Turning Tides: Reading the Hotmail hack
by Felix Stalder
First published by Telepolis [Sept. 2, 1999]
a German translation can be found here.
Homepage ||| Contact Read critical responses on nettime and telepolis [Forum section]
Two stories landed at the top of the technology news the same day. One was the massive security breach at Hotmail, the other was Sun Microsystem's acquisition of Star Division, a small developer of office software. Both events are deeply connected though this escaped the editors who put them on the same page (if there are indeed still human editors for webpages...).
Sun has been pushing for a long time the "network computer". According to this vision applications which right now reside on our PC, e.g. word processors will be located remotely on powerful networks server and accessed (and paid for?) on demand. Not coincidentally Sun produces powerful network servers. This shift from the PC to the network is often portrayed as the logical next step after the shift from the mainframe to the PC. However, it's a shift which makes the tide flow xactly in the opposite direction. PCs, which function by and large as autonomous units, brought a decentralization of computing power and arguably an empowerment of the average user. The move to the network reverses this trend. The term "network" sounds innocently enough though it means in fact in the context of Sun's initiative a few central computers that distribute applications to relatively dumb peripheral network computers, glorified monitors. Which sounds almost like mainframes all over!
Acquiring Star Sun plans to release its office suite as a network application to be accessed over the web whenever needed. While this cosmological drama is directed against Microsoft's dominance over the desktop, it's ironically Microsoft itself that owns the only net-based application that really holds mass appeal: Hotmail's web-based e-mail. 40 million people (give or take a few millions) are using Hotmail. This is an unprecedented centralization of the most important Internet application in one system.
And why does that matter?
All systems are vulnerable to attacks, the Internet is not built to be a high security network. In huge centralized system the effects of such attacks are greatly magnified because one single line of code can suddenly open millions of mailboxes. Furthermore, along with such a centralization comes as shift in the power balance between the provider and user of the service. Contrary to what many of the optimistic net futurist predict, the power shifts, at least in this case, towards the provider and away the user. Virtually all analysts agreed in their seemingly paradox assessment of the Hotmail hack. It is the most significant security breach on the web so far and, at the same time, it does not matter for Microsoft. The balance between the behemoth corporation and potentially damaged users is just too skewed for Microsoft to care. Yes, it's a bit an embarrassing itch, but as one analyst put it aptly "There are many flees in a 500 pound gorilla." Unfortunately, the flee is you! Or as the service agreement states: "the services is provided without warranty of any kind." There are commitments, to be sure, expressed in all kinds of privacy statements, but these are very different from obligations, as one can see now that something went wrong. In effect, this means that using the system, you do not only sign-off all rights, but given the imbalance between the two parties, protest in almost useless.
But the imbalance runs deeper, it's not only in numbers but also in knowledge. The classic argument goes that if the service is too bad, then the users will go somewhere else. Unfortunately, given the nature of computing problems, its pretty difficult to even find out when the service is bad. You have no way of knowing if someone read your e-mail. And the Microsoft statement posted after the incident is more opaque that a Kremlin release in the early 1980s. You have to be an insider to understand it.
However, to expect that every user is highly "computer literate," thus the informed consumer of the neo-liberal theory, is a) unrealistic and b) not desirable. We shouldn't be forced to become nerds just to use computers, as much as we do not have to become mechanics to drive cars.
What this the Hotmail hack shows is that the Internet's self-regulation doesn't work anymore because it relies on the assumption of more or less equal participants. This is clearly no longer the case. There not much guessing about what happens when you and Microsoft (or Sun, for that matter) regulate one another. You invariably end up with no rights what so ever, and you are likely not even to know it because you would have to be a computer scientist and a lawyer at the same time. Both of which are at ample supply on the side of Microsoft. What the Sun acquisition shows is that the trend which causes this imbalance is only getting stronger.
But there are ways to reverse this trend. One is to develop and spread technologies which put control back into the hands of individuals users. The open source movement is doing a lot in this direction. Cryptography is on top of the list. Free, easy-to-use, public-domain cryptographic tools are a necessity. And with a few targeted public research grants they could become a reality rather sooner than later. But cryptography is not a the magic bullet. We also need to create mechanisms of accountability which replace fancy worded "commitments" with "binding obligations" so that screwing up really hurts. Like in most other areas of life.
End of Document