The role of security focused alternatives

  2021-02-19

The role of security focused alternatives

  By Hagai Bar-El   , 1045 words
Categories: Security Analysis, IT Security, Security Policies

Our digital lives are more or less governed by very few providers of products and services. Our desktop computing is almost invariably based on Microsoft Windows, our document collaboration is most likely based on either Google Docs or on O365, our instant messaging is either Whatsapp or Slack, our video collaboration is either Teams or Zoom, etc. Given the prevalence of digital life and work, you would expect more options to exist. However, all those large pies seem to each be divided into just a few thick slices each. Those lucky providers that won their dominance did so by catering to the needs of the masses while serving their own agendas, or more accurately: by serving their own agendas while giving enough to make their products preferable by the masses.

Customers appreciate ease of deployment and ease of use, and all of the dominant products excel in that. However, customers never said anything too explicit about security and customers never demanded data sovereignty. Those properties are also very non-compelling for some providers, either because they increase cost, because they prevent lock-in, or because they hinder business models that rely on using customer data. The vast majority of customers never really required, and hence never really got, anything more than ease of use and ease of deployment, along a few key functional features. For most customers, this is enough, but customers who also require security, privacy, and/or data sovereignty, face a challenge when working out alternatives.

But alternatives do exist, for desktop computing, for collaboration and for messaging and video communication. Those alternatives play an important role in our digital ecosystem, even if most people never care to use them.

How did we get here?

Most areas of computing grew-up quickly, perhaps too quickly, and were led by commercial technology providers. Those providers followed the free-market model that promotes the prioritization of features by their respective market demand, because the market knows best. The requirement for security and privacy, however, can be considered as a market failure, where customers do not necessarily behave in their own best interest as a group. Tracing the reason for this type of behavior is way beyond the scope of this post, but suffice to say that (i) the public at large is not always sufficiently educated to comprehend the implication of lax security and data sovereignty, and (ii) as in typical market failures, having widely deployed insecure systems costs society more than what an individual customer considers to have at stake.

The current state and its implications

The impact is evident: most people “have no secrets in the computer” and hence we end up with desktop botnets, and most people “have nothing to hide” and hence we end up with an Internet that is largely fueled by mass surveillance.

Moreover, the implication of having most people not prioritize security and privacy goes beyond issues of ‘public health’ and the business models of the Internet. It creates a marketplace where ‘proper’ security and privacy become ever harder to get, even for those willing to pay a premium for it. Commercial providers prioritize product features by market demand. As long as the market at large does not pay a premium for security, a phenomenon that is not likely to change even with greater customer awareness (due to the Market of Lemons paradigm), and as long as commercial providers are not penalized by the market for security mishaps of sheer negligence, this situation will most likely remain.

To summarize the situation, security is absolutely required for several use-cases, and privacy is aspired by many people, and yet, security does not have sufficient market traction when looking at the entire ecosystem. Without getting into whether the lack of market traction is more a result of ignorance, of culture, or of genuine lack of need, the fact that the market does not sufficiently appreciate (and hence: reward) security and privacy is a fact that demonstrates itself every day by people’s acceptance of surveillance-based business models and of dangerously insecure IoT devices inside their homes. Product priorities follow the money, and the result is that a person who wishes to use a social network that charges money rather than her data, or a desktop system that accepts her ownership of her own hardware – has very few options, if any.

The fix

This situation is not a result of malicious intent; it is a result of economy, combined with the market failure state of security and privacy. This situation could be corrected either by:

  • regulation, or by
  • products funded by other business models.

The regulator can compensate for the market failure caused by the public acting outside its own best interest, if it is firmly demonstrated that this is indeed the case. We see the start of such government intervention with Senate Bill No. 327 in California, requiring, also, that IoT devices sold in California do not use shared default passwords, as of January 2020.

A good example for the second option is provided by the open source community, which develops products not for the sake of direct licensing monetization. The open source model can be used to build products that do not cater to the masses, and that are still profitable enough to be sustained. This product development model bypasses the conditions that cause an eternal gap between new features of products and the products security and privacy qualities. This model enables the existence of alternatives that favor security, privacy, and data sovereignty. We see this working in practice with Mozilla, Ubuntu, Ejabberd, OwnCloud, NextCloud, and others.

What we get extra

The benefits of having secure alternatives go beyond allowing organizations and individuals who seek secure products to have what they desire. It is widely recognized that lack of proper safeguards for data, be it corporate data or private data, has long-term ramifications on both society and economy.

Lastly, the benefit of alternatives that prioritize security and privacy goes beyond that of the people and organizations that actually use them. By demonstrating that security and usability are possible, and by stealing some the lunch of mainstream players, the secure offerings also raise the bar for other products, that may adopt some of their principles.

(Near-)future posts will elaborate on what it may take of products to fulfill this stated role.

1 comment

Comment from: rafi [Visitor]  

This is exciting!! This is a wonderful example of how the advance of technology goes much faster than the ability of public regulation to adapt to new products and services. It also shows that the free market models are still far from handling the new actors in the field.
The "market failure" syndrome that you use is extremely enlightening. This certainly is a case of a market failure, and as in cases of market failure you naturally propose the intervention of regulation by public governments (and international collaboration is needed).
We may find some consolation in the expectation that the market failure may lead at an extreme to some deflation of this bubble. We already see some "free market" reaction as the decreasing use of facebook, together with a government reaction of the US.
The "glass ceiling" of the market failure effect may explain the birth of the open source models. These are certainly models that deserve a more detailed analysis…


Form is loading...


Form is loading...

  XML Feeds

Search

License

All contents are licensed under the Creative Commons Attribution license.