues. Spam is rife. And it's especially a big problem when running your own or using a small provider. Email is terrible for initiating unsolicited interactions (in some places might even be illegal).
As a starting point, imagine email & RSS and work forward from there. I'm not saying it's trivial, but it's also not insurmountable.
The standard doesn't define all that much. Arbitrary undocumented JSON fields are perfectly fine and used heavily. Just following the standard you wouldn't get too far, would need to follow Mastodon's implementation to be truly compatible [0].
Many instances have already banned each other, some client apps have outright hard-coded blacklists in. So again would the government forbid that? But then what do you do about unruly instances?
The whole model IMO is pretty wrong in favoring instances over individuals. Twitter is a free-for-all, this model is completely different in optimizing for small groups of like minded people.
Secure private DMs are pretty much impossible in AP.
Rate limiting, spam protections etc are left completely up to the implementer. So would the government define that under an anti-trust scheme?
Now if one considers it to be just some low-level building block for distributed social then okay, maybe it's fine. The idea is basically social-related stuff in JSON over HTTP. Okay. But it doesn't really solve much of anything in practice. It offers a strictly worse experience in name of decentralization. This is exactly why I'd be afraid of the government stepping in and forcing these kinds of decisions on companies.
[0] And then it only gets you compatible with other Mastodon-style instances (and most seem to use the exact same implementation, just different themes). There are other ActivityPub apps that operate under a completely different UX/UI scheme. Which is both nice and weird in that the standard has obviously been written with Twitter-like stuff in mind.
Maybe this is the problem you’re hinting at, but I expect it would be very rare for me to ever run into someone I couldn’t email because they’re not using Gmail (especially if we include G Suite).
Schneier's point is the threat of a malicious actor starting a war by hijacking a politician's Twitter is non-zero. People like you and me opting out of Twitter is not an effective solution to that.
And I get it that you don't like Twitter being a closed platform. Me neither. It's not ideal, but it's still more user friendly than Mastodon (sadly).
I wouldn't shed a tear if Twitter went bankrupt either, but I don't necessarily think it would lead to a better world (Facebook would be a stronger monopoly and that, I think, would make things worse).
guilty as charged
What makes monopolistic companies inherently always bad?
A monopoly is a entity that holds exclusivity to a good or a service.
What is the word for it then? Highly-dominant player?
Edit: looks like I'm not alone to have this definition for a monopoly[2].
[1] https://gs.statcounter.com/search-engine-market-share
[2] https://news.ycombinator.com/item?id=23900128
[1] https://www.merriam-webster.com/dictionary/monopoly
Google's Search mechanism is merely a trojan horse where their real cash-cow is the advertising business. They use Search to assuage people into thinking they are an ethical company, when we all know by now, they rely on surveillance capitalism and creating large elaborate dossiers on the whole population.
how this came about is hard to place but I would not doubt the executives at Twitter cultivated their position along with very adept targeting of celebrities.
How do you split up something which is embedded into the media, specifically the news?
https://www.cnbc.com/2020/07/06/twitters-influence-beyond-us...
https://www.cjr.org/the_media_today/journalists-on-twitter-s...
> Twitter's power comes fro being nearly integrated into main stream news.
You are using "integrated" (a word which has a specific meaning and is related to monopolies) in a way that doesn't apply here. News makers tend to use Twitter because it's a rapid-fire way for them to see what others in their cohort are talking about. They did the same thing before Twitter, but it was on slower news cycles (daily newspapers, evening TV news, etc).
> the danger therein has been seen with the platform used to shame those who put forth the wrong opinion
I'm completely fine with shaming. We need more of it. It's always been a part of how societies regulate the outliers (including species other than humans). Since 2016 we've seen what happens when a person exhibits no shame whatsoever in a society that had been established with lots of norms rather than laws to steer behavior.
I suspect you are talking about the actions that go beyond shaming (boycotts, calling for people to be fired, book publishers dropping books, forums dropping speeches, etc). I agree we shouldn't burn heretics or witches. But that shouldn't prevent us from applying some modicum of social penalty if the speech or actions warrant it.
> how this came about is hard to place
News makers already had incentives to watch each other's work. They "keep their finger on the pulse" of news. Twitter made this possible.
News makers have always tried to get a story to market first -- that's the incentive that capitalism provides.
I was contracting at a major regional newspaper when Michael Jackson died. For 4 hours, all news sources in the world were quoting a TMZ tweet because that was the only source. The other news outlets were now reporting a derivative of news -- that "TMZ has tweeted that X happened". For me, that's when Twitter became a significant cog in the news ecosystem.
We've also seen independent reporters in countries like Syria and Yemen get carried by international news outlets because there was no alternative. News is changing because the old way was inefficient and insufficient in some ways. Twitter exists. It's not the best app, but it's an app that is large enough at the right time.
> How do you split up...
And should we? And what are the consequences if we do?
> Twitter has clearly cornered the market for online publishing of thoughts and opinions.
What? Last I heard, Twitter only had about 22% of the USA active on the site[1] compared to 69% using Facebook.
Also, the term "cornering the market" was used when there was a scarcity of a good. I would argue Twitter and FB are very good at dominating time and attention away from other online platforms, but that doesn't make them monopolies or an oligopoly.
Have newspapers ceased to publish OpEds? Has Medium.com been M&Aed by Twitter? Have individual blogs been outlawed? Have the scrappy startups (Gab, Parler) somehow been prevented from competing by some vertical or horizontal integration that Twitter/FB/Google have? You are doing significant mental gymnastics to limit the scope of what you want to be "the market" when you are making this monopoly case.
I don't much like who I am when I'm on Twitter or Facebook so I try to minimize my time on both. But I don't pretend like there are no alternatives or that those companies have any significant control over the "posting of ideas and opinions" market. They have gravity, but that changes quickly as their users ore finicky -- Friendster and MySpace and my former employer (smaller social media company) can tell you that.
[1] https://www.pewresearch.org/fact-tank/2019/08/02/10-facts-ab...
We have a standard (TLS) for general HTTP secure communications over the internet. We should also have standards for the transport and storage of user-to-user and user-to-public messages.
"There are many security technologies companies like Twitter can implement to better protect themselves and their users; that's not the issue. The problem is economic, and fixing it requires doing two things. One is regulating these companies, and requiring them to spend more money on security. The second is reducing their monopoly power.
The security regulations for banks are complex and detailed. If a low-level banking employee were caught messing around with people's accounts, or if she mistakenly gave her log-in credentials to someone else, the bank would be severely fined. Depending on the details of the incident, senior banking executives could be held personally liable. The threat of these actions helps keep our money safe. Yes, it costs banks money; sometimes it severely cuts into their profits. But the banks have no choice.
The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter. If you are offered security and privacy options, it's because they decided you can have them. There is no regulation. There is no accountability. There isn't even any transparency. Do you know how secure your data is on Facebook, or in Apple's iCloud, or anywhere? You don't. No one except those companies do. Yet they're crucial to the country's national security. And they're the rare consumer product or service allowed to operate without significant government oversight."
If they had DN access, then those hackers were like a bumbling bank robbery gang who tunneled in during the medieval of night and ran off with all the pennies, leaving the paper money and safety deposit boxes unmolested.
"The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter. If you are offered security and privacy options, it's because they decided you can have them. There is no regulation. There is no accountability. There isn't even any transparency. Do you know how secure your data is on Facebook, or in Apple's iCloud, or anywhere? You don't. No one except those companies do. Yet they're crucial to the country's national security. And they're the rare consumer product or service allowed to operate without significant government oversight."
Perhaps this hack will bring the security issue to the forefront of our U.S. legislators.
Can you imagine the military complaining that the enemy was able to give false orders or discover troop movements through messages on a privately owned communications network completely outside their control? No, because it would be absurd for the military to rely on such a network. It is no less absurd that the civilian government (which nominally has more power than the military) is doing so.
It was a scandal when Hillary Clinton relied on a private email server. It is a far larger scandal that so many leaders, and especially the President, are now relying on a private company for their official communications.
I don't see the government relying on it. I see public officials using it as a platform. No coordination is being done (unless it's redundancy), just communication with constituents.
> It was a scandal when Hillary Clinton relied on a private email server.
One problem with using a private email server was because it circumvented FOIA requests. Twitter is open, a private email server is not. We still don't know what 33k of the subpoenaed emails were about that her personal IT guy deleted, other than the ones found on Huma Abedin's laptop.
The other problem of course is having a personal IT staff run your email server with classified secrets (yes there were classified emails). It's not quite the same as having Twitter or the DoD run your security. I mean, the guy (stonetear) was on Reddit asking how to delete emails, I doubt he knew how to protect against state actors.
Ok, then a sizable portion of Schneier's article here is pointless. If it's not a national security risk, then this hack, while a big deal, is not as big a deal as he's saying.
Personally, I think it is much less of a risk than some people seem to be arguing, but much more of a risk than I'd like it to be. I do think someone could cause major real-world problems with national security ramifications by tweeting something from the President's account, and I don't think that should be possible.
The president regularly announces decisions on Twitter that he has not communicated through any other medium. Here's two major examples:
https://www.theverge.com/2018/3/13/17113950/trump-state-depa...
https://www.theatlantic.com/politics/archive/2019/01/donald-...
In what way is Twitter "open"? Can I FOIA a government official's DM's? I don't see that as likely.
From my standpoint, Clinton's private server is equivalent to Twitter (albeit likely less well-maintained from a security perspective).
To my mind, it's wholly unacceptable for the US government to maintain secret communication platforms outside the reach of FOIA. Working to keep communications off-the-record and out of the public's hands is a betrayal of the public trust.
If a Tweet is posted, journalists can see it and write articles about it. Of course this doesn't apply to DMs, they are not open. I think anonbcpolitics was ignoring DMs.
The local government I work for uses some god-awful subscription software to "archive" all their various social media interaction. I'd rather just see the government not use third-party-hosted communications systems but, grudgingly, I'll take thr "archived" social media data over nothing. The data needs to be accessible to the public, ultimately.
Yes, because there's no evidence of anyone using DMs to govern.
We don't know if a politician uses Signal, Twitter/IG DM, or other 1:1 communication apps, we have to handle those cases when we catch them, like Hillary was caught with her private email server. If she was actually punished it may have deterred people from circumventing FOIA.
I would be directly opposed to such communication the same way I'm opposed to a private email server being used. Communicating in public tweets is entirely different though.
It would be nice if elected leaders at all levels of government were held to the law w/ respect to public records. I was absolutely outraged at the lack of law enforcement response for Clinton's private email server, just as I was outraged at the lack of response on the private email server that George W. Bush's administration allegedly maintained.
I would assume that, at every level of government, significant numbers of public records are being lost to free third-party hosted services.
Follow all this, or pay $1M/day compounding fine.
Are we sure it didn't matter? 130 accounts were targeted, but attackers only got into 45 accounts. Maybe there was a security setting that stopped the attackers from getting into the other 85.
That has its own security downsides. Now attackers don't need to find vulnerabilities in 1 specific company, they can search across 100 different companies. And each one has much less revenue so a much smaller security team.