Thank you to everyone at Defrag for attending my session. Great conversations afterwards, and looking forward to any more input you have in the future!
Value comes from what you do. As part of the working class, I firmly believe that when someone takes away your control over the work you do, they violate a basic human right. Work hard, work smart, but work on something that people need. That is value.
I’m seriously disturbed by the widespread apathy over the legal ramifications of EULAs on personal rights. This is core curriculum IMO for digital literacy. If you own a phone or use email, you have very few digital rights, and that’s a problem. We’ve been eating marshmallows, lots and lots of marshmallows.
What is a EULA?
An End User License Agreement (EULA) is that thing where you press “Agree”, “Accept”, or “I Understand” even though you didn’t read the fine print. Think of every app on your phone, every e-commerce store, and every piece of software installed on your computer. It is a legal document, binding and enforceable, and you have no idea what it says.
What is EULA apathy?
Well, consider that you have accepted many of them, probably without knowing it, and the terms can be changed at any time without requiring your consent. Meh. That’s EULA apathy.
If this doesn’t bother you, think of all the photos and videos you, your friends, and family upload to social networks daily. You don’t legally own them. That means that you can find yourself, your children, and intimate details of your house on display in a designer picture frame at your nearest Target store.
If your mobile phone or cable provider decides today that you’re using their service in a way that doesn’t fit their current perspective, they cut you off. No internet, no phone, no ability to communicate with the outside world. What is free speech without the ability to speak? This increasingly matters, not just in China, but everywhere.
What is the *human* problem with EULAs?
The problem is delayed gratification, particularly with small-transaction agreements such as mobile apps. It’s that new game, the app that helps you find food or gas or sex, connect with others, something that makes us feel just a bit more validated than we do now. Hello, all of social media.
We accept what we don’t understand because our immediate gain outweighs future loss. EULAs are the digital equivalent of sugar addiction in America; our tipping points in both fights have long since passed. And just like our biological imperative to optimize for caloric intake, our emotional imperative for validation by other humans drives us to ignore what businesses ask from us.
How the fuck do you compete with human nature? How do you get people to care about what they don’t understand?
After a long time, I realized…you don’t.
My problem with EULAs is really about corporate personhood.
EULAs are designed to protect the rights of the business over the individual. They often ensure that you are responsible for bad things, illegal materials, and inappropriate use of a thing or service, but importantly that you do not own the content you provide. Not coincidentally, they also absolve the licensor (the business) of any wrongdoing to minimize risk to profit.
This leads to very unethical behavior, such as Facebook ignoring that many users are selling deadly weapons on their service. If the business owns the data but the creator is still held responsible for how it is used, we write an ethical blank check to corporations that we know will choose profit over well-being…every time.
Ownership implies responsibility. EULAs are conscription law. Digital fucking slavery.
If EULAs are a problem, how do we fix them?
The reality is that we can’t easily start by changing businesses or legal structures. If you can provide an easier way, people will be far more likely to take it. EULAs are about risk mitigation, an outcome of greed. You just have to get human nature to overcome the problem WITH ITSELF.
We can fight greed with greed by letting people control profits from their own data.
I brought this up a little last week as host of our Boston APIcraft meetup. I asked the question “If we quantified profitability over our personal data, would people be more inclined to pay attention to their rights (i.e. personal value)?” The conversation was positive, and the group was definitely there when it came to digital literacy. But the first step is personal data ownership for sure.
Ownership is fundamental to profitability when it comes to your own data. Let’s assume we get over how the hell to individually own and host our own data stores in a way that vendors even want to be involved in. Let’s skip past that part, though Phil Windley has some interesting thoughts on this (i.e. PICO and personal clouds).
Once we own our own data, we have control and responsibility over it. Then we can make some real
OKAY, OKAY! How does PID control logic apply to EULAs?
Watching a GOTO; presentation on agile by Dave Thomas last night, he discussed how much of our modern world consists of PID controller circuits. He used an example of how mega-boats solved their human navigation problems before GPS was a thing.
The reason is that in many situations, making a decision without at least a bit of historical context or tracking toward a future goal often leads to failure. Sounds exactly like what is missing from our current situation with EULA apathy.
Let’s apply the PID pattern to personal profitability. Consider the three active elements in the PID control model:
Proportional, the current state of the system:
Your location and preferences are being traded privately between commercial entities. Since you accepted the EULAs that consign data ownership to them, they can do whatever the fuck they want with it. Fitbit and the insurance industry come to mind. They make money, you see none of it. You pay for the device and see only a fraction of the value.
We want to change this, but pause: this is simply what is happening now, the current state.
Integral, the history of profit:
How much money have people been making on your data, and have we been able to change the tide in other circumstances? Lots, and yes we have.
The global BI and analytics market is estimated at $16.9 billion, says Gartner…you know, if you believe anything they say. Sometimes I do. On Thursdays.
“The global mobile analytics market is expected to grow from USD 1.36 Billion in 2015 to USD 4.12 Billion by 2020, at a Compound Annual Growth Rate (CAGR) of 24.73% during the forecast period.” [ref] – that’s just mobile though.
Translation: pants on fire, slap me rotten, nucking futs profits.
And that’s not even the money you spend on stuff, that’s money made on the data about the stuff you spend your money on, and what you don’t. The reason that Google search, Facebook, and news sites are free is that in exchange for a little service, they sell a massive amount of rich data about you.
We have changed this in the past (patient rights), but we have done this through legal channels which in America is a veil of ignorance and infects every good idea it touches with bureaucratic impotency.
We also have changed the way enterprise software profits. The web runs on approximately 75% Linux; open source software disrupts the profits of big bads.
Derivative, the future goal:
If we want people to profit off their own data, we have to find alternatives to the broken systems we have now. It needs to be cheap. It needs to be transparent. And it needs to be easy to manage and integrate with. Git comes to mind.
It’s far more than a single technology though, it’s an ecosystem, and it needs compelling arguments for the average citizen to move forward. If only we had a government that didn’t let institutions off easily for massive data breaches, maybe businesses wouldn’t want to take on the liability of storing all our data in the first place.
We also need to deal with the problem of access to this data. If net neutrality is really dead, then there’s no other solution but to maintain our data on someone else’s infrastructure (not our own), but do so in a yet-undeveloped, fully encrypted manner.
It’s not as simple as a PID controller, but no human problem ever is. The best we can do is engage, try to move some part of it forward, and that’s EULAs for me. As always, more to come.
Just came across this nugget after Googling for 30 seconds.
Essentially, you can mine an app for the intents it signals to the outside world, then intercept, then re-inject them with your own modified data. Does this seem like a potential app vulnerability to you?
More research must be done, but this smells like something I want to bring up in my Edges of Espresso talk at AnDevCon SF this month.
Found this old but good article supporting my concerns: Intentional Evil: A Pen Tester’s Overview of Android Intents
Also, I keep re-reading this one on IntentTestRule usage because it’s exactly how my brain works. http://www.catehuston.com/blog/2016/04/28/testing-intents-on-android-like-stabbing-yourself-in-the-eye-with-a-blunt-implement/
Some really great use cases for Facebook Connect login stubbing here:
Side note: Nick has a great set of examples on Jenkins, Android Studio, and Calabash at thedieseldeveloper.com
Not only have I been looking for an excuse to get down there in 2017, this looks like a very legit event. Consider Jared Smith, organizer of HackUTK and security researcher. That’s one of dozens of speakers at an event that attracted 900 devs.
Just like Abstractions.io this past year, I am ready for my mind to be blown.