The Scale of Victims

(This column is posted at www.StevenSavage.com, Steve’s Tumblr, and Pillowfort.  Find out more at my newsletter, and all my social media at my linktr.ee)

It sure seems there’s a lot of IT security breaches lately. In fact, it’s to the point where I can’t remember which one inspired this column. It’s probably just as well, since you can map whatever horrific violation of privacy you heard of this week onto this column. There, I’ve sort of written something relatively timeless because people are dumb.

One of the things I wonder about is why more CTOs, CIOs, and so forth aren’t being taken to court, followed by reporters, and in general held freaking responsible for their companies having lousy security. Yes, there’s all sorts of shielding from accountability, but you’d think we’d see some effort. I think one thing protecting them is that the company is seen mostly as a victim.

I’d argue that’s technically right: the companies were attacked by some external force. But treating companies as the equivalent of people ignores their responsibilities. People, individual moral agents, can be victims, but corporations are not people and not moral agents, and treating them as victims like people lets them out of responsibilities. Sorry, Mitt Romney.

Think about a person who is a victim of a crime. Though people often try to blame victims, those blamers are usually both wrong and assholes (and sometimes justifying their own crimes). A person who is a victim of a crime is a victim in that someone else chose to behave criminally. Even if said victim enhanced their own danger, it doesn’t remove the culpability of the criminal, who violated social and legal norms that people are expected to follow.

When I watch people shrug as corporation after corporation has customer records placed on the dark web, I see comments about how crappy their security is, but it doesn’t seem particularly judgmental. This impresses me as an echo of the don’t-blame-the-victim mentality.

But corporations are groups of people – organizations. That organization makes certain agreements and promises in order to exist. Security of data is, obviously, part of them. If one’s data is breached, despite the criminals’ actions, you also take responsibility as you are responsible. If you’re leadership, you should be on the line because you made a promise that this probably won’t happen.

Organizations are about promises and responsibility. Screw that up, and no matter why, someone has to pay as your failure hurt the organization and the people involved. You don’t have to restrain yourself on going after the people who did the actual crime, but corporations have made promises. If you can’t keep them, you’ve got a problem.

In fact, I’d say a corporation that suffers a data breach or similar failure must be investigated to see if it violated social norms. If the corporation made guarantees it could not and did not keep, if good faith effort was not made, the corporation was responsible. There is a failure of the company that echoes the action of the criminal; it too violated norms.

Of course we all know that if we at all ask this we’ll find a lot of corporations have done terrible at security. It’s all cost cutting, half-assed integration, and big bonuses. A lot of companies, if they were really investigated for security problems, would be locked down and sold off for being terrible.

(And yes, I work in Healthcare, which has insanely strict rules, but everyone should for everything, and we remember that these rules protect people.)

We don’t need to act like corporations are victims like people. If they can’t keep their promises, if security violations reveal they’ve done a poor job of protecting people, they’re part of the problem. Some of them should pay. Some shouldn’t exist.

Steven Savage

Willy’s Outsourcing Problem

So by now you’ve probably heard about the infamous Glasgow Willy Wonka ripoff event that was a dismal disaster. If somehow you remained ignorant, basically one guy generated a bunch of AI content (including a script), outsourced everything to various actors and suppliers, and it was a mess. Fyre Festival for kids, as someone put it.

As the internet united around watching and dissecting the disaster, what I found fascinating is how this happened. Not because I learned anything new, but because it seemed depressingly familiar. It was a tale of outsourcing, taken to an extreme.

Most of the news has focused on the creation of AI content by the mastermind (disastermind?) Billy Coull. It was obviously AI generated, from creepy imagery to hilarious misspellings and nonsense words. However, AI generation is just a form of automation, basically of outsourcing. It was merely the most extremely hilarious example of Coull having anyone but him do work.

There were people hired to bring in props. People hired to act. It seems like every damn thing was outsourced and then everyone was just supposed to make it happen. Needless to say, that didn’t go well: nothing happened, everything got ad-libbed, and there was no chocolate. Not sure how you rip off Willy Wonka without chocolate, but there you go.

All outsourced. There was no there there, just a bunch of AI art and some guy saying “good luck” before families paid for tickets to this fiasco.

This may seem extreme, but outsourcing happens all the time. If you analyze any business or product you’ll likely find some outsourcing, because sometimes you save time and money with specialists. You’ll also find outsourcing backfiring, with poor service, lousy computer code, or questionable media design.

If you’ve ever tried to figure out who is responsible for something and had to drill through various organizations to get an answer or a refund, you get the idea. Outsourcing isn’t an evil thing at all, but too often it’s used to dodge responsibility, screw employees, and not actually do anything.

At the extreme, you end up with an event that isn’t about anything, is all fake, and ultimately is a disaster. Plus it’s hard to hold someone responsible – a little more coverage and forethought and we might not have discovered who did the Faux-Wonka fast enough for it to hit the news cycle.

There is nothing unusual about what we saw in Glasgow, it was just incredibly obvious. Many of us have been there before. Maybe we need to ask how much of our world is outsourced, and how much of that plays into the problems we face each day.

Outsourcing isn’t bad at all – I’ve been on both sides of it. But it can be misused.

Steven Savage

The Money In Cleanup

I have an acquaintance who helps migrate businesses off of ancient and inappropriate databases onto more recent ones. If you wonder how ancient and inappropriate, let me simply state “not meant for industry” and “first created when One Piece the anime started airing” and you can guess. Now and then he literally goes and cleans up questionable and persisting bad choices.

In the recent unending and omnipresent discussions of AI, I saw a similar proposal. A person rather cynical about AI mused someone might make a living in the next few years backing a company’s tech and processes OUT of AI. Such things might seem ridiculous, until you consider my aforementioned acquaintance and the fact he gets paid to help people back out past decisions. Think of it as “migration from a place you shouldn’t have migrated to.”

It’s weird to think that in technology, which always seems (regrettably) to be about forward motion and moving forward, there’s money in reversing decisions. Maybe it was the latest thing and now it’s not, or maybe it seemed like a good idea at the time (it wasn’t), but now you need someone to help you get out of your choice. Fortunately there are people who have turned “I told you so” into a service.

I find these “back out businesses” to be a good and needed reminder that technology is really not about forward. Yeah, the marketing guys and investors may want it, but as anyone who’s spent time in the industry knows, it’s not the case. Technology is a tool, and if the tool doesn’t work or is a bad choice, you want out of it. The latest, newest, fastest is not always the best – and may not be the best years later. Technology is not always about forward, even if someone tells you it is (before they sell you yet another new gizmo).

Considering the many, many changes in the world of tech, from social media to search to privacy, I wonder how much more “back out businesses” might evolve. Will there be coaches to get you to move to federated social media? How can you help a company get out of a bad relationship with a service vendor with leaky security and questionable choices? For that matter can we maybe take a look at better hosting arrangements and websites that aren’t ten frameworks in a trenchcoat?

I don’t know, and the world is in a terribly unpredictable state. But I’m amused to think that somewhere in my lifetime the big tech boom might be “oops, sorry.” Maybe we can say “moving away is really moving forward,” get some TED talks, and make not making bad immediate choices cool.

Steven Savage