This is exactly the sort "capability" that is designed to be used through the legal loophole of "you spy on our citizens and we'll spy on yours" which is the (realpolitik) basis of the Five-Eyes intelligence sharing agreement.
The various stunts that the Bundy family has pulled off prove less about guns being
> sufficiently potent weapons to give the government trouble
and prove far more about how the US federal government has and continues to be reluctant to pursue anyone that has support from "small-government" right-wing groups, even if they continuously ignore or break federal laws.
Making it hard to siphon personal data doesn't require manufacturers to prevent side-loading of apps.
A much better solution would be to create better permissions models (capability-based) for mobile devices.
As an example, one could build a granular permissions model which forced apps to be composed of multiple modules. Each module would have their own sets of mutually exclusive permissions.
An app that allowed the user to apply filters to photos/videos could be composed of two modules:
One which had read and create permissions for files the photo library along with read-only access to an app-local storage directory
A module which had the network communications permissions (exclusively by OS APIs that performed all the crypto[1]) and write-only access to the app-local storage directory (for downloading new filters)
By forcing apps to be broken up into separate modules and ensuring that all network communication is done from a carefully constrained sandbox (which can only read/transmit a tiny subset of data generated/available to the app), users could see exactly what the app transmitted without having to install their own self-signed root certificate (and maybe also jailbreak their devices if the app that they're interested in is using certificate pinning or ignoring the OS certificates).
The best way to technically combat a lot of this sort of data-slurping nonsense would be to force apps to have near[1] total transparency for all network communication for any user that wanted to see.
[1] The OS crypto API would have to provide a few authentication routines which blanked passwords, secret keys, etc. after use to prevent the unintentional leaking of secrets. Those APIs would obviously have to be designed to be resistant to malicious use by Facebook, etc.
I'm not suggesting that the manufacturer should be creating closed platforms to "secure" things for the user; I'm saying that closed platforms can't guarantee an increase in security but will guarantee the slow erosion of openness in all other platforms.
I'm well aware of how native apps are heavily marketed over their web-app equivalents because companies want to gather more data, get access to push notifications (on iOS at least), etc.
The only way that sort of corporate behavior by Facebook, etc. is to regulate how data about users can be collected and have real (potentially criminal) penalties for data collection without informed consent.
Technical solutions (like preventing side-loading) cannot possibly eliminate the thing driving the behavior; profit motive for stealthily gathering data to build "better" user profiles to lease to advertisers.
> ideological position that they should be able to do anything with the device
While there are people who make this argument purely on ideological grounds (similar to arguments you hear about individual freedoms vs collective rights), it's essential to recognize that _completely_ removing the ability of independent developers to write and run software if the manufacturer has decided they don't like that developer will slowly destroy the competition, creativity and freedom that created most of the technologies that are used today.
It's reasonable to make the argument that the manufacturer needs to secure the devices that they sell, even for users with low technical literacy.
Advocating for the manufacturers to be given total control over everything that every user can do with their device won't guarantee increased security, but it certainly would result in manufacturers being able to disable any software they chose to, regardless of legitimacy, without reason or recourse.
That's a prospect that is (IMO) far more terrifying than what it could prevent (some users falling for certain types of phishing attacks that install spyware).
Yeah, I think we're both in agreement that things need to change.
Fundamentally though, I think that there will have to be a bigger catalyst for that change to happen and while I think people are slowly becoming more aware of how bullshit the "consent" argument for data gathering is, I don't think a general "uneasy feeling about doing things online" will actually be enough to push for useful regulatory fixes when it would require going against the incredibly large resources of the various data-mining (credit & insurance industries, etc.) and tech lobbies.
One thing I would say about smartphones is that I think that humanity would probably be in a far better place (in terms of individual privacy) if mobile networks were about 10 years behind where they are now in terms of spectral efficiency and per-bit energy requirements.
That would mean that you would have fairly ubiquitous powerful mobile hardware where there was a serious performance/battery penalty to just transmitting data up to some cloud service at all times of the day but you'd still have enough local compute and storage to do just about everything that people use their phone for today (with the exception of mobile video streaming).
It makes me think that one of the sparks for a more privacy-respecting system could be if mobile data became very unreliable/expensive but phone/OS/app developers knew that they had to actually deal with this and couldn't just ignore the lack of connectivity. Unfortunately, I can't think of any situations where that could be the case which wouldn't involve some sort of massive social upheaval (like a war or significant and widespread infrastructure damage) so I certainly wouldn't be hoping for such an event to be the catalyst.
So I gave you a real-world example of a situation where someone could be harmed by loss of privacy, and then asked if you thought it was OK to advocate the destruction of a person's privacy in that situation.
Your response was that you would "much prefer the actual issue to be fixed" and that "When you fix the actual problem, the privacy become irrelevant".
Which (presumably intentionally) sidesteps the question of whether you think it is reasonable to advocate for the destruction of someone's privacy when it is likely to cause them harm.
In your advocacy for the destruction of privacy in this thread, you haven't proposed anything which could minimize harm for people who rely on privacy; in fact you have taken great steps to even acknowledge that there are people who could be harmed by the destruction of their privacy.
At the same time, you're willing to acknowledge that you don't want to post comments here using anything other than a pseudonym because "the problem is right now I can't". So you are admitting that you'd prefer to keep some privacy around your identity.
This could be a reasonable position if you were willing to acknowledge that people (other than you) could be harmed by the loss of their privacy. You have refused to acknowledge this and so that argument is untenable.
Finally, you stated that your argument was that "the loss of privacy by itself is not a problem". You haven't provided any evidence nor explanation of why you believe this to be the case and have refused to acknowledge the value of privacy, despite multiple examples and the obvious hypocrisy of not "practicing what you preach" (though I'd be willing to accept this if you didn't claim that privacy has no value whatsoever)
I did give an example of a situation where someone could be harmed and you didn't bother to address it.
I think you're just being disingenuous and I don't see the point in engaging any further in this discussion.
Oh right. I didn't think about the extra time that signal propagation through a big ugly ROM would take.
I my comment earlier about EDA tools being able to "simplify" the ROM into the die was probably a paraphrasing of what I was told about a tool.
The tool (or workflow) allowed a designer to go from a working prototype microcode ROM to a hardcoded gate circuit (presumably by the same sort of process that one can go through to simplify a logic statement that is in disjunctive-normal form).
This was information passed on to me second hand from quite a few years back now so I probably should've tried to look up some primary sources before writing my comment! Oh well.
I don't know if the latency spike is caused by sensors detecting the extra vibrations and delaying a read or seek operation or if its just vibrations causing minor read-head errors which either require a 2nd pass (that isn't reported through to the OS via SMART) or some sort of extra processing to pull the correct signal out of the raised noisefloor.
Edit: person shouting at the disks is Brendan Gregg, not Bryan Cantrill.
I was specifically referring to the process of instruction decode, but I may be using the incorrect terminology.
My understanding (as explained to me by someone who did work on some CPU-like ASICs) was that they were able to produce the early versions of ICs with some form of "PROM" (possibly not the correct term) which could then be one-time programmed so that they didn't have to pay for a new set of masks if they wanted to change any of their instruction decode (or whatever they had wired into the "PROM") logic.
All they had to do was burn a new version into a blank chip and test/use it from there.
The company in question was producing low-volume, high cost products for a narrow niche and so I don't know if they had to throw away some die space to have this "PROM-like" feature and if that is still how things are done today.
I'm not a semiconductor engineer, but it is my understanding that most CPUs today either use a PROM, which is programmed at the factory the correct version/variant for that part, or (a sometimes compacted?) variant of mask ROM which is produced automatically by some EDA tool(s) from the final production version of the ROM.
Mask ROM usually is just used as a big lookup table which replaces the combinatorial logic by just explicitly matching each input bitstring to the correct bitstring to control the ALU, etc. (along with some sort of state-machine for VLIW ISAs).
Moving to a ROM-style architecture makes development a little more straightforward because modifying instruction decoder only requires burning a different bitstring into a PROM rather than redesigning a combinatorial logic circuit and then manufacturing an entirely new chip.
A ROM-based architecture probably makes microcode updates easier to design into a CPU as well, because you can basically just overlay the microcode over the existing ROM and patch, at runtime, essentially any part of the instruction decode (or whatever else you've designed in the ROM) on an unmodified production IC.
I imagine that the combinatorial logic approach isn't really used anywhere today (for new designs) because of how "cheap" gates are considered to be in a digital IC design, but I could be entirely wrong about this (I'm not in the industry).
> Yes it could cause serious problem but not the privacy itself that the problem, its other people using it to harm other people is the problem.
So is it OK to advocate for the destruction of people's privacy in this situation or not?
If it is, then you're admitting that you just don't care about the harm that could occur (and trying to minimize the responsibility you'd have by hand-waving the issue as being "other people")
If it is not OK to destroy people's privacy in this situation, then your entire argument about how the coerced loss of privacy isn't a problem is contradictory.
> It's just that all these devices and microchips have opened a way to trade on data that we'll never be able to regulate and control with 100% clarity and precision. So we're definitely gonna have to get more clever than just asking the government to ban them.
There's nothing fundamentally different about the technology in the last ~decade that has caused this trade to explode. Bandwidth, storage and compute have all gotten cheaper, but there's not much more that has actually technologically changed to cause this explosion.
What has changed is that companies now see this sort of data-gathering as a potential source of profit and have essentially never had to pay more than a fraction of the costs that they incur on society when this data is abused/leaked, etc.
If there was actual civil and criminal liability attached to negligence, misuse of user data, etc. then most of these problems would disappear pretty quickly. The reason why this hasn't already happened is almost certainly related to the immense amounts of money and influence that the data-gathers can wield on politicians.
A key part of any sort of effective regulation in this space would also require that breaches or misuses of data that didn't involve negligence were also heavily punished (similar to how some toxic waste spills are handled). This would create a powerful incentive for companies to just not collect the data in the first place unless there was a serious business need for it which justified the additional risk to the company.
I can't see that ever being popular here though given how entrenched online advertising $$$ is in SV/YC/HN...
> I'm not saying that its going to be easy but I doubt that its impossible.
So you're willing to concede that people being unable to make the choice to keep something about themselves private will make it harder for them to promote their own rights? Can you understand how a lack of the ability to have private conversations, relationships, etc. could cause serious problems for some people?
Because earlier in the thread you said: "I never heard any convincing argument about why privacy has value." but now you are seem to be implying that privacy actually does have value to some people, correct?
> That's why I'm advocating we spent the effort on solving the problem that arise when the information is public rather than trying to hide information.
That would be a reasonable statement if you weren't also earlier criticizing the concept of privacy and stating that it had no value. You can choose to reject the idea that people should have individual privacy and try to push for a world where people didn't feel that they had to keep secrets, but you'd need to fix all the systemic issues before you could ethically promote the sort of radical transparency that you're talking about.
Trying to claim that privacy doesn't matter because it'd "be better if everything was public" without first addressing these other issues is terribly callous and could only seek to increase the amount of trauma in the world.
And what if it's a domestic company that is destroying those people's privacy and a foreign government that is using this to prosecute them?
Should we avoid preventing further damage that the domestic company is doing? Or should we limit ourselves to dealing with the issue diplomatically, and not do anything else for fear of "looking at the wrong problem"?
I don't understand why you'd seriously suggest that reducing the likelihood of known harm (by ensuring some level of privacy) is the wrong thing to think about when it doesn't prevent other actions from being taken too. It's possible for groups of people to do different things at the same time, after all.
Ultimately, your argument will never result in a situation where privacy is taken seriously because you could substitute in any issue and your conclusion could just as easily be that "better privacy is looking at the wrong problem."
> The difference that ownership would give is consent. Western liberal democracies are based on the idea that you can do what you want as long as all parties agree to it.
No, there are things that two parties cannot legally agree to do even when there is a stated agreement between those parties.
Most of these things aren't legal because society has recognized the immense harm or potential for harm that they have.
For example, you can't legally sign yourself into slavery, nor could you (as a minor) sign a contract with an adult which would make sex legal; even if all parties say that they agree to it.
The slow destruction of privacy is creating situations which have the potential for immense harm for specific people around the world (e.g. people who criticize certain governments). To ignore these sorts of situations whenever there's a discussion on privacy is foolish at best, and maliciously disingenuously at worst.
> I willingly give my personal information over to a variety of firms [...] It's not your place to say whether that's okay or not, because it doesn't affect you.
It absolutely can affect me (or anyone else) if some of that information reveals details about anyone who isn't you. This is exactly the case with (e.g.) all of the social-graph information that Facebook collects. It doesn't matter if someone went through the process of deleting their account if information about them is still being collected by proxy.
That's not to say that any data that could reveal information about someone needs to be treated as though it "belongs" to all parties, but does mean that claiming some form of ownership over the data is not at all straightforward and that merely using the idea of ownership over data is unlikely to address many of the issues that have arisen from mass collection of data on people.
> Human trafficking + consent = immigration.
No. That is entirely wrong. Human trafficking is, by definition, done without informed consent. Stating that just "adding consent to the equation" makes it into immigration is completely ignorant of the motivations, realities and harms of that particularly disgusting criminal enterprise.
The problems with human trafficking don't arise because someone "didn't consent to something"; they arise because of the deliberately-engineered power imbalance between criminal organizations and their victims and the intention of forcing people into indentured servitude and forcing them to make money for the criminals.
> Organ trade + consent = organ donation.
Also no. Organ donation is (or should be) done without any sort of financial benefit to the donor. It's done that way to prevent the organ trade from flourishing. This is exactly the point I was making that assigning a "value" to something doesn't suddenly remove or negate the harms that that thing can cause. In fact, in the case of organ donation, there are a lot of rules which have been set up to explicitly prohibit someone from buying a human organ, specifically because of the known harm that the organ trade does.
> And yes, there should be a practical way to revoke access to data. There are ways to accomplish this technologically [...] We just don't use them yet, for the most part.
There are many ways of collecting aggregate data about populations that don't have to result in individual privacy being destroyed. They aren't used because, under current laws, it's more profitable to just collect all the data and not worry about preventing it from being abused; because there aren't any real penalties for companies and individuals who cause harm by gathering/selling/losing control of this data.
That is to say, it's not (and never has been) a technical issue. It's a political one which requires that people have an informed discussion that isn't heavily swayed by people with a vested interest (e.g. the online advertising industry, as I suspect that many people in this thread are in)
Without some expectation of privacy it would have been impossible for people to gather together with others who had been similarly criminalized.
Without those gatherings, organizing against anti-gay propaganda (equating it to pedophilia, claiming it would be the downfall of civilization, etc.) would have been impossible and it's unlikely that the laws criminalizing homosexuality would have ever been changed.
If you kill privacy then you'll also kill the ability of marginalized groups to organize against any future oppression.
I doubt you actually believe that privacy doesn't matter however, because you're posting here under a pseudonym and haven't linked any social media accounts or anything which could reveal "private" details like your full legal name, place of residence/work, etc.
I can't claim to have a complete answer to that question, but it seems that every time that the line is drawn too far towards the direction of slavery (i.e. away from individual liberty) there is a substantial power-imbalance.
That seems to suggest that any situation where there is a large power (information, monetary, etc.) asymmetry between two parties will lead to one side being heavily disadvantaged, almost certainly due to the intentional structure of that arrangement.
If true, that would suggest that any circumstance where there could be a large power imbalance between parties must be carefully moderated and that limiting "individual freedom" by not allowing people to sign away their rights in a way that mostly benefits someone else could be a reasonable way of approaching this problem.
This is exactly the sort "capability" that is designed to be used through the legal loophole of "you spy on our citizens and we'll spy on yours" which is the (realpolitik) basis of the Five-Eyes intelligence sharing agreement.