Monday, August 8, 2011

What LulzSec Actually Did (And Why It's Important / Not Important)

So. A lot of really interesting things have been going on. From day to day, it's hard to tell which stories are going to actually be important in the long run, so I try to resist the urge to blather about everything I find interesting in a given day (that's what the SBO News Tumblr is for). But it's been a while, and one story has surfaced as having a seemingly lasting importance. It's the story of LulzSec. Some call them nefarious hackers, and others call them vanguards of a new way of thinking, white-hat jokesters exposing weaknesses without doing too much lasting damage. The truth is (surprise!) more complicated.

There are a lot of angles from which to approach this story, but I'd just like to highlight some of the misconceptions that the public and the media seem to have about what LulzSec actually did.

For starters, people act like LulzSec did something unprecedented by exposing all of this private information. And while that's partially true (in that they are probably the most organized effort to do what they did), it's also a kind of misdirection regarding what it is they actually exposed.

Here's what I mean: to me, LulzSec exposing the weaknesses of networks of information is not that different from the series of Facebook privacy mistakes that exposed increasing amounts of personal data. There just isn't that huge of a difference between having your private information exposed on the open web because you wrongly trusted Facebook's default privacy settings and having your login information displayed publicly because you wrongly trusted Sony's encryption policies.

The (already nearly-forgotten) Anthony Weiner story is actually a pretty good example of this. Weiner was just a normal guy who didn't understand how Twitter's architecture protected (or didn't protect) his privacy. This led to his junk ending up all over the internet. Should we cut him more slack than, say, the FBI, whose protection of their website was easily circumvented with some simple hacking scripts? Weiner exposed himself (haha) the same way that the FBI did: because they didn't understand how the technology they relied on worked.

And that's what's really at stake here. Network technology has become centrally important to our everyday lives, but it's also become increasingly sophisticated. And we have a duty to understand that sophistication.

Then again, no matter how high the stakes are, we can't pretend that changing technology hasn't created high risk before. There existed a time when people uniformly left their front doors open, a time when having credit in a store just meant telling them your name. Those are technologies (doors, loose credit systems) that have become outmoded for their purposes (keeping intruders out of your home, keeping tabs on your purchases).

And that happened because people exploited those technologies; they stole from homes and used false names for credit. The unsophisticated and ineffective nature of these types of systems was exposed, requiring better systems. That's how these things have always worked. And that's how they've worked with LulzSec, too.

But here's the thing: the people that took advantage of the system and displayed its weaknesses in those cases were called "criminals," not jokesters or revolutionaries or white-hats. Having a high-minded reason for stealing and trashing things doesn't save you from consequences. Maybe LulzSec deserve the criminal treatment quite a bit more than they deserve the white-hat treatment.

Now obviously it's more complicated than "you're either a criminal or you're a sheep." I wrote a while back about WikiLeaks, which I sort of praised for wanting to change the way information is kept by governments but also sort of criticized for the dangerous way they are going about creating that change. I'd say the same here: I'm all for people using better passwords and companies using better crypto and more secure networks. But that doesn't mean I'm a fan of giving out huge amounts of personal information about otherwise innocent bystanders.

This whole thing is even more confusing when you try to come up with off-line analogs. Imagine a band of jokers wandering around suburban neighborhoods and stealing valuables from homes without alarm systems just to prove how vulnerable these houses are. This is not how social change is made. This is how moderately smart people get their jollies at everyone else's expense. That is what is happening here, possibly not much more.

Though even that analogy breaks down when we realize that LulzSec isn't really hacking deeply sophisticated servers. They're hacking websites, the public-facing, loosely-protected internet billboards for these companies. 

For example: not too long ago, LulzSec took down the CIA's website. But the CIA doesn't keep its secrets on its website; the CIA's website is likely slightly less secure than, say, the Huffington Post. It takes very little work to steal the furniture off of someone's front porch, but it takes more work to steal from their safe. LulzSec basically only stole porch furniture, even if it was the kind of porch furniture we'd rather not have left out.

The bottom line is that the whole LulzSec situation demonstrates the imbalanced interaction between our understanding of our own technology, our expectations of privacy, and our desire to trust the companies that hold our information. That's the same imbalanced interaction that was exposed by the Facebook privacy flap, the Anthony Weiner fiasco, password phishing scams, and every privacy crisis in internet history.

And the solution isn't angry prosecution or sting operations. The solution is trying to understand these interactions better. Technology isn't likely to entirely outmode the social contract any time soon. We still have to make our society work. And only more education and more understanding will make that happen.

(More about LulzSec at the SBO News Tumblr!)