This post was originally published on my blog.
The internet is everywhere. Unless by some fluke this has blown up beyond my wildest dreams, I bet you’re reading this on an internet-connected device. This is likely one of many connected devices that you own. The dawn of the Internet of Things (IoT), especially, has filled our living spaces with connected devices. By purchasing and using these devices, we implicitly entrust their manufacturers to keep them and us secure. These devices are a gateway into our lives, and the internet is home to an infinite number of bad actors just hoping to catch a glimpse of what lies beyond the veil. I will explore the issue of trust — specifically, how it has shaped the internet and why a healthy dose of paranoia goes a long way in this age of connection.
A Short History
If you look at how much trust we put in the internet today, you might struggle to believe that there was a time when scepticism was seen as the main barrier to adoption. Many analysts in the mid-90s doubted people’s willingness to use the web in trust-dependent domains. The lack of physical interaction was a concern given the anonymity that the web provided. E-commerce, especially, was seen as an unlikely player in the burgeoning web. Shopping online meant trusting that the seller was legitimate, that the product would be delivered and that it would be of the desired quality. The possibility of credit card fraud or identity theft also acted as a deterrent for would-be early adopters. Generally, the lack of insight into the trustworthiness of anyone on the web made transacting online a risky endeavour.
The onus, then, was on technologists to make the web (and the internet) more secure to boost adoption. As one of its early pioneers, Vinton Cerf, said, “We didn’t focus on how you could wreck this system [when designing the internet]”. As the internet came into our homes, becoming accessible to casual users with very little knowledge, it became clear that developers had to find ways to protect users and give them peace of mind. The first milestone in this regard was the introduction of Secure Sockets Layer (SSL) technology. SSL uses encryption to safeguard information sent between two systems. It ensures that no one can snoop on the connection and intercept any sensitive data that may be transferred over that connection. Today, we rely on Transport Layer Security (TLS) to play this role. TLS is an updated version of SSL that offers better security. Hyper Text Transfer Protocol Secure (HTTPS) was also introduced to provide encryption and increase the security of online data transfer. Most browsers have made HTTPS a requirement and will enforce HTTPS-only connections and warn users when a website does not support a secure connection. Even the algorithms used in search engines like Google take HTTPS into consideration and rank websites that support it higher than those that do not. Without HTTPS, browsing is risky, especially on public WiFi as all communication is in plain text, making it accessible to anyone with the right tools.
Period of Naivety
Once some trust had been established, the public fully embraced the internet. The popularity in the early 2000s of companies like Amazon, eBay, and Netflix proved that people were willing to transact online. Since then, trust in the internet and web platforms has increased despite a few hiccups along the way. However, this trust is borne of the faith users have in the companies that own the web platforms. The average user does not overly concern themselves with the legitimacy of an Amazon seller or a job poster on LinkedIn. The underlying assumption is that the platforms have systems in place to verify their users. This is because of the personas that these companies and their leaders have cultivated, affirming their commitment to using their technologies for the betterment of society.
Yet, we find ourselves in a place where the chances of being exploited on the internet are higher than ever. Today, most people interface with the rest of the world via one of the dominant social platforms — Facebook, TikTok, Instagram, YouTube, or Twitter. Without diving into the contentious topic of content moderation on the internet, we must still recognise that there is an increased risk of exposure to bad actors and harmful content on social media. The social platforms themselves do not (or rarely) produce original content, yet we equate our trust in them to trust in people who post content through them. Whether consciously or otherwise, we are more likely to believe something we see posted on social media because we think it would have been taken down if it were false. Some people view verification on social media as what gives an agent credibility. But, as companies like Twitter have put verification up for sale, it may no longer serve the purpose that it used to. Verification says nothing about a person’s character or affiliation, and it’s not uncommon to see verified accounts sharing conspiracy theories with their often massive fan bases. Social media has become a vehicle for fake (and sometimes dangerous) content, mis and disinformation, bullies and trolls, bots, and scammers. Bot farms have become especially prevalent, creating thousands of fake social media accounts designed to shape public opinion and artificially amplify some topics and narratives while drowning others out.
The Big Dilemma
You would be forgiven for jumping to the conclusion that an easy solution to these problems is to put up measures to verify each user’s identity online. It is common in some countries for users to have a phone number tied to their account as this is harder to fake than, for example, an email. For companies and individuals, choosing between enforced ID verification on social media means walking a tightrope between freedom and security. For many people, especially purists who have always advocated for a free web (free as in free speech, not free as in free food), this is unthinkable. Forced user identification is liable to abuse, especially by repressive regimes. I think most companies don’t want to deal with government requests for the identities of prominent activists and critics. Equally, many users might have an aversion to the idea of handing over their identity to these corporations.
Without some methods of verifying that 1. users are real people and 2. each user has a single account, the internet and social media lend themselves so well to scammers, trolls, and bots. Bots have become a massive problem as they are deployed to interact with and share posts to extend their reach. Trolls and conspiracy theorists have made social platforms a cesspool of harmful and fake content. The anonymity provided by some platforms can embolden people to express racist, sexist, and generally obnoxious views without fear of repercussions such as suspension. This presents a unique problem for social platforms — they know that the best way to retain users is to provide a safe environment, but some measures required to do may prove highly divisive.
The misinformation issue is especially difficult to address given our society’s weakening grip on objectivity. You would be hard-pressed to find people on opposing sides of any debate agreeing on the basic facts of the situation. This makes content moderation difficult when dealing with misinformation. Facts and opinions have become interchangeable, and prominent influencers and creators will gladly craft a version of reality that pleases their followers. When social media platforms make decisions to curb the spread of misinformation, they often invite accusations of taking sides. And, to be fair, people are right to question the wisdom of giving social media platforms the power to essentially shape reality. Some may argue (perhaps rightly so) that no one is trustworthy and incorruptible enough to be entrusted with such power, especially companies that prioritise the market, shareholders, and investors above all else. Nevertheless, these decisions must still be made because there is no shortage of bad actors pursuing their agendas on the internet.
Big Trust in Big Tech
Today’s technological landscape requires users to place immense trust in tech companies. I recently spoke about the emergence of cloud computing and how much of what it offers requires that we entrust so much of our generated data to online platforms. What appears to most of us as a free internet (free as in free food) is, in fact, carried along by a massive wave of data collection. Surveillance capitalism keeps the web afloat. Many of our favourite apps offer the convenience of multi-device continuity, a godsend for people who constantly switch between devices. Yet, this requires that the data we generate — personal files, health data, location history, and notes — be stored on remote servers. To say that these servers are far from immune to data breaches would be the understatement of the century. This is not the only way our data ends up in third-party hands. Many platforms’ terms of service include clauses that allow our data to be used to create a profile, which can then be shared with advertisers or used to provide better recommendations. The many possibilities for misuse make access to this data a massive responsibility for any entity to bear.
Cloud Computing and the Internet of Things are two technologies whose success will depend on our willingness to trust tech companies. As mentioned above, cloud computing allows us to jump between devices by storing our data exclusively on a remote server or by keeping a server-side backup. This means you could lose your phone today, get a replacement, and pick up where you left off as if nothing happened. The flip side is that this data is just sitting there waiting to be stolen. In some cases, however, these features may sacrifice important security measures. For example, Telegram, a popular chat app, is known for being a secure messaging option. However, to provide seamless transitions between their apps on different platforms and the web, the normal chat sacrifices end-to-end (E2E) encryption. Instead, E2E is only implemented on secret chats which lack cloud storage functionality.
The IoT industry also relies heavily on cloud computing because of how much data IoT devices generate. The industry is estimated to produce upwards of 73 ZB (zettabytes) of data by 2025. This data is useless if it is not somehow stored and processed. As they are often hardware-focused, many manufacturers of IoT devices rely on cloud infrastructure from Amazon (AWS), Microsoft (Azure), and Google (GCP). Setting aside the data collection issue, IoT devices demand trust because we put them in our homes or take them everywhere we go. Whether it’s a smart car, home speaker, doorbell, baby monitor, bulb, or fitness watch, these devices have unrestricted access to our personal lives. This makes security a major concern on these devices. Yet, security vulnerabilities are common in IoT devices. One reason for this vulnerability is that most users rarely change the default username and password to connect to their devices. During the Mirai Botnet hack whose effects took down Netflix, Twitter, and Reddit, to name a few platforms, the Mirai malware was used to infect IoT devices and turn them into a zombie botnet. The virus would search for similar devices and connect using their default credentials. Another issue is that few manufacturers of IoT devices provide long-term firmware updates. This means that their devices can be exploited due to running outdated firmware. The biggest problem with having a vulnerable device on your network is that it can be used as a gateway into your network, giving an attacker access to more than just the records on your smart fridge.
What we see is that, through these and other related technologies, tech companies have access to massive amounts of user data. Surveillance capitalism used to thrive only on the web. Now, it’s in your home and your car, hoovering up every morsel of data about you that can be monetised. There is no incentive for companies to reduce data collection because these breaches affect the users way more. A company may be fined for a data breach, but this often amounts to little more than a mild slap on the wrist. On the other hand, the users must deal with being stalked, having their online accounts taken over by hackers, their credit cards abused, having their property stolen, or their identities hijacked.
The State of Online Trust Today
Look around the web today, and you’ll find that the war for user attention has escalated. For all the criticism levied at publishers and broadcasters for acting as gatekeepers controlling what gets to reach the public, it’s evident that they did play an important role. Today, there are millions of others just like me — bloggers, vloggers, and influencers with the freedom to publish anything to the masses. As a result, sensationalism and clickbait have become prevalent. There is no shortage of articles and videos with titles like “This will shock you”, “The only advice you’ll ever need”, or “The ultimate guide to…”. Hyperbole gets the clicks and this leads to situations being blown out of proportion to force an emotional response from viewers/watchers. This search for attention has fueled the rise in content creators whose content is curated to target specific demographics. This erodes people’s trust in our shared information space and encourages the growth of echo chambers. Here, creators can prey on our confirmation bias to tell us exactly what we want to hear, leading to a more fragmented society.
With the rise of the internet, systems that were once set up to reliably filter out bad content — that which is harmful, biased, sensationalised, or downright false — have disappeared. This is not to say that such content never existed or even that modern publishers don’t sometimes lean one way. However, it’s so much easier, today, to bypass these systems. Social media platforms and search engines have content moderation systems to filter out certain content, but these systems are not perfect. Many have spoken about the scourge that is TikTok and its proliferation of fake content, especially life hack and cooking videos, some of which are actually quite dangerous. When it comes to political issues, platforms are often pressured to remove certain opinions, as we saw during the pandemic. However, this only fuels the distrust among those who feel that what they believe to be true is being filtered out in favour of an alternate version of reality. In this sort of Wild West of information, anything goes, and people are expected to be vigilant. And, because each one of us can act as a publisher unto ourselves, it’s easy for bad content to make its way through the grapevine, being passed along by people who haven’t even bothered to confirm its veracity.
The recent emergence of powerful generative AI tools has also contributed to the erosion of trust in what we see on the internet. Deep fakes have existed for many years, now, and they are only going to get better. One need only look at this deep fake video of Obama to see how scary good this technology was 4 years ago. It’s easy to imagine all the potential abuses of this kind of technology and the havoc it can wreak when videos of public figures can be faked (or people can claim that real videos have been faked). More recently, OpenAI’s ChatGPT tool took the world by storm, surging to 100 million monthly active users in just two months. As a generative AI, ChatGPT excels at creating content and it does so while sounding disconcertingly human. It might not matter to most people, but some readers would prefer to know whether what they are reading was written by a human or an AI. Furthermore, ChatGPT has been known to confidently spout falsehoods in a dangerously convincing manner. We can assume that advanced AI detection tools will soon gain popularity to warn us of AI-generated content. However, this will likely devolve into a pseudo-arms-race where generation and detection tools battle it out, one-upping each other for the unforeseeable future.
A Future Without Trust
As with the development of SSL in the early days of the web, the next big development to save the trust in the internet must occur at a fundamental level. This is where zero-trust and trustless systems come in. As mentioned above, pre-Web3, a website’s credibility was verified by a 3rd party such as a TLS certificate issuing body like Let’s Encrypt. This meant that users had to trust the issuing body not the website’s creator. In the same way, our trust in web platforms extends to the creators and publishers who use those platforms. Since one of the goals of Web3 is to build systems that do not rely on 3rd parties, it makes sense that it is being touted as a possible solution to our online trust issues.
Despite the similar name, there are big, fundamental differences between zero-trust and trustless architectures. A zero-trust system does not automatically trust any entity that attempts to connect, even if, for example, they are on the same network. This means that every device must be authenticated, ideally by a central third party. A trustless system, on the other hand, relies on an encrypted, decentralised blockchain ledger and a transparent consensus system to ratify decisions. Decentralised Autonomous Organisations (DAOs), for example, will only decide once a consensus has been reached by a majority of nodes on the network. One could argue, however, that the terms for these technologies are a bit misleading given that some trust is still required in both cases. The only difference is that this trust is placed in technology instead of humans.
However, some believe that none of this will matter. The average internet user has a loose grasp on the privacy and security technologies that underpin the internet and its related technologies. They are not actively checking SSL certificates or reading through the terms and conditions to find out if their privacy will be respected or how their data will be secured. In this version of the future, it becomes less about trust and more about necessity and ubiquity. For those who have grown up with the internet — with social media and online shopping and banking and navigation apps, this is the only life they know. They will continue to use these tools because they have already tasted convenience and will not go back. And, for the rest, as these tools continue to be forced upon us, as they become increasingly necessary for us in our professional and personal lives, it will not matter if a platform has a record of data breaches or gladly sells its users’ data to the highest bidder. In this version of reality, we reach what Cory Doctorow called peak indifference. This phenomenon is seen among smokers who recognise the risks involved but go on anyway because the short-term benefit trumps any thoughts about the long-term harm.
Going forward, the burden will be on the internet’s architects to maintain or restore public trust in the technology. Too many companies have been caught with their pants down as victims of data breaches or trying to sneak something past their users. There will be a need for greater transparency from companies about their tracking and moderation policies. The next evolution of the web will require that we put more trust in online platforms. The data we generate from our content streaming habits, shopping patterns, location history, social media likes and retweets, and health records will allow anyone with access to tell an awful lot about us. If Big Tech companies continue to be deliberately vague and deceptive about their policies or choose not to respect user preferences then we may see migration to platforms that promise to do so. Google, for example, has seen its position as a dominant search engine challenged by upstarts like DuckDuckGo that promise unbiased search results and no tracking. Yet, its continued dominance may prove that these companies won’t have to do anything. Maybe they are right to believe that their services are far too valuable and convenient for users to simply give them up. Maybe, just as we have seen with cars, smoking, and alcohol, the benefits will be so great that people will accept or ignore the associated risks.
If you have any comments or feedback, feel free to reach out to me on Twitter (@edtha3rd). For early access to my posts, check out my website or consider subscribing here so that you never miss a post. Thanks for reading!