Monday, December 04, 2017

Two ways ISPs can do content-based filtering of encrypted traffic

Vaguely a propos of the revived net neutrality debate, a while back I saw someone on Twitter claim that it is technically not possible for ISPs to do content-based (as opposed to destination-based) filtering of SSL traffic. This statement seems initially plausible, but is false. I can think of two technical mechanisms to do content-based filtering.

First, it is possible to identify encrypted content via traffic analysis. ISPs could compile a database of traffic signatures which they wish to throttle (e.g., for videos that are available from their own video streaming services) and throttle any traffic matching that signature.
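To make the traffic-analysis mechanism concrete, here is an added example (mine as editor, not code from the original post). It assumes a "signature" is the sequence of segment sizes of an adaptively streamed video and that TLS 1.3 adds roughly 22 bytes per 16 KiB record; the titles, sizes and bucket width are all constructed. It also shows the countermeasure: once segments are padded to a common bucket size, the two signatures become indistinguishable.

```python
import math

# Assumptions (not from the post): TLS 1.3 AEAD records carry up to 16384
# plaintext bytes plus ~22 bytes of overhead (5 header + 1 type + 16 tag).
RECORD_PLAINTEXT_MAX = 16384
RECORD_OVERHEAD = 22

# Constructed sample data: plaintext size in bytes of each video segment.
TITLES = {
    "title-A": [412_000, 388_500, 501_200, 297_300, 455_900, 610_400],
    "title-B": [405_000, 512_700, 333_100, 468_800, 290_600, 575_200],
}


def wire_size(plaintext_len):
    """Bytes visible on the wire for one segment: encryption hides the
    content but leaves its length almost unchanged."""
    records = math.ceil(plaintext_len / RECORD_PLAINTEXT_MAX)
    return plaintext_len + records * RECORD_OVERHEAD


def pad_to_bucket(plaintext_len, bucket):
    """Countermeasure: round each segment up to a multiple of `bucket`."""
    return math.ceil(plaintext_len / bucket) * bucket


def build_db(titles, bucket=None):
    """Signature database: title -> expected on-the-wire burst sizes."""
    db = {}
    for name, sizes in titles.items():
        if bucket is not None:
            sizes = [pad_to_bucket(s, bucket) for s in sizes]
        db[name] = [wire_size(s) for s in sizes]
    return db


def match(observed, db, tolerance=0.002):
    """Return every title whose signature contains a window matching the
    observed burst sizes within a relative tolerance. The window slides
    because an observer may start watching mid-stream."""
    hits = []
    for name, sig in db.items():
        for start in range(len(sig) - len(observed) + 1):
            window = sig[start:start + len(observed)]
            if all(abs(o - e) <= tolerance * e
                   for o, e in zip(observed, window)):
                hits.append(name)
                break
    return sorted(hits)


def demo(bucket=262_144, header_noise=350):
    """Observe segments 2 to 4 of title-B, unpadded and then padded.
    `header_noise` stands in for HTTP headers added to each response."""
    segment_slice = TITLES["title-B"][1:4]

    seen_plain = [wire_size(s) + header_noise for s in segment_slice]
    unpadded_hits = match(seen_plain, build_db(TITLES))

    seen_padded = [wire_size(pad_to_bucket(s, bucket)) + header_noise
                   for s in segment_slice]
    padded_hits = match(seen_padded, build_db(TITLES, bucket))
    return unpadded_hits, padded_hits


if __name__ == "__main__":
    unpadded, padded = demo()
    print("without padding:", unpadded)
    print("with padding:   ", padded)
```

The padded case is run against a database rebuilt from padded sizes, so the ambiguity it reports holds even when the observer knows the padding scheme.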

Second, ISPs can require that users add a trusted SSL root cert owned by the ISP, thus allowing the ISP to man-in-the-middle all SSL traffic. Obviously, content-based filtering then becomes trivial.

You might object that this second measure would be unacceptably onerous, and would be rejected by the market. In the near future, a middle-class American family of four may own ten or twenty Internet-connected devices, running a half-dozen operating systems, and demanding that users install a root cert on all of them would cause unbelievable inconvenience and outcry. This might be true, but without even trying very hard I can think of numerous ways that ISPs could try to acclimate users to this bitter pill:

  • Of course, the software package would be named something relatively innocuous, like "Comcast Internet Security Accelerator" or some such nonsense.
  • The MITM cert might only be required for devices that wish to access the "fast lane" — in other words, the ISP would simply throttle any SSL connection that it does not MITM. All the household's devices would be functional even if you didn't jump through this hoop, but the ones that need the fastest connections — say, the PC that streams HD VR video — would require the MITM cert installation.
  • The ISP could distribute web browsers and other apps that embed the trusted cert — for example, Comcast could provide a custom build of Chromium — and require their use for the "fast lane". Again, you wouldn't need this app for casual web browsing, only for sites that are sensitive to speed.
  • ISPs could strike distribution deals with mobile carriers to install root certs on phones. The most obnoxious way to do this would be to ship the phone's ROM with the MITM cert baked in; this would probably cause massive outcry, akin to the eDellRoot debacle. A sneakier way to do it would be to ship a carrier-branded app that has the ability to update the trusted cert store (by itself this is arguably innocuous), along with an ISP-branded app that (a) nags the user for consent when it detects that the phone is on the ISP's network, something like "Welcome to Comcast! Do you want to enable Comcast Fast Lane[TM]?", and (b) when the user "consents", installs the MITM root cert by delegating to the carrier's app.
  • ISPs could embed a web browser connected to a virtualized display in the set-top box. The set-top box, of course, would already trust the MITM cert. Then, instead of browsing directly to or whatever, you would first browse to http://xfinity.local/, which would present you with a web app that is itself a browser running via remote desktop protocol. Then you would type into the address bar of this web browser. The ISP could even "helpfully" set up its DNS to perform this redirection automatically (if you type without the https).

These are just the ideas that occur to me in about twenty minutes of thinking. If these seem farfetched to you, there may be other ways to boil this frog. Companies can be rather creative when there are billions of dollars of rents to be extracted. The result does not have to be low-cost or seamless for the user; local broadband ISPs in the United States are subject to practically no competition and whatever they implement just has to be marginally less painful than waiting for your content to download over the cellular network.

Friday, September 29, 2017

Tentpole sponsors: an idea for improving paid service virality

Ad-supported communication platforms like Facebook have many structural advantages over hypothetical competitors that charge users money directly. One advantage is that a purely ad-supported service can spread virally, from user to user, at a vastly greater rate than a service that demands direct monetary payment.

For most users, the unpredictable, frequently unmeasurable harms of losing privacy and control over their social identity are less tangible than the direct time and money cost of signing up for a paid software subscription [0]. Thus free services which strip-mine your privacy and lock you into their prison spread like wildfire, while paid services that respect their users barely get off the ground. It seems that every large social networking service on the Internet has been hammered on the anvil of this seemingly inescapable logic and beaten into a Facebook-like shape.

However, user preferences vary. One can conjecture that within any social network subgraph of size N (for some N), there exists at least one user who cares an unusual amount about privacy and control. This user might be willing to subsidize a large subset of their local subgraph. Let R be the ratio of the local neighborhood of size N that such a user is willing to subsidize.

If N and R have the right values, a possible hack for the virality problem is to charge money to these special users — call them "tentpole users" — and allow them to sponsor the addition and ongoing use of the users around them. Most users will not be tentpoles; but given enough poles, positioned appropriately, the tent may be lifted over the entire addressable user population.

In the most basic form, you can imagine that a paid subscription gives every user a certain number of tokens, which they can use to sponsor accounts for their friends and family. When a new user is invited, some tokens would be allocated to them — one to support that user, and optionally some extra tokens gifted so that they could invite more users in turn. A non-sponsor user who wants additional invitations beyond their starter set would purchase more, thereby becoming a sponsor, or ask their network for some spare tokens. Sponsorship would be fungible — that is, users would be able to change their sponsor at any time — but every user would be either a sponsor or a beneficiary or both.

In principle, with proper tuning, most users could be beneficiaries, and pay nothing. A service engineered this way would be closer in virality to an ad-supported one. (It's still not quite as viral; for one thing, there is still some real friction at the edge of the "sponsorship radius", the distance from a sponsor at which users run out of tokens for further invitations. This needs further thought.)

Another model would allow all users to join free of charge, but grant additional privileges to sponsored users. This works, economically, as long as the aggregate cost of free-riding users is less than the total revenue from sponsors. This "tentpole freemium" model resembles an ordinary freemium model (where only the sponsors themselves pay [1]); arguably it is simply a freemium model where one of the premium benefits is improved amenities for one's contacts.

When I mentioned these ideas to a colleague a few months ago, he immediately pointed out that tentpoling leads to a situation where sponsored users are socially indebted to their sponsors. This has at least two effects. First, debt potentially causes social awkwardness, and this risk must be navigated (cf. V. A. Zelizer). Second, users may feel a sense of precarity because sponsorship could end (for example, if their sponsor cancels their subscription), and thus would be reluctant to adopt the platform. These are definitely challenges, but it may be possible to overcome them.

Social awkwardness may be amenable to psychological hacks which obfuscate the transactionality of the interaction. To invent a silly example, one can imagine a social network where your profile picture can be decorated with a virtual hat, which degrades over time. You can only remain on the service if your profile has a hat; sponsors receive a certain number of hat credits, which they can use to purchase various hats and gift them to their peers. Lastly, any user can trade or gift a hat that they possess. The combination of these mechanics makes the act of "wearing" a hat expressive, not merely pecuniary; wearing a hat that one of your friends obtained and gave to you can be construed as a fun social act which strengthens your friendship, rather than a purely financial necessity. By adjusting the number of hat credits that sponsors get, you can create enough liquidity in the system that most active users have multiple hats. Therefore, it is possible to beg your friends for a particular hat without disclosing that you just don't feel like buying any hats — for example, a user who doesn't want to pay for the service might ask "Hey, anybody got a spare blue knit cap? My last one is expiring next week." A certain degree of strategic ambiguity is preserved.

This example is crude and probably too nakedly gamified to work, but I hope it illustrates that there is a gigantic space of possibilities for designing the social character of sponsorship. Somewhere in that space, I conjecture that there is a point where people are comfortable with sponsor-beneficiary relations in a social network.

Precarity may also be amenable to engineering solutions. For example, one could allow and encourage users to be sponsored by multiple people, and then grant enough tokens to sponsors that their "radius of influence" would, in practice, always overlap with other sponsors'. Then, in steady state, most users would feel secure, because they would be sponsored by more than one person. And in a tentpole freemium model, users would always continue to have access to their identity even when sponsorships expire, reducing the downside even if one were to lose all of one's sponsors.

Have there been examples of tentpole sponsorship as a business model in the wild? I have trouble thinking of them.

Anecdotally, one sometimes hears of people buying paid Slack workspaces to socialize or organize activities that are not part of their day job. I assume that there are usually free riders in this arrangement. So, Slack may have stumbled on this model without intending to (obviously, Slack's primary revenue stream is charging businesses for employee accounts, which is socially a very different scenario, although arguably isomorphic to tentpole sponsorship in some ways).

Alternatively, one could argue that whenever a highly technical user sets up a custom email domain for their family, rather than just signing everyone up for Gmail, they are tentpoling the base protocols of the Internet. The difference, I guess, is that sponsorship is not fungible: if you set up a domain for your family, your child cannot change their sponsor later in life without migrating to another domain, which incurs various transition costs.

The last example I can think of is in gaming. In some multiplayer games like Lineage, players can organize into clans, and clans can purchase in-game collective goods. I've never played Lineage, but I assume that players within a clan differ in their level of contribution, and thus the most committed players are effectively sponsoring the rest.

Overall, however, I think the idea of tentpole sponsorship has seen little use, and this seems like a space that is ripe for experimentation.

Having read this, your reaction might be (probably should be!), "Talk is cheap. Ideas are cheap. What are you gonna do about it?"

Alas, I have to admit that the answer is very little.

To really pursue this idea would be a multi-year effort, and there are all kinds of reasons that this does not seem like the thing that I want to spend the next few years building. (For one thing, a half-hermit misanthrope like me is probably one of the worst people in the world to try building a social network.) So, instead, I'm throwing this post out there in a sort of cry to the universe, both to get it out of my head, and also in the vague hope that it infinitesimally increases the probability that somebody will figure out how to make it work.

This may be the dumbest theory of change that's ever been written down, but it's about what I can muster at this point in my life. On the other hand, if you back up and squint, in 2009 I predicted (sort of) both the business model of Patreon and Jeff Bezos's purchase of the Washington Post, so maybe the universe will again cough up something resembling my half-baked ideas.

Bonus thought: once you have the idea of tentpoling in your mental toolkit, you will begin to see echoes of it in many places. For example, nearly every software package is sometimes hard to use. But some users have the inclination and capability to become expert in that software, and then spend effort helping others cope with it. These helpful experts are technical (rather than financial) tentpoles, paying the cost of onboarding and support for users in some radius around them. Every geek who serves as tech support for their parents' devices is holding up the tent of Microsoft or Apple or Google or whatever over their family.

In fact, many instances of free riding can be thought of as tentpoling on some level. I suppose the difference between the concept of tentpoling and free-riding in general is that tentpoling is voluntary and has a significant dimension of locality in the social graph.

[0] Arguably, there is also a market in lemons for software services that offer users privacy and control. This is a separate issue and much too big to tackle in this post.

[1] On a vaguely related note, observe that Maciej Ceglowski has repeatedly suggested that Twitter should adopt an ordinary-freemium model where users just pay money for additional features. It is an interesting thought puzzle to contemplate why Twitter has never even experimented with doing this. There seems to be a real organizational dynamic in business that once a company settles on an advertising-supported revenue model, this sucks up all the oxygen necessary for alternate revenue models to breathe, and I do not entirely understand why. Consider how long it took for YouTube to offer YouTube Red; although this is also a case which proves that it is not impossible for the alternative model to break through.

Monday, September 25, 2017

What's the point of Facebook alternatives?

It is clear at this point that Facebook has a monopoly on online human-to-human interaction that no private forces, market or otherwise, will break in the foreseeable future. The network effects from a billion users are unsurmountably large. If we take Metcalfe's Law literally, even a social network that accumulates a hundred million users will be a hundred times less powerful than Facebook.[0] In fact, you're probably confused by the title of this post: What Facebook alternatives?

Facebook is furthermore unlike the other American technology giants in that it alone locks up all its users' interactions inside its walled garden. Apple, Alphabet, Amazon, and Microsoft are, to greater or lesser degree, porous at the edges — you can use an iPhone to chat with people who don't have iPhones; you can use Gmail to email people who don't have Gmail; buying things from Amazon doesn't prevent you from buying other stuff elsewhere; even Microsoft has realized belatedly that it is not the center of the universe & its products have started playing nice with others. But Facebook locks up your posts, locks up your photos, locks up your entire social identity inside its prison. There simply is no way to interact with Facebook users except by creating a Facebook account yourself and creating content that further entrenches Facebook's monopoly.

The gradual decay of open Internet protocols as human interaction disappears down the black hole of Facebook's ever-expanding digestive tract has been one of the great disappointments of my lifetime. In the end, AOL seems to have beaten the Internet after all.

I have opted for only de minimis engagement with Facebook, and more or less refuse to communicate via its platform. This has probably attenuated some of my relationships with people in a regrettable way (if you're somehow reading this and you wish this hadn't happened between us, send me email! it still works!) but the actions of conscientious objectors like me have not made the tiniest scratch on Facebook's dominance.

It is only a matter of time before governments realize that this entity must be regulated, whether under antitrust law or otherwise. The question is what will happen then.

In my opinion, it is clear what the ideal outcome would be: forcing Facebook to adopt open APIs that give users transparency, portability, and interoperability. Users should be able to see the data that Facebook has stored about them. Users should be able to export that data in toto to competing platforms. And users should be able to interoperate between Facebook and other social networks — a future version of Diaspora*, for example, should be able to see and interact with Facebook content generated by that Diaspora* user's social network, and vice versa; interactions between users across platforms should be reflected accurately on both sides. A user would thus be able to leave Facebook without severing their ties to the users they have left behind.

In a world where these APIs existed, users would have a way to reject Facebook's toxic business model and questionable privacy practices without exiling themselves from their social life. In Hirschmanian terms, users would have the option of exit, not just voice, as a way of signaling dissatisfaction. Facebook would probably even get healthier, as a product, as a result of the opportunity for meaningful competition.

This outcome is exceptionally unlikely. Government regulation of Facebook, although likely inevitable, is also likely to be ham-fisted and ineffective, simply because governments are terrible at understanding technology and rarely have the political will to impose effective solutions even if they knew of them. The last time the U.S. government, for example, used antitrust law against a technology monopolist, it basically bogged down the company in red tape for a decade but did little to meaningfully give its competitors an opening in the allegedly monopolized market. Windows is still by far the most widely used desktop operating system and the web browser that finally dethroned Internet Explorer on Windows did so through incredibly aggressive Internet marketing, not by using the remedies forced on Microsoft by antitrust law.

However, there is one thing that technologists might be able to do to make the desirable outcome marginally more likely, and that is to develop the protocols, and plausible implementations thereof, that would allow effective federated social networking to be mandated by government decree. Diaspora* may have made a significant dent in a subset of the technical problems, but there are significant open challenges inherent to federated social networking that I suspect have not been solved.

Critics of Diaspora*, Mastodon, etc. thus misstep when they observe that organic growth of these platforms is limited. The ultimate destiny of a successful federated social networking protocol, if one ever arises, will be to stock the toolkit of a future regulator, not to overtake Facebook via organic growth.

There is enormous inertia—a tyranny of the status quo—in private and especially governmental arrangements. Only a crisis—actual or perceived—produces real change. When that crisis occurs, the actions that are taken depend on the ideas that are lying around. That, I believe, is our basic function: to develop alternatives to existing policies, to keep them alive and available until the politically impossible becomes politically inevitable.

Milton Friedman, Capitalism and Freedom

[0] 100M is, to an order-of-magnitude approximation, the size of Snapchat's active user population. Observers who think Snapchat is a credible challenger to Facebook are off by a factor of a hundred, not a factor of ten.

Wednesday, August 02, 2017

How important is decidability in programming tools?

Hoisted from the drafts folder because the discovery that TypeScript's type system is Turing-complete is making the rounds.

It's a common assumption in the programming language community that practical type systems should be decidable. Or, at least, it used to be: in the early 2000s, I had a grad school colleague who spent a lot of time trying to invent restrictions that made the type system of Cecil decidable, and people seemed to feel that his formalization of Cecil would be unreasonable if he could not solve this problem.

Over a decade later, it's well-known that Java with generics and wildcards was undecidable for years before people even realized it. Furthermore, devising restrictions to the type system that achieve decidability seems to be an open research problem.

Did hundreds of thousands of Java programmers experience an existential crisis when Java with generics was found to be undecidable? Are they waiting with bated breath for researchers to solve this urgent problem? I'm pretty sure 99.99% of them don't know that the problem exists and won't notice if it's ever fixed.

Meanwhile, the PL research community has mostly gotten bored of object-oriented languages and type systems thereof, and moved on to other things. And the functional programming community (or some fraction thereof) has embraced Scala, whose type system is also undecidable.

Conversely, it is well-known that in ML, it is possible to write a program by hand on a single sheet of paper that will take longer than the lifetime of the universe to typecheck, because Hindley-Milner is superexponential in the worst case.

What is the practical difference between a typechecker that can hang until the universe is a cold, featureless void of uniformly distributed entropy and a typechecker that can hang forever? In both cases, you would hit Ctrl-C after a decent interval and rewrite your program. Would it make much difference if ML's type system were undecidable? Probably not.

I remember standing up at an ECOOP talk one year and asking a question along those lines. The researchers had made a big deal about the importance of decidability for the problem they were solving, and I asked why it was so important. The presenters seemed to think the question was ridiculous and I'm pretty sure everyone else in the room thought so too. I probably didn't word my question well — I wasn't a good researcher and I'm not proud of my time in academia — but I still think I was basically right that one time.

The important thing is that tools have tractable runtimes for the programs that people want to write. Unfortunately, "tractable runtime for reasonable programs" is much harder to demonstrate using the formal and empirical tools that exist today than "decidable for all syntactically valid programs". And the gap in available intellectual tools has led a research community to handcuff itself needlessly in hunting for useful results.

Sunday, May 07, 2017

On the efficacy of online flamewars

Excavated from the drafts folder for no particular reason.

Isn't it great how, since the Brendan Eich affair, all his online defenders have become active labor rights organizers, fighting for workplace political freedom for all? Galvanized by the realization that not only CEOs but all workers deserve robust protections for their political beliefs, Eich's erstwhile defenders channeled all their passion into effective political action. Which is why Congress will vote this week on a bill with three key provisions: first, it outlaws any form of workplace discrimination based on political speech or activity conducted outside the office; second, it handsomely funds an investigative division of the FBI tasked specifically with working with the NLRB to track down and prosecute violators; third, by analogy with the Foreign Corrupt Practices Act and the 2003 Protect Act (which grants American prosecutors broad latitude to charge Americans who molest children while abroad), it makes it illegal for companies operating on American soil to subcontract work to overseas employers which restrict their workers' political rights.

There was never any danger that Eich's defenders would just basically forget about the whole affair and get on with their lives. Ha ha! Yeah that definitely couldn't have happened, given how deeply committed these people were to the principle of workplace political freedom. It's not like they only care about workers' rights when it's an incredibly wealthy white male celebrity who is being criticized.

Likewise, when the dead bloated corpse of patriarchy is laid to rest this fall, everyone will have to recognize that the great Twitter Flamewar of March 2014 was really the spike through its heart. No, not that one, I mean the other one, the one where we all wrote angry all-caps tweets at that one dude, he was totally mansplaining and stuff, you remember the one I'm thinking of.