The tradeoff between security and liberty often comes up in the USA. The context is usually infringement of civil rights vs the threat of terrorism. This tradeoff is seen in an entirely different context when Apple’s approach to data security on its newer Mac computers.
Mac computers that have the Apple T2 Security Chip integrate security into both software and hardware to provide encrypted-storage capabilities. Data on the built-in, solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine built into the T2 chip. This encryption is performed with 256-bit keys tied to a unique identifier within the T2 chip… The advanced encryption technology integrated into the T2 chip provides line-speed encryption
On Mac computers with the Apple T2 Security Chip, encrypted internal storage devices directly connected to the T2 chip leverage the hardware security capabilities of the chip. After a user turns on FileVault on a Mac, their credentials are required during the boot process… Without valid login credentials or a cryptographic recovery key, the internal APFS volume… remains encrypted and is protected from unauthorized access even if the physical storage device is removed and connected to another computer… all FileVault key handling occurs in the Secure Enclave; encryption keys are never directly exposed to the Intel CPU
But. To accomplish this, the hard drive must be soldered on to the same board that the T2 chip is. The same Apple doc clarifies:
Encryption of removable storage devices doesn’t utilize the security capabilities of the Apple T2 Security Chip, and its encryption is performed in the same manner as Mac computers without the T2 chip.
Which means that when you buy a computer with such a T2 chip, you get the benefit of high-grade default-on encryption at nearly zero overhead, but at the cost of never being able to upgrade your hard drive size for the lifetime of the device.
… the T2 chip could render a computer inoperable if, say, the logic board is replaced, unless the chip recognizes a special piece of diagnostic software has been run. That means if you wanted to repair certain key parts of your MacBook, iMac, or Mac mini, you would need to go to an official Apple Store or a repair shop that’s part of the company’s Authorized Service Provider (ASP) network…
For Macs with the Apple T2 chip, the repair process is not complete for certain parts replacements until the AST 2 System Configuration suite has been run. Failure to perform this step will result in an inoperative system and an incomplete repair.
I see Apple’s gravitational pull make privacy more widely discussed than otherwise, causing other major tech companies to pay at least lip service to it. In the next few years, I think we will see new companies emerge that take a bold privacy-first stand because of Apple’s position on this. We’ve already seen Apple, Cloudflare and Fastly collaborate on a new privacy-oriented enhancement to an already privacy-oriented DNS lookup standard.
However, it increasingly seems that in its own ecosystem, Apple’s making it clearer than ever that the cost of this security is inherently going to be near-zero freedom to customise, repair or upgrade your hardware.
In “fintech”, which is where my day job is, many companies create algorithms to calculate people’s ‘risk profiles’. That can mean different things in different contexts. For investment-tech companies, a person’s risk profile usually determines what set of investments to recommend the person. (those investments are then sometimes automated via another algorithm). For credit-tech or lend-tech companies, a risk profile is a measure of how likely the person is to default on their loan, and that determines yes/no decisions, documentation, collateral, lending rate among others.
“Consumer reporting agencies, including credit bureaus, tenant screening companies, or check verification services, amass this information from a wide range of sources: public records, social media, web browsing, banking activity, app usage, and more. The algorithms then assign people “worthiness” scores, which figure heavily into background checks performed by lenders, employers, landlords, even schools.”
“Their comprehensive influence means that if your score is ruined, it can be nearly impossible to recover. Worse, the algorithms are owned by private companies that don’t divulge how they come to their decisions. Victims can be sent in a downward spiral that sometimes ends in homelessness or a return to their abuser.”
Even if a private company were forced to describe their algorithm, dissecting code in a court case is remarkably different from dissecting facts. As one of the lawyers handling such cases put it, “Am I going to cross-examine an algorithm?”
The unfortunately prescient series Black Mirror aired an episode back in 2016 that described a world ruled by people’s social scores, scores that real estate firms used to screen potential customers. As it turns out, reality has managed to out-dystopia a dystopian fictional series.
A scammer can use the same tricks against you on your other accounts, like your Gmail. Such attacks are more common than you think. According to this BBC article from April, Google was blocking 100 million phishing emails a day.
What does a Gmail phishing attack look like?
Phishing techniques improve every day, and are quite sophisticated even today.
You could get an email that looks like it’s from Google, but is not, asking you to tap a button – it could say it’s for account maintenance, to accept new terms and conditions, to download a Google Doc someone’s shared with you or a number of other things.
When you click on the button in the email, you get a screen that looks like this:
This screen looks like it’s from Google, but it isn’t. The only way to tell is by carefully looking at the URL (the web address in the bar). For most of us who are perennially distracted, it’s really hard to tell the difference.
You enter your username and your password, but it’s read by the attacker instead of by Google. You have lost control of your account. Your attacker can now use Google’s security features against you and log you out – from your browser, your Gmail app, Google Docs – everything.
If someone gets access to your Gmail account, or any other email account like Yahoo, Outlook or iCloud, they could then get into other your other accounts – Instagram, Facebook, Snapchat – by sending a password reset email to that email account, and then changing the password.
How do I protect Gmail – and my other accounts?
Gmail has support for two-factor-authentication, that is, support for a second layer of protection beyond your password/OTP.
This second layer is a six-digit code that you enter after you have entered your email address and password on a new computer/app install. So you see two login screens, one after another, instead of one.
As we will see in detail below, the scammer may be able to trick you into giving up your Gmail password, but it’s really hard for them to be able to get your two-factor code.
Not just Gmail/Google, here is a list of common accounts that you can and should enable this two-factor-authentication for:
Gmail (or Google) account
Apple iCloud account
Facebook
Instagram
Snapchat
Linkedin
Twitter
Dropbox
But, you ask, how is it practical to remember six-digit codes for all these accounts? Surely it isn’t wise to use a single code for all these accounts.
That’s right. In fact, you don’t need to remember any of these codes at all.
You will use a new app, Authy, to generate new six-digit codes whenever you log into Gmail or these other accounts from a new phone or computer.
Authy is a dedicated two-factor-authentication app (now owned by the Internet infrastructure company Twilio.) You can see a screenshot of my own Authy app with two-factor set up for several accounts.
You can see that Authy’s auto-generated a code for one of my accounts which I can just type when I login. So I get the full benefit of this second layer of protection without remembering codes for any of these accounts.
You can install Authy on more than one device – say your iPhone and iPad. You can even install it on your desktop computers. You secure the app itself with an Authy password – which is the only password you need to remember (or store in your password manager).
Setting up your Gmail account with two-factor protection using Authy
Keep the following handy: the Gmail app on your phone. And a laptop browser window.
Now. Login to your Google Account Management page at accounts.google.com. Tap the “Security” section on the left. Scroll down to the “Signing in to Google?” section. You’ll see that “2-step verification’ is off. Click it.
Now you’ll go through a simple wizard to set up your two-step verification. Tap Next on the Introduction screen:
Tap “Continue” on the next screen, titled “Use your phone as your second step to sign in”
Now on the next screen, the wizard says that Google has sent a notification to your Gmail app.
Launch the Gmail app on your phone and instead of your inbox, you’ll see a login notification. Tap Yes.
On the next screen, “Backup”, tap “Use another backup option”
You’ll see a bunch of recovery codes. Tap “Download”. Rename the text file to “Gmail Recovery Codes” and save the file in your My Documents folder.
Just one more step: On the next screen, under the “Add more second steps to verify it’s you”, tap the “Authenticator App” section.
On the next screen, choose whether you have an iPhone or an Android phone. I picked iPhone, but the steps are the same.
On the next screen, you’ll see a QR Code displayed.
Now on your phone, open the Authy app. Tap “Add Account” and pick “QR Code”.
Scan the QR code on your laptop screen. Your Authy app will immediately identify and add the account. And start displaying six digit codes.
The screen on your browser will automatically refresh to ask for a six digit code. Enter the six digit code that’s displayed on your phone’s Authy screen.
You’re done! Now, when you sign in to Google or Gmail or Google Drive on a new browser on your laptop, or a new app install on your phone, you’ll enter both your username and password, and then the latest six-digit code on your Authy app. That’s it!
Logging into Gmail with your new, secure two-step flow
Here is what your new login looks like. First, your user name and password as usual:
Your account’s login screen will then ask you for your second-factor code.
At this point, you look for the code in the Authy app. Authy will generate a code that is valid for a maximum of 30 seconds.
Type this code in the login screen and you’re done!
Why two-factor authentication protects your Gmail account
Let’s go back to the example at the beginning of the post. We saw how you could receive an email that looked very much like it was from Google. It has a link for you to click – the email could say that it was for account management, reviewing and accepting new terms and conditions, or a number of other things.
You don’t review the sender’s email address, which Gmail and other email apps usually collapse, and you need to tap a button to reveal. You think it’s a legitimate email, click on the link, and are taken to a very realistic-looking Google authentication page, asking you for your email address and password, which you enter.
At this point, because the web pages were hosted by a scammer and not by Google, they now have your password. They can now log into Gmail – or your Google Account and prevent you from logging back in.
But if you had 2FA set up, once the scammer entered your email and password into the Google login screen, they would be asked for your second-factor code. They don’t have it. They have no way of going back to you and asking you for another code.
But could they not have asked me for the second-factor code when they displayed the fake pages? Here’s the problem for them: they have no way of knowing in advance if you have two-factor authentication enabled on your account or not.
Finally, when they attempt to log in using your (scammed) password, you’ll get an email immediately from Google, which looks like this:
You’ve probably seen this email often – but don’t ignore it!
You will know immediately that something is wrong, since this was not you. Once you know this, you can – and should – change your password right away.
(You’d get this email even if you did not have 2FA setup, but by that time it’d be too late, since the attacker would have logged in to your account).
Protecting from really malicious attackers
But what if the scammer was someone who knew you, who is targeting you specifically, who knew – somehow – that you have two-factor turned on, and custom-built a two-factor flow to phish you? A couple of things:
One, your two-factor code is only valid for 30-second intervals. Subtract from that the time it takes for you to look at the code, memorize it, switch back to the login screen, type it (or, if you copied it, then paste it), and tap next. The attacker now needs to copy that code from their malicious code into the Google login screen they’re using to get into your account within whatever few seconds are left. It’s not impossible, but it’s really hard, and even harder to get right in the one shot that they have.
(And it’s not like the 30 second countdown starts when you open the Authy app. Try it – you could well open the app midway through a 30-second cycle, so the time the attacker has is even less).
Two, when you log in with your two factor code on any browser, select the ‘Don’t ask again on this computer’ box on the two-factor screen:
Why would you want to tell the browser to bypass the second factor? Because access to your browser is safe – since it’s on your password-protected phone or computer – and now you can distinguish between a trusted and an untrusted page. How?
Let’s go back to the truly malicious attacker, who has found out beforehand – somehow – that you have set up two-factor authentication, and has created a fake Google-like flow that asked you for your second-factor code. You are fooled by the genuine-looking email, and you click on the link. Your browser opens. You are further fooled by the genuine-looking login page, so you enter your username and password. Now you see a genuine-looking second-factor page.
At this point, you should immediately be suspicious – you’ve explicitly specified to this browser that you don’t want Google to ask you for a second factor code. That should tell you it’s not a genuine web page, and you can pause and check the email and the login page are genuine.
Links to set up two-factor authentication for Instagram, Facebook and other social media
Authy has helpful guides with steps and screenshots for setting up 2FA for many common services. Everything above on how 2FA protects your Gmail account is applicable for all the services below.
If you own an iPhone, Mac or iPad, you should also turn on two-factor authentication for your Apple iCloud account using these instructions. The only difference is that you don’t need to use Authy. Apple will send the second-factor code to one of your devices as a notification.
Remember
In each case, choose to use an ‘authentication app’ over using ‘SMS’. Add the account to Authy in the same way as in the Gmail example above.
In each case, save any recovery codes that are displayed on screen. In the rare case that you are locked out of your Authy account AND need to use your second factor for one of your accounts, you can use one of these recovery codes to log in.
So. I hope this gives you a good idea of not just the what, but also the why and how of protecting your accounts with two factor authentication.
If more of us do this, and spread the word, we can defeat phishers and scammers – something unimaginable today.
Appendix: questions I usually get about two-factor authentication
Why not have my second factor sent to me over SMS?Why bother with a whole new app?
After all, this is how the “3D secure” protection works on credit card payments. Your credit card number and expiry are like your username, your CVV is your password, and then the SMS you receive from Visa or Mastercard or American Express or RuPay is your second factor.
The problem is that SMS as second factor is known to be insecure. Motivated attackers have been able to take control of your mobile number itself using a technique commonly known as SIM swap. After such an attack, your SMSes are now sent to their phone instead of yours. This 2020 CNET article describes this method:
Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your Social Security number, data that tends to get leaked from time to time from banks and large corporations. Once a hacker has redirected your phone number, they no longer need your physical phone in order to gain access to your 2FA codes.
Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces.
As of today, it’s unlikely that a casual attacker will resort to SIM swapping or an SS7 attack. But don’t discount malicious attackers – ex employees/teammates, a relationship that ended badly, a competitor, or someone who values access to your email/social media to get info about someone you know.
Why use two-factor codes instead of Google’s default notification system?
Google today pushes you to use its notification system as your second factor. This doesn’t require you to copy and paste time-sensitive six digits codes, ostensibly making your second factor login experience simpler. This is how it looks. After you enter your email and password, you see this screen:
If you open your Gmail app, it’ll open to this screen:
If you tap yes, your browser proceeds to your Gmail/Google Drive/whatever Google service you were logging into. This works across devices – you could be logging in on your laptop and tap Yes in the Gmail app on your phone.
Clearly there are advantages.
One, you’re not reading and re-typing six digit codes, so there’s no chance you’ll mis-type anything.
Two, it’s a single tap, so it’s much faster – there is no chance that the code will have expired by the time you paste it.
Three, the notification shows you the location of where the login is taking place. If your attacker isn’t in the same city as you, this is an immediate sign something is wrong. Same with the device. If you don’t own a Mac, and the notification shows that the login is taking place on one (like in the screenshot), you’re being phished.
Four, the 2-step verification screen lists the names of your device(s) that have Gmail installed. You can see that the text in the screenshot says “Google has sent a notification to your Rahul Gaitonde’s iPhone and Rahul’s 12.9” iPad Pro”. It’s almost impossible for an attacker to know this level of detail about you, so the fake two-factor screen that they present to you will almost certainly not name your devices.
So why should you use the Authy app instead of this seemingly elegant method?
One, everything we’ve seen above only applies to your Google account. To secure your Instagram, Facebook, Snapchat, Uber and other accounts, you’re going to need a code-based method anyway. Simplify your life. Use one solution instead of many.
Two, there is a real security downside.
Let’s revisit our walk-through of the phishing attempt. You’ve been fooled into clicking on a phishing email, fooled into entering your email and password on a phishing login page. In addition, your attacker, who is targeting you personally, has determined that you do have two-factor on, so they’ve created a page that resembles the 2-step verification screenshot above. As you enter your user name and password, they copy the password into an actual Google login screen, ready to get into your account.
Now, since you’re distracted, it’s likely you’ll fail to notice the location and device in the 2 factor notification in your Gmail app. After all, you haven’t noticed that the email – and these login screens – aren’t genuine. So. If you tap the notification (because you think you are in fact logging in), your attacker is in – instantly.
Contrast this to if you had pasted or typed your two-factor code. As we have seen above, it’s time-sensitive. And therefore
… your two-factor code is only valid for 30-second intervals. Subtract from that the time it takes for you to look at the code, memorize it, switch back to the login screen, type it (or, if you copied it, then paste it), and tap next. The attacker now needs to copy that code from their malicious code into the Google login screen they’re using to get into your account within whatever few seconds are left. It’s not impossible, but it’s really hard, and even harder to get right in the one shot that they have.
(And it’s not like the 30 second countdown starts when you open the Authy app. Try it – you could well open the app midway through a 30-second cycle, so the time the attacker has is even less).
In the case of the Gmail notification, the attacker doesn’t have to do any work. You tap the notification, they’re in. In this case, they have to read, copy, paste the code and tap Go within a tiny unit of time that they don’t know.
Why use Authy instead of the Google Authenticator app?
Google’s guides heavily promote their own Authenticator app over others like Authy. Even their code-based two-factor login screen refers only to the Google Authenticator app:
I’ll point you to Authy’s comparison guide, but here are the main bits: Google Authenticator is only available on mobile devices (not Macs or PCs), it can only be installed on one device at a time, it can’t restore from encrypted backups like Authy can.
The one-device limitation has caused problems in the past,. Due to a combination of factors, I was once forced to reach out to Google support to restore access to my account:
If I had been able to install Google Authenticator on my iPad or Mac, this wouldn’t have been an issue at all.
Disclosure: I own stock in Twilio, which owns Authy. I have no other relationship with Authy and received no compensation from Twilio/Authy for this article.
… these ideas often formed at the seam of the “natives” versus the “immigrants.” If you are Instagram-native, what you consider a great idea for a new retail space or ecomm brand is likely very different than someone who isn’t exposed to the same thousands of pics…
The upcoming generation are using tech in a different way. They are Fortnite-native. Minecraft-native. They are streaming-native. They use “insta” differently. Food delivery will be considered a human right. The expectations will be very different.
I often think about how different generations think about the Megatrends and Big Questions that we explore on this site.
Xennials like me were born in a mostly analog world, but grew up when PCs became common in people’s houses. Millennials always had a PC in their houses, connected to the Internet, and grew up with Nokias and Motorolas. Gen Z have not experienced a life before smartphones with 3G connections.
I think that the answers to making the right choices about each of these issues is timeless, but it is the natives, to use Andrew Chen’s term in this context, who will get the word out most effectively. Building an audience will come naturally to them. And because they have navigated social networks in their most socially fraught years in school, are well aware of an audience’s value as capital.
Immigrants like me will use more traditional mediums, like this nearly two decade old blog, and traditional models, like the megatrends and big questions, to raise awareness.
Last week, a friend of mine called me saying she had been locked out of her Whatsapp account on her phone, and someone else was logged in to Whatsapp as her.
My friend had received a message from one of her friends, saying that a code had mistakenly been sent to her number as an SMS, and could she please send it. Since the message came from a person my friend trusted, and in parallel, she had in fact received an SMS, she sent it.
Right away, she was logged out of her Whatsapp app.
My friend had been phished.
Phishing is an example of social engineering techniques used to deceive users.
Users are lured by communications purporting to be from trusted parties [such as friends]… typically carried out by email spoofing, instant messaging, and text messaging
My friend then told me that this attacker had then gotten control of friends’ and relatives’ accounts by simply repeating what the attacker had done with her.
The friend could not log right back into her account because Whatsapp imposes a limit on how frequently you can log into new phones. This is presumably to guard against situations like this, but the result was that the legitimate owner of the account had been locked out.
Eventually the attacker tried to get control of my account. This is the message I received from my friend’s Whatsapp:
And of course, in parallel, I had received a message from Whatsapp itself:
You can see how, if you’re in the middle of something, that you could distractedly copy and paste the OTP text – and lose control of your account before you knew what happened.
The attacker had simply entered my number into a Whatsapp login screen on a phone, triggering an OTP to my phone. Since they already had control of my friend’s account, they then messaged me as her, saying exactly what they had at the beginning of this post – that the OTP was meant for her but was sent to my number, could I please send it?
“So what? You can’t log into my bank from Whatsapp”
In a discussion about this later, someone had asked
“What do you get by hacking someone’s WA. It’s not like you can use the OTP for logging into bank accounts?”
Even if damage is not financial, it could be worse. A compromised Whatsapp account is a form of identity theft. This friend is in a leadership position. Whatsapp is a big part of their engagement – her team and key customers are all on Whatsapp. As are groups with parents, family, friends, professional groups.
My friend later wrote to me
The person who took over btw after a while went nuts…booted people out of my groups where I am admin, started writing gibberish and changed group names to angry faces etc
This is embarrassing, and it could have been a lot worse. Plus, after the fact, she had to do a form of contact tracing to find out who else had been phished via this compromised account, and if they had suffered any reputational damage.
How to protect yourself from such an attack
Turn on two-step verification. It’s under Whatsapp ➝ Settings ➝ Account
Do it now. Stop reading this article and do it, and then read on. It takes under one minute to setup.
To reduce the chances of you forgetting your six digit code, Whatsapp will occasionally ask you to enter it when you launch the app – not every time, but just enough that you stay familiar with what it is.
Here is why two-step verification (also called two-factor authentication) makes it all but certain you will never fall for a phishing attack:
When you set up Whatsapp on a new phone, or re-install it on the same phone, you now need to go through two verification steps. One, you enter an OTP that’s sent to your phone. And two, you enter this six-digit code.
An attacker who has phished your friend’s Whatsapp account may trigger an OTP for your number to your phone, and may message you asking for it. You may even be fooled into sending it to them. But Whatsapp will then ask for your six digit code. Now the attacker can’t pull the same trick saying they need a six digit code for their account – no, they have to explicitly ask you for your account’s six digit code.
Even if they’re posting as your friend, it is highly likely you’ll suspect something’s up.
So.
Do protect your Whatsapp account with two-factor authentication. Do get your parents, siblings and friends to set this up. Phishing is social engineering, and, like so many of our problems, has a social solution.
End note: What happens if you do forget your six digit two step verification code?
Well, Whatsapp will send login instructions to the email account that you provide when you set up two-step verification.
But what happens if the attacker first gets control of my email address? The verification code will be sent to an inbox that the attacker has access to.
Well. You protect your other accounts with two factor authentication as well. Especiallty your email address – for many, also their Google account. This is my guide on how to do that, without needing to remember several such six-digit two-factor codes:
The youtube-dl project is no longer available on Github. A crying shame. youtube-dl is used not just to pirate – it’s also to archive videos of protests & rights violations before they’re taken down – depiction of violence is a violation of YT’s TOS! 1/
Youtube-dl is a legitimate tool with a world of a lawful uses. Demanding its removal from Github is a disappointing and counterproductive move by the RIAA. https://t.co/VUbTokd4cP
It’s to archive videos of public events, which may have nothing to do with music. Even when they do have to do with music, as this artist says, youtube-dl was why he had a copy of his *own* performance: 2/
I've used YouTube-DL to download lectures, free documentaries, debates and discussions, interviews, and NASA video footage. But because the program can be used to download music, it clearly should be taken down.
I use the tool occasionally to create a copy of rare versions of 50-year-old+ Hindi film songs that perhaps a few dozen people are interested in anymore, and which you won’t find on iTunes or any store. But they’ll be lost to the world if that YT account ever goes offline. 3/
youtube-dl will likely be down until the creators find an alternative repository, which will likely also be an RIAA target, very likely pushing it onto the Tor network, which’ll definitely get it labelled in the mainstream press as a piracy enabler – that‘ll be the narrative. 4/
More than anything, Github’ acquiescence sets a very worrying precedent. As this tweet says, cURL (& wget) are widely used open-source projects to download a wide variety of content. You could make the same case to shut these projects’ hosting down. 5/
Do I know anyone at @Github? This is bullshit. We’ve used youtube-dl before for a project archiving activist videos about BLM/police brutality.
This should be a loud wake-up call for the @mozilla Foundation, the Electronic Frontier Foundation , the Free Software Foundation – on their watch, a Microsoft business unit became the world’s most popular code hosting service, including for critical Internet projects 6/
The FSF had plans for its own code hosting service in Feb but it doesn’t look like they’ve reached a decision, much less begun execution. Sadly, paid, full-time teams will almost always execute *faster* than volunteer teams like in the FOSS world. 7/ https://libreplanet.org/wiki/FSF_2020
Censorship-resistance needs to be a top-level criterion for evaluation, for anyone who is building anything of value for the Internet. A strictly free (or open source) code hosting platform is of no use if it or its projects can be taken down just like with youtube-dl. 8/
This should be an equally strident wake-up call for other projects – such as @The_Pi_Hole, which I have written about so often, and which are hosted on github. If the RIAA has gotten its way, the much larger online advertising industry could very easily act next. 9/
There are so many other projects that survive publicly ONLY because they either fly under the radar or have not yet been targeted. Two that immediately come to mind are the Calibre project and its (independent) Kindle De-DRM plugin. 10/
Another thought that struck me after the thread is that a USA-centric industry association filed a notice under USA law to a USA-based company, Github/Microsoft, and knocked offline a project that
had contributors from all over the world
was forked by people all over the world
made a tool that was used by people from across the world
to download videos and knowledge created and posted by people from around the world
We think of the Internet as a shared resource. Practically, it is subject to the laws of just a few countries, especially the USA, and a few massive companies, also mostly registered in, and subject to the laws of, the USA. This is not a criticism of the country – such centralisation of authority and control in the hands of any one or few countries is detrimental to the future of the Internet as we know it.
I will probably have more to say about this, but this is it for this post.
Finally, Google operates its core search engine, which is the home page for every Chrome browser and used daily by nearly every person connected to the Internet (except by those in China).
This puts Google in a uniquely powerful position to tackle misinformation on the Internet. It could build those misinformation blocklists into the browser itself. It could make them part of its public DNS resolution. It could build them into into search results, warning people before they even clicked on the search result to a navigate to the website.
Unfortunately, it has little incentive to do so. Google’s business is built on advertising. If it blocks misinformation but not intrusive advertising, it is hypocritical. If it blocks intrusive advertising but not its own ads, it is even worse hypocrisy (even though it has begun to block some of the worst offender).
Finally, Google’s positioning of neutrality on the Internet is an asset in its efforts to avoid being labelled and prosecuted as a monopolist. It cannot afford accusations of actively and flagrantly censoring web search results, as necessary and healthy for the Internet as it may be.
To conclude
Over this series, we’ve seen how harmful to a society misinformation can be, how, just like spam, it’s cheap to create and propagate but hard to research and refute.
We’ve seen how it is not in social media’s interests to tackle misinformation, how it’s a community problem and incumbent on us to solve. To that, we have explored possible ways and existing/past services to counter misinformation – on the web, Twitter and other social media. Not all of them exist or are even simple, but they are all opportunities.
Finally, this post was a thought experiment about bending the Internet’s neutrality to make it a safer place. We saw how Google is in the most powerful position to identify and hamper misinformation, but how doing so would threaten it both commercially and politically.
It doesn’t make for hopeful reading. But it’s becoming even clearer to me that the solution to misinformation – just like the solution to spam – is bottom-up and community-led, not top-down. We have grown accustomed to a steady stream of free-to-use services and apps from large tech companies. As a consequence we look to them to solve our problems. We, especially the readers of this site and similar ones, must recognise that tech companies benefit by enabling our addictive behaviours, not by encouraging thoughtful and responsible ones.
So one could imagine a situation where Cloudflare creates/maintains a list of sites and URLs that are known for spreading misinformation, or are known to contain incorrect/false data. Or syncs with a crowdsourced list of such lists, much like the public ad-block lists we saw earlier.
When you click/tap a link that leads you to one of these websites or URLs, Cloudflare could first show you a page warning you about misinformation. If you still want to visit it, you can. This’ll go a long way towards staying safe and informed.
The advantage of this approach is that it’s baked into the internet itself. While yes, the Internet was designed to be neutral, it’s expanded to well beyond its user based fifty years ago – the scientific, academic and military community. Neutrality is a key tenet of the Internet, but when it begins causing harm, it needs to be revisited.
Either way, you’d still have to set Cloudflare as your DNS provider. A vanishingly small percentage of people change their DNS settings. Even if Cloudflare – or any of the other public DNS providers – actually implemented this sort of misinformation warning system, only those that were vigilant about it in the first place would care to use it.
For this block-list approach to be useful, you’d need to bake it into something on people’s computers and phones. That’s the web browser.
Ever since most browsers began supporting extensions, they have had the ability to block ads – there are excellent, actively maintained ad-blocking extensions that don’t sell your data – like Privacy Badger by the Electronic Frontier Foundation and uBlock Origin. These and similar extensions can be extended via blocklists to block – or warn of – misinformation. Browsers today also warn you of websites that may be suspicious, or do not secure traffic:
But just like with DNS, the number of people who install ad blocking extensions is tiny, and are biased towards those who are aware of the dangers of the Internet to begin with.
However, there is one company – Google – that is in a position to solve this for most of the Internet.
The excellent Block Together was a great idea – to share block lists between people on Twitter. As this Jan 2019 article described, you could discover block lists, add them to your account and pre-emptively block tens of thousands of accounts right away.
Earlier in 2020, though, its only developer declared that they were no longer able to develop it, and eventually shuttered the service.
I'm sad to be putting this project behind me, and disappointed that Twitter hasn't picked up this functionality and improved on it, but I am happy to have helped protect people against some of the abuse on Twitter, for a little while.
Not only could you import and export easily, Twitter intended for you to share block lists with/from your friends and followers. No longer.
In 2020, that functionality is no longer available. Twitter states that
… block list, a feature for people to export and import a CSV file of blocked account lists through twitter.com, is no longer available. However, you can still view and export a list of the accounts you have blocked through Your Twitter Data, found under your account settings.
Yes – it actually removed the bulk blocking feature – one that’s more important now than ever before. Exporting your block lists is now cumbersome because it’s part of your overall Twitter data export. For me, this export took about a day to be available. Creating public block lists, while possible, is harder than just five years ago.
The Twitter API still allows for blocking users, so one could create a Twitter app for the purpose of importing a publicly available block list into one’s account.
Other social media
While the concept of block lists is less applicable to Linkedin and Whatsapp, as we had seen in our article on spam, we should report misinformation in the same way we do unsolicicted mesages.
Web and email
Medium and Substack are two of the most popular publishing platforms as of 2020. Medium has the ability for readers to report articles. Substack doesn’t seem to have any such support.
Whoever builds a search and recommendation engine for newsletters should include in their algorithm a warning flag for those that spread misinformation or hate.
(Part 4 – how can web browsers and DNS providers help?)
We’ve often spoken on this site about ad and tracker spam on the web. But this year there’s also been an increase in spam across other mediums – phone, SMS, Whatsapp, Linkedin, Twitter and email. It’s likely this is partly because there are vastly fewer people outdoors, making any form of real-world advertising and messaging ineffective.
In any case, our messaging apps are our highest-priority inboxes. We leave notifications on because chat is both asynchronous and real-time, both personal and work related. That’s why spam on these messaging apps make a higher claim on our attention than, say, email.
Given how fragile and limited our attention is , we must take such casual abuse of attention very seriously. Each of these apps has methods to report and/or block spam. We should all use them mercilessly. It just makes your life better.
But not only is the payoff high for you, your effort makes other people’s online lives better too, by taking spammer accounts offline. None of the services we’ve listed above – and others ones you use – are decentralised. Certainly not Whatsapp, Linkedin, Twitter. Email’s become synonymous with Gmail. Your reporting and marking as spam blacklists that account for everyone else on the service. We have often discussed the dangers of ceding control of your data to large tech companies, but in this case we can use it to our advantage.
Spam is a community problem – and the only way we’ll tackle it is as a community.
Phone and SMS
India has had a do-not-distrub regulatory framework for dealing with spam for over ten years now. First, find out from your mobile operator how to get on the do-not-call registry. As of this writing, you can also send ‘START 0’ as an SMS to 1909 to opt-out of all promotional messages – but as with most government services, this doesn’t always work.
Then install the TRAI DND reporting app (iOS App Store, Google Play Store). Report every single spam SMS and phone call you get. Here’s me reporting spam:
Here’s a screenshot of my operator confirming complaints from other spammers:
I’m sure this doesn’t work 100%. See this article from the publication Moneylife on TRAI’s ineffectiveness. But I have seen a sharp decline in the SMS and phone spam I receive now versus a couple of years ago.
Email
On Gmail, when you report as spam, don’t bother with the ‘report spam and unsubscribe’ option that Gmail presents you. Bad actors take your unsubscribe response itself as proof that your account is active, resulting in further spam. Just stick to ‘report spam’:
If you’re using Gmail in another email app like Apple’s Mail.app, don’t mark as spam in that app – that feeds Apple’s filters. Take the trouble of addressing the problem at its source – go to the Gmail site or the Gmail app and mark as spam there.
Messaging apps
As for Whatsapp and Linkedin and other messaging services – reporting and blocking is 100% effective for you, and goes a long way to making sure that account doesn’t bother anyone else:
We are even more powerful on these new mediums: Whatsapp is tied to your phone number. If enough people report a spammer on Whatsapp, we’ll end up knocking that number off the service. The spammer now needs to get a new phone number, which requires going to a store and performing KYC. And yes, KYC in India can be spoofed, but the costs of getting a new number and a new SIM card are much higher than creating hundreds of new email addresses to spam from.
We can win
Just as spamming is asymmetric – a small number of spammers can impact many orders of magnitude more people – marking as spam is also asymmetrical. It only takes a small number of us to take a lot of spammers offline.
